Solved: how to determine primaryGroupID?

aeroplane_ · ‎03-13-2010

Hi

As per KB2527, authorization through primary group via LDAP is not supported by IVE. This KB gave the script to run on windows server to know the primary group ID.

My question is tha how to execute this scrip on windows server?

Thanks in advance

spuluka · ‎03-28-2010

To run this as a script on the Domain controller take the following steps. This uses dsquery that is only installed by default on the domain controller.

Copy the script text into notepad and remove all leading and trailing spaces
Save the file as a batch file i.e. "PrimaryGroup.bat" (use the quotes to over ride the default .txt file. Or rename the file extention to be .bat after it is saved.
Put the file in a folder on a Domain controler i.e. c:\scripts\
Launch a dos prompt on the Domain controller (run... cmd)
Change to the directory
cd \scripts\
Run the script for screen output
PrimaryGroup.bat
You can create a text file with the result by
PrimaryGroup.bat > PrimaryGroup.txt
This creates a text file instead of the screen dump with the results of the commands

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home

View solution in original post

spuluka · ‎03-13-2010

The dsquery command is built into the domain controllers in a windows 2003 domain. You run this from the dos prompt on a domain controller, not just any member server.

You will also need to have the appropriate level of rights within AD to access the information being queried. In this case the organizational units that contain the group objects. To insure a full list run under an account with domain administration rights.t

AD Domain Query commands

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home

aeroplane_ · ‎03-26-2010

Hi

Thanks for reply. How to run the below script to know the primary group id using dsquery command.

Remember that dsquery Active Directory command is available thru Windows 2000 Server resource Kit.

@echo off
setlocal
if exist "%TEMP%\%ComputerName%_ListGroupRID_1.tmp" del /q "%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
if exist "%TEMP%\%ComputerName%_ListGroupRID_2.tmp" del /q "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
set query=dsquery * domainroot -filter "(&(objectClass=Group))" -attr objectSid sAMAccountName -limit 0
for /f "Tokens=2-7 Delims=-" %%a in ('%query%') do call :rid "%%a" "%%b" "%%c" "%%d" "%%e" "%%f"
sort "%TEMP%\%ComputerName%_ListGroupRID_1.tmp" /O "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
type "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
del /q "%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
del /q "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
endlocal
goto :EOF
:rid
if {%1}=={} goto :EOF
set wrk1=%1
shift
set wrk2=%wrk1: =%
if %wrk1% EQU %wrk2% goto RID
set wrk2=%wrk2: "=%
set wrk2=%wrk2:"=%
set wrk1=%wrk2:~0,4%
set wrk2=%wrk2:~4%
if "%wrk1:~3,1%" EQU " " set wrk1= %wrk1:~0,3%
if /i "%wrk2%" NEQ "Pre" goto out
set wrk2=Pre-%1
set wrk2=%wrk2: =%
set wrk2=%wrk2: "=%
set wrk2=%wrk2:"=%
ut
@echo %wrk1% "%wrk2%">>"%TEMP%\%ComputerName%_ListGroupRID_1.tmp"

Many thanks

aeroplane_ · ‎03-26-2010

This KB http://kb.pulsesecure.net/KB2527 suggested the above script for determining the primary group id but how to execute it from command line on Windows server.

Thanks

spuluka · ‎03-28-2010

To run this as a script on the Domain controller take the following steps. This uses dsquery that is only installed by default on the domain controller.

Copy the script text into notepad and remove all leading and trailing spaces
Save the file as a batch file i.e. "PrimaryGroup.bat" (use the quotes to over ride the default .txt file. Or rename the file extention to be .bat after it is saved.
Put the file in a folder on a Domain controler i.e. c:\scripts\
Launch a dos prompt on the Domain controller (run... cmd)
Change to the directory
cd \scripts\
Run the script for screen output
PrimaryGroup.bat
You can create a text file with the result by
PrimaryGroup.bat > PrimaryGroup.txt
This creates a text file instead of the screen dump with the results of the commands

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home

ruc_ · ‎03-28-2010

1. If you have difficulty running this script as an alternative you could try an LDAP browser to find the Primary Group ID.

2. Another approach is to use Native Active Directory/NT type Auth server on the IVE. This will seamlessly use Primary Group membership info for Role mapping.

FYI - The main limitation here is not that IVE does not support it but more so that this Group membership info is not returned by Active Directory when queried via LDAP as noted in http://support.microsoft.com/kb/275523

aeroplane_ · ‎03-31-2010

Many thanks dear.

Dear ruc

How to use the LDAP browser to get the same information. Can you give me high level steps.

Thanks

ruc_ · ‎03-31-2010

Try below link for steps to use this tool. Once you are familiar with the tool refer to attached screenshot for specifically finding primary group ID

http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx#DoingASearchUsingLDP

aeroplane_ · ‎04-05-2010

Thanks for your help ruc

how to determine primaryGroupID?

how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?

Re: how to determine primaryGroupID?