| Platform SDK: Active Directory, ADSI, and Directory Services |
Groups can be placed in any container or organizational unit in a domain as well as the root of the domain. This means that groups can be in numerous locations in the directory hierarchy.
You can perform a deep search for (objectClass=group) to find all groups in a tree. You can also use a query string of the form, which uses the matching rule OID to search for the ADS_GROUP_TYPE_SECURITY_ENABLED bit in the groupType attribute. For more information on using matching rules, see How to Specify Comparison Values.
(&(objectClass=group)(groupType:1.2.840.113556.1.4.804:=2147483648) )