Platform SDK: Active Directory, ADSI, and Directory Services

Enumerating Groups in a Domain

Unlike Windows NT® 4.0 domains, Windows® 2000 groups can be placed in any container or organizational unit in a domain as well as the root of the domain. This means that groups can be in numerous locations in the directory hierarchy. Therefore, you have two choices for enumerating groups:

  1. Enumerate the groups directly contained in a container, OU, or at the root of the domain.

    Explicitly bind to the container object containing the groups you are interested in enumerating, set a filter containing "groups" as the class using the IADsContainer::put_Filter property method, and use the IADsContainer::get__NewEnum method to enumerate the group objects.

    This technique is useful if you want to enumerate groups that are directly contained in a container or OU object. If the container contains other containers that can potentially contain other groups, you need to bind to those containers and recursively enumerate the groups on those containers. If you do not need to manipulate the group objects and only need to read specific properties, you should use the deep search described in option 2.

    Because enumeration returns pointers to ADSI COM objects representing each group object, you can call QueryInterface to get IADs, IADsGroup, and IADsPropertyList interface pointers to the group object. This means you can get interface pointers to each enumerated group object in a container without having to explicitly bind to each group object. If you want to perform operations on all the groups directly within a container, enumeration saves you from having to bind to each group in order to call IADs or IADsGroup methods. If you only want to retrieve specific properties from groups, you should use IDirectorySearch as described in option 2.

  2. Perform a deep search for objectCategory=group to find all groups in a tree.

    First, bind to the container object where you want to begin the search. For example, if you wanted to find all groups in a domain, you would bind to the root of the domain; if you wanted to find all groups in the forest, you would bind to the global catalog and search from the root of the GC.

    Then use IDirectorySearch to query using a search filter containing (objectCategory=group) and search preference of ADS_SCOPE_SUBTREE.

    Note  You can perform a search with a search preference of ADS_SCOPE_ONELEVEL to limit the search to the direct contents of the container object that you bound to.

    IDirectorySearch retrieves only the values of specific properties from groups. If you only want to retrieve values, you should use IDirectorySearch. If you want to manipulate the group objects returned from a search (that is, you want to use IADs or IADsGroup methods), you must explicitly bind to them (to do this, specify distinguishedName as one of the properties to return from the search and use the returned distinguished names to bind to each group returned in the search).

    Only specific properties are retrieved. You cannot retrieve all attributes without explicitly specifying every possible attribute of the group class.
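
    The deep search of option 2, followed by the explicit bind through the returned distinguishedName, as an added example that is not part of the original SDK page. It uses the .NET DirectorySearcher and DirectoryEntry wrappers over ADSI from PowerShell rather than calling IDirectorySearch directly; the function names Get-DirectoryGroup and Get-BoundGroup are hypothetical, and a domain-joined Windows host is assumed.

```powershell
# Added example (not from the SDK page). Assumes a domain-joined Windows host.
function Get-DirectoryGroup {
    param(
        [string]$SearchRoot,    # ADsPath of the container to start from; default is the domain root
        [System.DirectoryServices.SearchScope]$Scope = 'Subtree'   # 'OneLevel' = direct contents only
    )
    if (-not $SearchRoot) {
        $rootDse    = [ADSI]'LDAP://RootDSE'
        $SearchRoot = "LDAP://$($rootDse.defaultNamingContext)"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $searcher.Filter      = '(objectCategory=group)'
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 500   # paged search, so a large domain is not cut off at the server's result limit
    # Only the properties named here are returned; everything else is absent from the result.
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Name = [string]$r.Properties['samaccountname'][0]
                DN   = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally { $results.Dispose() }   # releases the unmanaged search handle
}

function Get-BoundGroup {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # A forward slash inside a DN has to be escaped when the DN is placed in an ADsPath.
    [ADSI]('LDAP://' + $DistinguishedName.Replace('/', '\/'))
}

$groups = @(Get-DirectoryGroup)
'{0} groups found' -f $groups.Count
if ($groups.Count -gt 0) {
    # Search rows are read-only values; binding yields the ADSI object itself.
    $entry = Get-BoundGroup -DistinguishedName $groups[0].DN
    '{0} bound as class {1}, cn = {2}' -f $groups[0].Name,
        $entry.psbase.SchemaClassName, $entry.psbase.Invoke('Get', 'cn')
}
```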