Listing Members of Distribution Lists and Security Groups
Originally published June 24, 2004
(Note November 13, 2007: the information is good, but this really needs rewriting.)
A question I've received several times is “how do I list all the members of a distribution list?” With Active Directory and Exchange 2000/2003, the same question can be asked about security groups, since there is little difference between the two: a security group is a security principal that can be granted permissions in an ACL, while a distribution group cannot.
There are a number of ways to do this. My tool of choice is adfind, one of the free tools on Joe Richards' www.joeware.net site. Joe is an Active Directory MVP and he has a number of excellent tools available for free there.
You can also script this fairly easily, and Windows 2003 ships with the dsquery command. dsquery has many of the features of adfind, but has some limitations when executed on a Windows 2000 computer.
The primary thing you need with adfind is your “base”: the distinguished name under which the search starts. For a whole domain this is the defaultNamingContext attribute of the rootDSE. In English - if your Active Directory domain is “ad.local”, then your base is “dc=ad,dc=local”.
The next thing you need with adfind is knowledge of how to construct LDAP search filters and the real (LDAP display) names of the attributes you want. Your best bet for this information is MSDN.
On to our searches...
For your entire A/D, you can list the direct members of all security and distribution groups (the member attribute holds direct members only; members of nested groups are not expanded):
adfind -b dc=brnets,dc=local -f "objectcategory=group" member
To list the members of all security and distribution groups which are defined directly in a particular OU or container (the default Users container is a container, hence cn= rather than ou=):
adfind -b cn=users,dc=brnets,dc=local -f "objectcategory=group" -s onelevel member
For a particular OU or container and all of its sub-OUs:
adfind -b cn=hosting,dc=brnets,dc=local -f "objectcategory=group" -s subtree member
Mail-enabled distribution groups always have a "mail" attribute (Exchange sets it when the group is mail-enabled). So, if you only want to see the members of mail-enabled distribution groups in an OU and all of its sub-OUs:
adfind -b cn=hosting,dc=brnets,dc=local -f "(&(objectcategory=group)(mail=*))" -s subtree member
Security groups do not have a "mail" attribute unless they have been mail-enabled, and neither does a distribution group that has not been mail-enabled. So the negated filter below returns every group in an OU and all of its sub-OUs that is not mail-enabled, which in most domains means the security groups (the filter, like the ones above, must be wrapped in its own outer parentheses):
adfind -b cn=hosting,dc=brnets,dc=local -f "(&(objectcategory=group)(!(mail=*)))" -s subtree member
LDAP queries are very powerful when it comes to retrieving information from your Active Directory. It is well worth a system administrator's (and Exchange administrator's!) time to learn how to generate these queries.
Amit Zinman discusses a way using Exchange System Manager to build LDAP queries more easily here. While I find the ESM queries needlessly complex, it's a great way to get started.
Edit on January 12, 2005: Joe Richards pointed out that all of my “objectclass=group” would be much better as “objectcategory=group”, plus an error in one of my LDAP queries.
Also, if you want to specifically separate distribution lists and security groups, you can add the following qualifier to your LDAP queries:
For Distribution Lists: (sAMAccountType=268435457)
For Security Groups: (sAMAccountType=268435456)
Those two values cover global and universal groups only. Domain local groups get sAMAccountType 536870913 (distribution) and 536870912 (security), so either include both values in an OR, or test the security-enabled bit of groupType directly with the bitwise AND matching rule, which catches every scope: (groupType:1.2.840.113556.1.4.803:=2147483648) for security groups, and the same clause inside (!( ... )) for distribution groups. Note that adfind shows groupType as a signed 32-bit integer, so security groups appear with negative values such as -2147483646 for a global security group.
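The following is an added example, not code from the original post or from adfind, that works the same queries offline: it builds the filter strings discussed above (base, scope, mail presence, and the groupType security bit), applies them to a constructed directory snapshot shaped like an LDAP search result, checks that each group's sAMAccountType agrees with its groupType, and expands nested membership, which the member attribute alone does not do. Every DN, group name and address in DIRECTORY is made up, the OU names are assumptions, and the scope logic assumes DNs with no escaped commas.

```python
"""Offline companion to the adfind queries above (added example, not from the post).

DIRECTORY is a constructed snapshot: the DNs, group names, addresses and members
are made up.  Values are stored the way a DC returns them (groupType as a signed
32-bit integer) so the decoding matches what adfind prints.
"""
from typing import Dict, List, Optional, Set

# groupType flag bits from the AD schema (only the ones used here)
GT_DOMAIN_LOCAL = 0x00000004
GT_SECURITY_ENABLED = 0x80000000           # 2147483648
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# sAMAccountType values the DC assigns to group objects
SAM_GROUP_OBJECT = 268435456               # security-enabled, global or universal
SAM_NON_SECURITY_GROUP_OBJECT = 268435457  # distribution, global or universal
SAM_ALIAS_OBJECT = 536870912               # security-enabled, domain local
SAM_NON_SECURITY_ALIAS_OBJECT = 536870913  # distribution, domain local

Entry = Dict[str, object]
BASE = "dc=brnets,dc=local"

DIRECTORY: Dict[str, Entry] = {  # constructed sample data, not a real domain
    "cn=alice,cn=users," + BASE: {"objectCategory": "person"},
    "cn=bob,cn=users," + BASE: {"objectCategory": "person"},
    "cn=carol,ou=sub,ou=hosting," + BASE: {"objectCategory": "person"},
    "cn=Domain Admins,cn=users," + BASE: {
        "objectCategory": "group", "groupType": -2147483646,  # global + security
        "sAMAccountType": SAM_GROUP_OBJECT,
        "member": ["cn=alice,cn=users," + BASE]},
    "cn=Helpdesk,cn=users," + BASE: {
        "objectCategory": "group", "groupType": -2147483644,  # domain local + security
        "sAMAccountType": SAM_ALIAS_OBJECT,
        "member": ["cn=Domain Admins,cn=users," + BASE, "cn=bob,cn=users," + BASE]},
    "cn=All Staff,ou=hosting," + BASE: {
        "objectCategory": "group", "groupType": 8,  # universal distribution, mail-enabled
        "sAMAccountType": SAM_NON_SECURITY_GROUP_OBJECT, "mail": "allstaff@brnets.local",
        "member": ["cn=Helpdesk,cn=users," + BASE, "cn=carol,ou=sub,ou=hosting," + BASE,
                   "cn=Sub Team,ou=sub,ou=hosting," + BASE]},
    "cn=Sub Team,ou=sub,ou=hosting," + BASE: {
        "objectCategory": "group", "groupType": 2,  # global distribution, not mail-enabled
        "sAMAccountType": SAM_NON_SECURITY_GROUP_OBJECT,
        "member": ["cn=All Staff,ou=hosting," + BASE]},  # nesting loop back to All Staff
}


def group_type(entry: Entry) -> int:
    """groupType as an unsigned 32-bit value (the DC returns it signed)."""
    return int(entry["groupType"]) & 0xFFFFFFFF


def is_security_group(entry: Entry) -> bool:
    return bool(group_type(entry) & GT_SECURITY_ENABLED)


def is_mail_enabled(entry: Entry) -> bool:
    return bool(entry.get("mail"))


def expected_sam_account_type(entry: Entry) -> int:
    """The sAMAccountType the DC sets for a group with this groupType."""
    gt = group_type(entry)
    local = bool(gt & GT_DOMAIN_LOCAL)
    if gt & GT_SECURITY_ENABLED:
        return SAM_ALIAS_OBJECT if local else SAM_GROUP_OBJECT
    return SAM_NON_SECURITY_ALIAS_OBJECT if local else SAM_NON_SECURITY_GROUP_OBJECT


def in_scope(dn: str, base: str, scope: str) -> bool:
    """adfind -s base/onelevel/subtree semantics; assumes no escaped commas in DNs."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "subtree" or dn.count(",") == base.count(",") + 1


def group_filter(mail_enabled: Optional[bool] = None, security: Optional[bool] = None) -> str:
    """Filter string for adfind -f: objectCategory, optional mail test, optional groupType bit test."""
    parts = ["(objectCategory=group)"]
    if mail_enabled is not None:
        parts.append("(mail=*)" if mail_enabled else "(!(mail=*))")
    if security is not None:
        bit = f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={GT_SECURITY_ENABLED})"
        parts.append(bit if security else f"(!{bit})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def find_groups(directory: Dict[str, Entry], base: str, scope: str = "subtree",
                mail_enabled: Optional[bool] = None, security: Optional[bool] = None) -> List[str]:
    """Python equivalent of: adfind -b base -s scope -f group_filter(mail_enabled, security)."""
    out = []
    for dn, e in directory.items():
        if e.get("objectCategory") != "group" or not in_scope(dn, base, scope):
            continue
        if mail_enabled is not None and is_mail_enabled(e) != mail_enabled:
            continue
        if security is not None and is_security_group(e) != security:
            continue
        out.append(dn)
    return sorted(out)


def expand_members(directory: Dict[str, Entry], group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Transitive membership: recurse into nested groups, with a seen set to survive nesting loops."""
    seen = {group_dn} if seen is None else seen
    result: Set[str] = set()
    for m in directory[group_dn].get("member", []):
        entry = directory.get(m)
        if entry is not None and entry.get("objectCategory") == "group":
            if m not in seen:
                seen.add(m)
                result |= expand_members(directory, m, seen)
        else:
            result.add(m)  # user, computer, contact, or a DN missing from the snapshot
    return result


if __name__ == "__main__":
    hosting = "ou=hosting," + BASE
    print(group_filter(mail_enabled=False, security=True))
    for dn in find_groups(DIRECTORY, hosting, "subtree"):
        print(dn, "->", sorted(expand_members(DIRECTORY, dn)))
```

The groupType test in group_filter is what the sAMAccountType qualifiers approximate: it holds for every group scope, and expand_members shows why a plain member listing understates effective membership in a domain with nested groups.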