3.3.4.2 GetADGroupMember

A server processes a GetADGroupMember request using the Active Directory Web Services: Custom Action Protocol upon receiving a SOAP message that contains the GetADGroupMemberRequest_Headers header and that specifies the following URI as the SOAP action:

http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/GetADGroupMember

This operation is specified by the following WSDL.

 <wsdl:operation name="GetADGroupMember">
     <wsdl:input
         wsam:Action=
 "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/GetADGroupMember"
         name="GetADGroupMemberRequest"
         message="ca:GetADGroupMemberRequest" />
     <wsdl:output
         wsam:Action=
 "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/GetADGroupMemberResponse"
         name="GetADGroupMemberResponse"
         message="ca:GetADGroupMemberResponse" />
     <wsdl:fault
         wsam:Action="http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault"
         name="GetADGroupMemberFault"
         message=
 "ca:AccountManagement_GetADGroupMember_GetADGroupMemberFault_FaultMessage" />
 </wsdl:operation>

The GetADGroupMember custom action retrieves the members of the group (Local/Global/Universal and Security/Distribution) that is specified by GetADGroupMemberRequest/GroupDN (section 3.3.4.2.2.3) in the NC specified in GetADGroupMemberRequest/PartitionDN (section 3.3.4.2.2.4).

Members that are returned are security principals (see [MS-AUTHSOD] section 1.1.1.1 and [MS-ADTS] section 5.1.1.5) that meet one of the following criteria:

  • Security principals identified by the group!member attribute of the group.

  • Security principals whose membership is determined via the primary group (the user!primaryGroupID attribute).

  • Foreign security principals (members with the value of user!objectSID, computer!objectSID, or group!objectSID equal to the value of foreignSecurityPrincipal!objectSID of the corresponding foreignSecurityPrincipal object), when the foreignSecurityPrincipal object is a member of a qualifying group. See [MS-SAMR] section 3.1.1.8.9.

If the group contains other members that are not security principals, they are ignored.

If the group contains other groups and the GetADGroupMemberRequest/Recursive element (section 3.3.4.2.2.5) is set to TRUE, then GetADGroupMember also retrieves the members of the child groups, recursively. The child groups themselves are not included in the returned members.

For every member previously specified, GetADGroupMember constructs an ActiveDirectoryPrincipal element (section 2.2.3.2) with all the child elements populated and adds it to the GetADGroupMemberResponse/Members element (section 3.3.4.2.2.7). Upon success, the GetADGroupMemberResponse element is returned. If a group has no members, then the server returns a GetADGroupMemberResponse with an empty Members element.

Members are returned without respect to the context supplied in GetADGroupMemberRequest/PartitionDN. If no members were returned by the server, then the GetADGroupMemberResponse element SHOULD have an empty Members element.
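The membership rules above, modelled over a small constructed directory. This is an added example, not part of the specification and not the server's implementation. The dictionary layout, the `cls` key standing in for objectClass, and the choice to expand child groups with the same criteria are assumptions of the example; the foreign security principal is returned as stored, without modelling the cross-forest SID match.

```python
# Constructed sample directory (DN -> attributes); names, RIDs and the SID are made up.
TIER0, OPS = "CN=Tier0,DC=example", "CN=Ops,DC=example"
ALICE, BOB = "CN=alice,DC=example", "CN=bob,DC=example"
CAROL, DAVE = "CN=carol,DC=example", "CN=dave,DC=example"
VENDOR = "CN=vendor,DC=example"
FSP = "CN=S-1-5-21-1-2-3-1001,CN=ForeignSecurityPrincipals,DC=example"

DIRECTORY = {  # "cls" is a simplified stand-in for objectClass (assumption)
    TIER0: {"cls": "group", "rid": 1105, "member": [ALICE, OPS, VENDOR, FSP]},
    OPS: {"cls": "group", "rid": 1106, "member": [BOB, TIER0]},  # nests back into Tier0
    ALICE: {"cls": "user", "primaryGroupID": 513},
    BOB: {"cls": "user", "primaryGroupID": 513},
    CAROL: {"cls": "user", "primaryGroupID": 1105},  # in Tier0 only via primary group
    DAVE: {"cls": "user", "primaryGroupID": 1106},   # in Ops only via primary group
    VENDOR: {"cls": "contact"},                      # not a security principal
    FSP: {"cls": "foreignSecurityPrincipal"},
}
SECURITY_PRINCIPALS = {"user", "computer", "group", "foreignSecurityPrincipal"}


def direct_members(directory, group_dn):
    """Members of one group: group!member plus primary-group members, principals only."""
    group = directory[group_dn]
    found = set(group.get("member", []))
    found |= {dn for dn, attrs in directory.items()
              if attrs.get("primaryGroupID") == group["rid"]}
    return {dn for dn in found if directory[dn]["cls"] in SECURITY_PRINCIPALS}


def get_ad_group_member(directory, group_dn, recursive=False):
    """Model of the operation's result set; returns a sorted list of member DNs."""
    result, visited = set(), set()

    def walk(dn):
        if dn in visited:          # nested groups may form a cycle
            return
        visited.add(dn)
        for member in direct_members(directory, dn):
            if recursive and directory[member]["cls"] == "group":
                walk(member)       # expand the child group; do not return it
            else:
                result.add(member)

    walk(group_dn)
    return sorted(result)


if __name__ == "__main__":
    print("member attribute only:", sorted(DIRECTORY[TIER0]["member"]))
    print("Recursive=FALSE:", get_ad_group_member(DIRECTORY, TIER0))
    print("Recursive=TRUE: ", get_ad_group_member(DIRECTORY, TIER0, recursive=True))
```

In the sample, carol never appears in the group's member attribute, so a membership audit that reads only that attribute undercounts the group compared with the result set this operation describes.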

If an error occurs while processing this operation, the server MUST return the appropriate SOAP fault for the particular error condition as specified in section 3.3.4.2.8.