What does samAccountType in groups of Active Directory mean?

Question 1

What does samAccountType in groups of Active Directory mean?

c# active-directory ldap active-directory-group

Farzad J · Nov 14, 2011 · Viewed 9.5k times · Source

Answer

Answer

SAM-Account-Name (mentioned in your question's title) is the short name of the group.

It's there to provide compatibility with Windows NT 4 / Windows 98 systems, where account names (including group names) were limited to 19 characters.

SAM-Account-Type (mentioned in your question's body) is the account type. It can take the following values:

SAM_DOMAIN_OBJECT              0x0
SAM_GROUP_OBJECT               0x10000000
SAM_NON_SECURITY_GROUP_OBJECT  0x10000001
SAM_ALIAS_OBJECT               0x20000000
SAM_NON_SECURITY_ALIAS_OBJECT  0x20000001
SAM_USER_OBJECT                0x30000000
SAM_MACHINE_ACCOUNT            0x30000001
SAM_TRUST_ACCOUNT              0x30000002
SAM_APP_BASIC_GROUP            0x40000000
SAM_APP_QUERY_GROUP            0x40000001

Not surprisingly (since you're working with groups), the numbers in your question map to SAM_GROUP_OBJECT, SAM_NON_SECURITY_GROUP_OBJECT and SAM_ALIAS_OBJECT, respectively.

Question 2

I'm using this query by C# in Active Directory:

DirectoryEntry de = new DirectoryEntry("LDAP://" + this.rootLDAP);
DirectorySearcher ds = new DirectorySearcher(de, "(&(objectcategory=Group))");

It works just fine.

But one of the properties which it returns is called "samAccountType" and it has the below values :

268435456
268435457
536870912

What does it mean?

What does samAccountType in groups of Active Directory mean?

Answer

Related questions