Robbie Cannings

Querying and Updating Active Directory GIDNumber attribute

Robbie Cannings -

I came across a duplicate GIDNumber value in AD Groups. This is a hidden attribute, so can't be viewed/edited using the AD Users and Groups MMC.

Querying AD

This example shows the main attributes, but not the one we are after

PS C:\Users\administratoor> Get-ADGroup -Identity "Sales Maximus Team"
 
 
DistinguishedName : CN=Sales Maximus Team,OU=Sales,OU=Castle Hill,OU=Distribution,OU=Groups,OU=APAC,DC=sydney,DC=flowerpots,DC=com
GroupCategory     : Security
GroupScope        : Universal
Name              : Sales Maximus Team
ObjectClass       : group
ObjectGUID        : aabbcc55-1122-3bba-aadf-a663eeec2341
SamAccountName    : Sales Maximus Team
SID               : S-1-5-21-1256578901-1546006358-1122334201-11042

This example now includes the GIDNumber

PS C:\Users\administratoor> Get-ADGroup -Identity "Sales Maximus Team" -properties GIDNumber
 
 
DistinguishedName : CN=Sales Maximus Team,OU=Sales,OU=Castle Hill,OU=Distribution,OU=Groups,OU=APAC,DC=sydney,DC=flowerpots,DC=com
GIDNumber         : 11224
GroupCategory     : Security
GroupScope        : Universal
Name              : Sales Maximus Team
ObjectClass       : group
ObjectGUID        : aabbcc55-1122-3bba-aadf-a663eeec2341
SamAccountName    : Sales Maximus Team
SID               : S-1-5-21-1256578901-1546006358-1122334201-11042

Search for that GID Number in AD

I can query AD Groups for all matching records.

PS C:\Users\administratoor> Get-ADGroup -filter 'GIDNumber -eq 11224' -properties GIDNumber
 
 
DistinguishedName : CN=Finance AR,OU=Groups,OU=Disabled,OU=APAC,DC=sydney,DC=flowerpots,DC=com
GIDNumber         : 11224
GroupCategory     : Security
GroupScope        : Universal
Name              : Finance AR
ObjectClass       : group
ObjectGUID        : aabbcc55-1122-3bba-aadf-a663eeec2342
SamAccountName    : Finance AR
SID               : S-1-5-21-1256578901-1546006358-1122334201-11043
 
DistinguishedName : CN=Sales Maximus Team,OU=Sales,OU=Castle Hill,OU=Distribution,OU=Groups,OU=APAC,DC=sydney,DC=flowerpots,DC=com
GIDNumber         : 11224
GroupCategory     : Security
GroupScope        : Universal
Name              : Sales Maximus Team
ObjectClass       : group
ObjectGUID        : aabbcc55-1122-3bba-aadf-a663eeec2341
SamAccountName    : Sales Maximus Team
SID               : S-1-5-21-1256578901-1546006358-1122334201-11042

Look for a new GID (one which isn't used)

There are ways of looping etc, I've just used an example to find an unused one manually.

PS C:\Users\administratoor> Get-ADGroup -filter 'GIDNumber -eq 11225'

Modify the existing group's GIDNumber

PS C:\Users\administratoor> Set-ADGroup -identity "Sales Maximus Team" -Replace @{"GIDNumber" = "11225"}

Confirm the change was successful

PS C:\Users\administratoor> Get-ADGroup -filter 'GIDNumber -eq 11225'
 
 
DistinguishedName : CN=Sales Maximus Team,OU=Sales,OU=Castle Hill,OU=Distribution,OU=Groups,OU=APAC,DC=sydney,DC=flowerpots,DC=com
GroupCategory     : Security
GroupScope        : Universal
Name              : Sales Maximus Team
ObjectClass       : group
ObjectGUID        : aabbcc55-1122-3bba-aadf-a663eeec2341
SamAccountName    : Sales Maximus Team
SID               : S-1-5-21-1256578901-1546006358-1122334201-11042
 
 
 
PS C:\Users\administratoor> Get-ADGroup -Identity "Sales Maximus Team" -properties GIDNumber
 
 
DistinguishedName : CN=Sales Maximus Team,OU=Sales,OU=Castle Hill,OU=Distribution,OU=Groups,OU=APAC,DC=sydney,DC=flowerpots,DC=com
GIDNumber         : 11225
GroupCategory     : Security
GroupScope        : Universal
Name              : Sales Maximus Team
ObjectClass       : group
ObjectGUID        : aabbcc55-1122-3bba-aadf-a663eeec2341
SamAccountName    : Sales Maximus Team
SID               : S-1-5-21-1256578901-1546006358-1122334201-11042