Using the Custom Rule SECGROUP.DLL to Determine User Security Group Membership

New Boundary Support
Smart Update (Configuration Groups, Organizational Groups)

The information in this article applies to:

• Prism Deploy 5 and newer

• Prism Pack 5 and newer

Note: This functionality has been superceded by the Member_Of operator that is part of Policy Commander 1.5 and above and Prism Suite 7.0.3 and above. See the Related Articles section below.



New Boundary has developed a COM DLL to allow Prism to query the security group membership of the currently-logged in user. The results of the query can be used to populate a User-Defined Configuration Group within Prism Deploy, or to determine whether a Prism Pack or Prism Deploy Package Installation Rule has been met. 

Download attached SecGrp.ZIP (65 KB)


You must first install and register the DLL on your target systems in order to use the functionality. Copy the DLL to the target computers, then run "REGSVR32 SECGROUP.DLL" to register it with the system. The location of the file is irrelevant, though obvious choices would be the “C:\Program Files\Prism Deploy\Client” folder or “Common Files\New Boundary” folder. The simplest way to install the DLL is to build a Package capturing these steps and deploy it with your usual methods.  Alternately, use the Package that New Boundary Support has created. Our Package copies SECGROUP.DLL to the folder “C:\Program Files\Prism Deploy\Client” and registers the DLL in this path.

To use the DLL’s functionality, select Value Type <Custom> when defining a User-Defined Configuration Group in Prism Deploy Console or when creating a new Installation Rule within the Editor. Enter "Security Groups" "<GroupToSearchFor>" in the text box. <GroupToSearchFor> is the domain (if necessary) and name of the security group you’re interested in.  Domain level security groups require that you type in the name of the domain, then the name of the security group. Local built-in security groups only require the name of the group. For example, to find members of the built-in (local) security group "Administrators", just enter the name. To find members of a domain group, the syntax is "<Domain>\<Group Name>" (e.g. "NewBoundary\Dev"). The backslash separates the domain and group name.

If a match is made between <GroupToSearchFor> and a security group, the DLL returns the value "True", otherwise it returns "False”. Hence, the only useful choices for the value field in the rule wizard are "True" and "False".

Rule Syntax:

<Custom> “Security Groups” “<GroupToSearchFor> = True/False


<Custom> “Security Groups” “Builtin\Administrators” = “True”

<Custom> “Security Groups” “NT Authority\Authenticated Users” = “True”

<Custom> “Security Groups” “Everyone” = “True”

<Custom> “Security Groups” “Domain\Accounting” = “True”

<Custom> “Security Groups” “%userdomain%\Domain Admins” = “True”

<Custom> “Security Groups” “LocalComputerName\LocalGroupName” = “True”

<Custom> “Security Groups” “%computername%\LocalGroupName” = “True”

Optionally, set up the rule to search for all matches to a group name using wildcard characters. Leave the <GroupToSearchFor> field empty (“”), then enter the characters you wish to search for in the value field rather than specifying True or False. Using this method, only MATCHES and GREPMATCHES can be used as the operator.


<Custom> “Security Groups” “” MATCHES “*Domain\*admin*”

<Custom> “Security Groups” “” MATCHES “*_thinclient*”

Note that the wildcard character “*” must be specified at the beginning and end of the string within the value field.

New Boundary has included the utility LOGGROUPS.EXE. When launched from a command-line, LOGGROUPS.EXE writes a Unicode format text file listing the names of all the security groups found for the currently-logged user. The file WRITELOG.TXT is written to the same folder from where the utility was launched. It can be used to assist you with the syntax for creating a Security Groups custom rule.   

NOTE:  The Security Groups custom DLL was written for the NT family of OS’s only; the functionality is not supported on Win9x systems. Windows 9x and computers that do not have SECGROUP.DLL installed and registered will not successfully run the rule.  Thus Package installations using the SECGROUP DLL as an installation rule will fail. Likewise, Prism Deploy target systems lacking the SECGROUP.DLL will not be able to add themselves to the custom configuration group defined by the DLL.


Also In This Category

On a scale of 1-5, please rate the helpfulness of this article

Not Helpful
Very Helpful
Optionally provide your comments to help us improve this article...

Thank you for your feedback!

Add Your Comments
Email Address:
RadEditor - HTML WYSIWYG Editor. MS Word-like content editing experience thanks to a rich set of formatting tools, dropdowns, dialogs, system modules and built-in spell-check.
RadEditor's components - toolbar, content area, modes and modules
Toolbar's wrapper  
Content area wrapper
RadEditor's bottom area: Design, Html and Preview modes, Statistics module and resize handle.
It contains RadEditor's Modes/views (HTML, Design and Preview), Statistics and Resizer
Editor Mode buttonsStatistics moduleEditor resizer
RadEditor's Modules - special tools used to provide extra information such as Tag Inspector, Real Time HTML Viewer, Tag Properties and other.
Verification Code:
Last Modified: 18 Years Ago
Last Modified By: New Boundary Support
Article not rated yet.
Article has been viewed 8.6K times.
Customer Support Software By InstantKB 2015-2
Execution: 1.000. 20 queries. Compression Disabled.