Title: Changing Group Scope
Since this is a one-off thing, I would recommend generating a list of DNs up front and then running them through a script that just reads a file and changes the DNs in the file to the group type you want.
 
Basically define your query that you want... I would assume something like
 
&(objectcategory=group)(mail=*)
 
or if you want to get fancy and only get the global non-security groups
 
 
&(objectcategory=group)(mail=*)(grouptype=2)
 
 
or if you want ANY global group (security or non-security)
 
 
&(objectcategory=group)(mail=*)(grouptype:1.2.840.113556.1.4.803:=2)
 
 
 
So you say... hmmm, great, thanks joe. Now how do I easily get that info to put in a text file for Robbie's incredible script that I (meaning Shawn) will modify to read the file and loop... You can get file reading tips from Robbie's book or the Script Center at TechNet: www.microsoft.com/technet/scriptcenter
 
 
I would say, use this handy dandy tool called adfind... (www.joeware.net on the free win32 tools page).  It is free and a steal at twice the price...
 
adfind -gc -b "" -bit -f "&(objectcategory=group)(grouptype:AND:=2)" -dn 2>nul | findstr /i dn:
 
Which will produce output similar to:
 
dn:CN=group1,CN=Users,DC=joehome,DC=com
dn:CN=group2,CN=Users,DC=joehome,DC=com
dn:CN=groupN,CN=Users,DC=joehome,DC=com

Or if you want to go straight to a file
 
adfind -gc -b "" -bit -f "&(objectcategory=group)(grouptype:AND:=2)" -dn 2>nul | findstr /i dn: >filename.txt
 
Now just do a find/replace on the dn: in notepad (or have the script yank it) or whatever and you have your list of DNs for your groups.
 
 
You can use ADO to pull the info as well, but if this is a one-off and you aren't looking to use it to learn ADO, just yank the info in the way described above.
 
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 05, 2004 5:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing Group Scope

Hello Everyone,

I need help writing a script to change the group scope for all groups in our Domain.  See KB article 271930 for an explanation why…this hit me as an oh by the way we forgot to mention...

Robbie Allen,

I have a copy of the AD Cookbook for Windows 2000 and Windows 2003.  In this book you have a script that will accomplish what I am trying, page 225.  Your script focuses on a single group and I must know the DN.  What I am trying to do is run this against the domain and modify all mail enabled groups.  I would prefer not having to manually look up DNs etc.

Any help from anyone is most appreciated.

Thanks in advance,
Shawn
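
An added example, not part of the original thread: it models how the exact-match filter (grouptype=2) and the bitwise-AND filter from joe's reply select different groups, and performs the dn: cleanup step on the sample output. The groupType values in SAMPLE_GROUPS and all function names are constructed for illustration; the scope and security bits are the standard Active Directory groupType flags.

```python
# Added example: constructed data, not output from a real directory.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8  # groupType scope bits
SECURITY_ENABLED = 0x80000000                    # set on security groups


def to_signed32(value):
    """AD stores groupType as a signed 32-bit integer."""
    return value - (1 << 32) if value & 0x80000000 else value


def matches_equal(group_type, value):
    """(grouptype=value): plain equality on the stored integer."""
    return group_type == value


def matches_bit_and(group_type, mask):
    """(grouptype:1.2.840.113556.1.4.803:=mask): every bit in mask is set."""
    return (group_type & 0xFFFFFFFF) & mask == mask


def parse_dns(adfind_output):
    """Keep only 'dn:' lines and strip the prefix, as the find/replace step does."""
    dns = []
    for line in adfind_output.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


SAMPLE_GROUPS = {  # constructed groupType values
    "global distribution": to_signed32(GLOBAL),
    "global security": to_signed32(GLOBAL | SECURITY_ENABLED),
    "universal distribution": to_signed32(UNIVERSAL),
    "domain local security": to_signed32(DOMAIN_LOCAL | SECURITY_ENABLED),
}

SAMPLE_OUTPUT = """dn:CN=group1,CN=Users,DC=joehome,DC=com
dn:CN=group2,CN=Users,DC=joehome,DC=com
"""


def filter_report():
    """Map group kind -> (matched by grouptype=2, matched by bitwise AND 2)."""
    return {name: (matches_equal(gt, 2), matches_bit_and(gt, 2))
            for name, gt in SAMPLE_GROUPS.items()}


if __name__ == "__main__":
    for name, (eq, bit) in filter_report().items():
        print(f"{name:24} grouptype=2: {eq!s:5}  bitwise AND 2: {bit}")
    print(parse_dns(SAMPLE_OUTPUT))
```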
