Hi,

 

Try these (if you don’t get any better answers from the gurus):

 

For just groups and their membership (batch file)

 

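rem Inside a batch file the loop variable is written %%a (use %a only when typing at the prompt).
dsquery group > all-groups.txt
for /f "tokens=1* delims=}" %%a in (all-groups.txt) do @(echo GROUP:%%a & dsget group %%a -members) >> group-members.txt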

 

For groups, type and membership (vbs file):

 

' To output to a text file use:
' cscript //nologo test.vbs > filename.txt

Option Explicit

Dim objConn       ' ADODB.Connection
Dim objCommand    ' ADODB.Command
Dim objRS         ' ADODB.Recordset
Dim objRootDSE    ' RootDSE
Dim objGroup      ' AD Group
Dim strDNSDomain  ' String
Dim strQuery      ' String
Dim strDN         ' String

' Bind to the Root Container
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

' Create our Command Object
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Search for all groups, return the Distinguished Name of each.
strQuery = "<LDAP://" & strDNSDomain & ">;(objectClass=group);distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

Set objRS = objCommand.Execute
If objRS.EOF Then
  Wscript.Echo "No groups found"
  objConn.Close
  Set objRootDSE = Nothing
  Set objConn = Nothing
  Set objCommand = Nothing
  Set objRS = Nothing
  Wscript.Quit
End If

' Enumerate all groups, bind to each, and document group members.
Do Until objRS.EOF
  strDN = objRS.Fields("distinguishedName")
  Set objGroup = GetObject("LDAP://" & strDN)
  'Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"
  'If objGroup.GroupType = 2 or objGroup.GroupType = 4 or objGroup.GroupType = 8 then
     Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"
     Call GetMembers(objGroup)
  'End If
  objRS.MoveNext
Loop

' Clean up.
objConn.Close
Set objRootDSE = Nothing
Set objGroup = Nothing
Set objConn = Nothing
Set objCommand = Nothing
Set objRS = Nothing

Function GetType(intType)
' Function to determine group type from the GroupType attribute.
  If (intType And &h01) <> 0 Then
    GetType = "Built-in"
  ElseIf (intType And &h02) <> 0 Then
    GetType = "Global"
  ElseIf (intType And &h04) <> 0 Then
    GetType = "Local"
  ElseIf (intType And &h08) <> 0 Then
    GetType = "Universal"
  End If
  If (intType And &h80000000) <> 0 Then
    GetType = GetType & "/Security"
  Else
    GetType = GetType & "/Distribution"
  End If
End Function

Sub GetMembers(objADObject)
' Subroutine to document group membership.
' Members can be users or groups.
  Dim objMember, strType
  For Each objMember In objADObject.Members
    If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then
      strType = "Group"
    Else
      strType = "User"
    End If
    Wscript.Echo "   Member: " & objMember.sAMAccountName _
      & " (" & strType & ")"
  Next
  WScript.Echo ""
  Set objMember = Nothing
End Sub

 

Cheers
Ken

 

--

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Sydney: learn all about IIS 7.0 - See you there!

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, 26 July 2006 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

 

We’re medium size – and yes someone does want a current outdated list :) -

Just trying to make it happen….

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...

 

You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting.  That would be an awesome feature in the ADUC.  Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

I need all Security Groups and Distribution groups – and their members

 

Thanks Laura!

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM

Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

 

What is "everything [you] need", specifically?

 

Thanks,

 

Laura

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All,

 

I'm trying to enumerate all groups in my AD environment. I need to get group name, group type and group members for each group…

 

I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

 

Then I tried (below) but it still doesn't seem to pull back everything I need - Any help would be great! In a perfect world :) I need a list of all security groups and distribution groups and their members

Thanks,

Mike

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640))))" -j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2))))" -j c:\tmp
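
Added example, not part of the thread or of anyone's posted scripts: the csvde filters above match groupType by exact value, while the VBScript's GetType tests individual bits, so a group that also carries the built-in bit (groupType -2147483643 on groups under CN=Builtin) falls outside both exact-value filters. The Python sketch below decodes groupType bit by bit from a csvde-style export and flags such groups for a membership review; it assumes groupType was added to the -l attribute list, that multi-valued member DNs are joined with ';', and it uses constructed example.com sample rows.

```python
import csv
import io

SECURITY_ENABLED = 0x80000000   # set on security groups, clear on distribution groups
BUILTIN = 0x1                   # set together with 0x4 on groups under CN=Builtin
SCOPES = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}

# Exact groupType values matched by the two csvde filters quoted in the thread.
EXACT_VALUES = {-2147483644, -2147483646, -2147483640, 2, 4, 8}

# Bitwise alternatives (matching rule 1.2.840.113556.1.4.803 = bit-AND) for csvde -r.
FILTER_SECURITY = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
FILTER_DISTRIBUTION = "(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"


def decode_group_type(value):
    """Return (scope, category, is_builtin) for a signed or unsigned groupType."""
    bits = int(value) & 0xFFFFFFFF   # the directory returns a signed 32-bit integer
    scope = next((name for bit, name in SCOPES.items() if bits & bit), "Unknown")
    category = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return scope, category, bool(bits & BUILTIN)


def parse_export(text):
    """Turn a csvde-style export into one dict per group, flagging filter misses."""
    groups = []
    for row in csv.DictReader(io.StringIO(text)):
        scope, category, builtin = decode_group_type(row["groupType"])
        groups.append({
            "cn": row["cn"], "scope": scope, "category": category, "builtin": builtin,
            # Assumption: multi-valued member DNs are joined with ';' in the export.
            "members": [dn for dn in row["member"].split(";") if dn],
            "missed_by_exact_filters": int(row["groupType"]) not in EXACT_VALUES,
        })
    return groups


# Constructed sample export (example.com names are made up for illustration).
SAMPLE = '''DN,cn,groupType,member
"CN=Administrators,CN=Builtin,DC=example,DC=com",Administrators,-2147483643,"CN=Domain Admins,CN=Users,DC=example,DC=com;CN=alice,CN=Users,DC=example,DC=com"
"CN=Domain Admins,CN=Users,DC=example,DC=com",Domain Admins,-2147483646,"CN=alice,CN=Users,DC=example,DC=com"
"CN=All Staff,OU=Lists,DC=example,DC=com",All Staff,8,
'''

if __name__ == "__main__":
    for g in parse_export(SAMPLE):
        flag = "  <-- not matched by the exact-value filters" if g["missed_by_exact_filters"] else ""
        print(f'{g["cn"]}: {g["scope"]}/{g["category"]}, {len(g["members"])} member(s){flag}')
```

FILTER_SECURITY and FILTER_DISTRIBUTION are the bitwise forms that can be passed to csvde -r in place of the exact-value filters.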

 

 

 
