I think that works (not near AD env).

Adfind –b <domain root> -f (objectcategory=group) cn members

Something like that…

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, July 25, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

Hi,

Try these (if you don’t get any better answers from the gurus):

For just groups and their membership (batch file)

dsquery group > all-groups.txt
for /f "tokens=1* delims=}" %a in (all-groups.txt) do @(echo GROUP:%a & dsget group %a -members) >> group-members.txt

For groups, type and membership (vbs file):

' To output to a text file use:

' cscript //nologo test.vbs > filename.txt

Option Explicit

Dim objConn ' ADODB.Connection

Dim objCommand ' ADODB.Command

Dim objRS ' ADODB.Recordset

Dim objRootDSE ' RootDSE

Dim objGroup ' AD Group

Dim strDNSDomain ' String

Dim strQuery ' String

Dim strDN ' String

' Bind to the Root Container

Set objConn = CreateObject("ADODB.Connection")

objConn.Provider = "ADsDSOObject"

objConn.Open "Active Directory Provider"

' Create our Command Object

Set objCommand = CreateObject("ADODB.Command")

Set objCommand.ActiveConnection = objConn

' Determine the DNS domain from the RootDSE object.

Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Search for all groups, return the Distinguished Name of each.

strQuery = "<LDAP://" & strDNSDomain & ">;(objectClass=group);distinguishedName;subtree"

objCommand.CommandText = strQuery

objCommand.Properties("Page Size") = 100

objCommand.Properties("Timeout") = 30

objCommand.Properties("Cache Results") = False

Set objRS = objCommand.Execute

If objRS.EOF Then

Wscript.Echo "No groups found"

objConn.Close

Set objRootDSE = Nothing

Set objConn = Nothing

Set objCommand = Nothing

Set objRS = Nothing

Wscript.Quit

End If

' Enumerate all groups, bind to each, and document group members.

Do Until objRS.EOF

strDN = objRS.Fields("distinguishedName")

Set objGroup = GetObject("LDAP://" & strDN)

'Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"

'If objGroup.GroupType = 2 or objGroup.GroupType = 4 or objGroup.GroupType = 8 then

Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"

Call GetMembers(objGroup)

'End If

objRS.MoveNext

Loop

' Clean up.

objConn.Close

Set objRootDSE = Nothing

Set objGroup = Nothing

Set objConn = Nothing

Set objCommand = Nothing

Set objRS = Nothing

Function GetType(intType)

' Function to determine group type from the GroupType attribute.

If (intType And &h01) <> 0 Then

GetType = "Built-in"

ElseIf (intType And &h02) <> 0 Then

GetType = "Global"

ElseIf (intType And &h04) <> 0 Then

GetType = "Local"

ElseIf (intType And &h08) <> 0 Then

GetType = "Universal"

End If

If (intType And &h80000000) <> 0 Then

GetType = GetType & "/Security"

Else

GetType = GetType & "/Distribution"

End If

End Function

Sub GetMembers(objADObject)

' Subroutine to document group membership.

' Members can be users or groups.

Dim objMember, strType

For Each objMember In objADObject.Members

If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then

strType = "Group"

Else

strType = "User"

End If

Wscript.Echo " Member: " & objMember.sAMAccountName _

& " (" & strType & ")"

WScript.Echo ""

Set objMember = Nothing

End Sub

Cheers
Ken

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Sydney: learn all about IIS 7.0 - See you there!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, 26 July 2006 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

We’re medium size – and yes someone does want a current outdated list J -

Just trying to make it happen….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...

You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting. That would be an awesome feature in the ADUC. Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

I need all Security Groups and Distribution groups – and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

What is "everything [you] need", specifically?

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All,

I'm trying to enumerate all groups in my AD environment. I need to get Group name group type and group members for each group…

I've tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but It still doesn't seem to pull back everything I need- Any help would be great! In a perfect world - J - I need a list of all security groups and distribution groups and their members

Thanks,

Mike

Enumerate Security Groups and Member in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640))))" -j c:\tmp

Enumerate Distribution Groups and Member in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2))))" -j c:\tmp

RE: [ActiveDir] Enumerating Group type and Mebership...

Reply via email to