This is the kind of thing if I got a request for it I would
end up wrapping into a perl script and then tossing into a webpage via CGI that
the "someone" could look at when they wanted as they are just looking to poke
around occasionally and it is stupid to burn up admin resources for ad hoc
requests like this. I would probably present a list of the groups first and then
let them select what they want and then display that info.
If it is for some sort of overall review, then I would just
hand over the perl script and let them run it as they want.
I don't know if you are aware but your filter is not
capturing system type groups like Remote Desktop Users, Pre-We2K group, etc...
In general a nice little shortcut... for all windows
security-enabled groups, use (grouptype<=-1) and for all non windows
security-enabled groups use (grouptype>=0); the attribute is indexed and not
valid for anything but groups so you don't need anything else. Cutting out the
ORs will help speed it up since it won't have to do a join of several
lookups.
A couple of quick command to verify
this....
adfind -sc s:grouptype searchflags
G:\Temp>adfind -sc s:grouptype
searchflags
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED])
March 2006
Using server: r2dc2.test.loc:389
Directory: Windows Server 2003 Base DN: CN=Schema,CN=Configuration,DC=test,DC=loc dn:CN=Group-Type,CN=Schema,CN=Configuration,DC=test,DC=loc
>searchFlags: 9 [INDEX(1);PRESERVE TOMBSTONE(8)] 1 Objects returned adfind -sc scontainsl:grouptype
G:\Temp>adfind -sc
scontainsl:grouptype
group
And
you can test the various query efficiencies with something
like
adfind
-b search_base -f search_filter -stats+only
G:\Temp>adfind -default -f
"(groupType<=-1)" -stats+only
AdFind V01.31.00cpp Joe
Richards ([EMAIL PROTECTED])
March 2006
Using server:
r2dc2.test.loc:389
Directory: Windows Server 2003 Base DN: DC=test,DC=loc Statistics
================================= Elapsed Time: 11 (ms) Returned 36 entries of 36 visited - (100.00%) Used
Filter:
(groupType<=-1) Used
Indices:
idx_groupType:36:N Analysis --------------------------------- Hit Rate of 100.00% is Efficient Indices used:
Index Name :
idx_groupType
Record Count: 36 (estimate) Index Type : Normal Attribute Index Filter Breakdown: (groupType<=-1)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Tuesday, July 25, 2006 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enumerating Group type and Mebership... We’re
medium size – and yes someone does want a current outdated list J -
Just
trying to make it happen…. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Matt Hargraves You either have a small
environment or someone wants a document that will be completely outdated 12
minutes after it's compiled. On 7/25/06, Mike Hogenauer
<[EMAIL PROTECTED]>
wrote: I need all Security Groups and Distribution
groups – and their members Thanks Laura! From:
[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Laura
A. Robinson Subject: RE: [ActiveDir] Enumerating Group type and
Mebership... What is "everything [you] need",
specifically? Thanks, Laura
|
- RE: [ActiveDir] Enumerating Group type and Mebership... joe
- RE: [ActiveDir] Enumerating Group type and Mebership.... joe
- Re: [ActiveDir] Enumerating Group type and Mebership.... Mathieu CHATEAU