FYI I dusted this one off and made some modifications which should do what the poster wants... Instead of the regex, you could just put in the = 8 instead if you want universal groups only.
P.S. This list is friendly to those who post in plain text. I don't care, but some do.

P.S.S. If you have circular references in your groups (Group A in Group B and Group B in Group A), this could spin out of control re-checking the nestedness of your groups.

HTH

Steven

#---------------------------------------------------------
use Win32::OLE qw(in);   # base functionality
use Win32::OLE::Variant;

# Query format: <base DN>;(filter);attributes;scope
my $objects;
query_ldap("<LDAP://OU=SOMEOU,dc=somedomain,dc=>;(objectclass=Group);cn,ADsPath;subtree", $objects)
    or die "LDAP query failed\n";
print "recordcount = ".$objects->{RecordCount}."\n";

while (!$objects->{EOF}) {
    #print $objects->Fields("adsPath")->{Value}."\n";
    # Bind to each group returned by the query
    my $myObj = Win32::OLE->GetObject($objects->Fields("adsPath")->{Value});
    print $myObj->{SamAccountName}."\n";
    # groupType is a bit field; this regex looks for the digits 2, 4 or 8
    # anywhere in its decimal value
    if ($myObj->{groupType} =~ /(2|4|8)/) {   #global=2 local=4 universal=8
        geT_members($myObj,2);
    }
    $objects->MoveNext();
}

# Print the members of a group, recursing into any member that is itself a group.
# $_[0] = group object, $_[1] = indentation depth
sub geT_members {
    my $group = $_[0];
    my $spacing = $_[1];
    foreach my $member (in ($group->{Members})) {
        for (1..$spacing) { print " "; }
        print "$member->{Name}\n";
        if ($member->{groupType} =~ /(2|4|8)/) {   #global=2 local=4 universal=8
            for (1..$spacing) { print " "; }
            print " --Nested Group found\n";
            #sleep 5;
            if (scalar($member->{Members}) > 0) {
                geT_members($member,$spacing+2);
            }
        }
    }
}

# Run an ADSI query through ADO. $_[0] = query string; the resulting
# recordset is handed back through $_[1]. Returns 1 on success, 0 on failure.
sub query_ldap {
    my $ldap_query = $_[0];
    my $error_num;
    my $error_name;
    my $RS;
    my $Conn = Win32::OLE->new("ADODB.Connection");
    if (Win32::OLE->LastError() != 0) {
        print "Failed creating ADODB.Connection object (".Win32::OLE->LastError().")\n -> $ldap_query\n";
        return 0;
    }
    $Conn->{'Provider'} = "ADsDSOObject";
    if (Win32::OLE->LastError() != 0) {
        print "Failed setting ADODB.Command Provider (".Win32::OLE->LastError().")\n -> $ldap_query\n";
        return 0;
    }
    $Conn->Open("Perl Active Directory Query");
    my $Cmd = Win32::OLE->new("ADODB.Command");
    if (Win32::OLE->LastError() != 0) {
        print "Failed creating ADODB.Command object (".Win32::OLE->LastError().")\n -> $ldap_query\n";
        return 0;
    }
    # ActiveConnection must be set before the provider-specific properties exist
    $Cmd->{ActiveConnection} = $Conn;
    $Cmd->{CommandText} = $ldap_query;
    $Cmd->{Properties}->{"Page Size"} = 99;   # page the results
    $RS = $Cmd->Execute();
    if (Win32::OLE->LastError() != 0) {
        print "Failed Executing ADODB Command object (".Win32::OLE->LastError().")\nExecuting ADODB Command -> $ldap_query\n";
        return 0;
    } else {
        $_[1] = $RS;
        return 1;
    }
}

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 5:08 AM
To: [EMAIL PROTECTED]; perl-win32-admin@listserv.ActiveState.com
Subject: RE: Enumerating Universal Group members

Why not enumerate the member attribute.. If you do this you can bind to each object and determine if it is a group and then loop through it as well.

Bryan

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Conor Lillis
Sent: Wednesday, September 17, 2008 6:48 AM
To: perl-win32-admin@listserv.ActiveState.com
Subject: Enumerating Universal Group members

Hi all, as part of a security audit to see who has send permissions to Exchange 2003 dist. lists, I am trying to enumerate universal groups. My methodology is as follows:-

Enumerate values in ADSI attribute dLMemSubmitPerms
For each element in this list, enumerate the members of the nested group.

This works for Universal security list members, but not for nested universal distribution lists. A snippet of my code is below:-

my @dLMemSubmitPerms = $entry->get_value('dLMemSubmitPerms');
foreach my $line (@dLMemSubmitPerms)
{
    # Take the first RDN of the DN and strip the "CN=" prefix
    my ($group) = (split /,/, $line);
    $group =~ s/CN=//ig;
    print "\n\nACL on \"$name\"\t: \"$group\"\t\n";
    my @array;
    if (Win32::NetAdmin::GroupGetMembers($PDC, $group, \@array))
    {
        print "Enumerating group listing for \"$group\"\n";
        foreach my $member (@array)
        {
            print "$member is in \"$group\"\n";
        }
    }
}

I may be missing an important step, but having stared at it for a while nothing is jumping out at me...

Also, if anyone has a smart mechanism to enumerate members of nested groups within nested groups (we have maybe 5 degrees of nesting on some lists) that would be much appreciated.

Regards,
Conor Lillis
---------------------------------------
Senior Systems Administrator,
Group Network Services,
tel : +353-1-616-2540
Anglo Irish Bank
www.angloirishbank.ie <http://www.angloirishbank.ie/>
---------------------------------------

_______________________________________________
Perl-Win32-Admin mailing list
Perl-Win32-Admin@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
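
Added example, not code from any poster in this thread: a cycle-safe version of the nested expansion discussed above (the circular-reference caveat in the top reply and the request for multi-level nesting in the original post), which also tests groupType as a bit field. The directory is a constructed in-memory hash so the logic runs anywhere; %dir, describe, expand and effective_users are hypothetical names, and in a live audit the member lists would come from each group's member attribute or ADSI Members collection.

```perl
use strict;
use warnings;

# groupType is a bit field: one scope bit plus a security-enabled flag.
use constant { GT_GLOBAL => 0x2, GT_LOCAL => 0x4, GT_UNIVERSAL => 0x8,
               GT_SECURITY => 0x80000000 };

# Constructed sample data (not from a real directory). DL-A and DL-B contain
# each other. -2147483640 is how a universal security group's groupType reads
# when returned as a signed 32-bit integer.
my %dir = (
    'DL-Senders' => { groupType => 8,           member => [ 'DL-A', 'carol' ] },
    'DL-A'       => { groupType => 8,           member => [ 'DL-B', 'alice' ] },
    'DL-B'       => { groupType => -2147483640, member => [ 'DL-A', 'bob' ] },
    'alice' => {}, 'bob' => {}, 'carol' => {},
);

sub describe {
    my ($gt) = @_;
    $gt &= 0xFFFFFFFF;                      # normalise the signed value
    my $scope = $gt & GT_UNIVERSAL ? 'universal'
              : $gt & GT_GLOBAL    ? 'global'
              : $gt & GT_LOCAL     ? 'domain local' : 'unknown scope';
    return $scope . ($gt & GT_SECURITY ? ' security' : ' distribution');
}

# Depth-first walk. %$seen holds every group already expanded, so a group
# reached again (a cycle, or two paths to the same group) is not re-entered.
sub expand {
    my ($name, $seen, $users, $depth) = @_;
    my $entry = $dir{$name} or return;      # member that no longer exists
    if (!defined $entry->{groupType}) {     # no groupType: a leaf account
        $users->{$name} = 1;
        return;
    }
    if ($seen->{$name}++) {
        print '  ' x $depth, "$name (already expanded, skipped)\n";
        return;
    }
    print '  ' x $depth, "$name [", describe($entry->{groupType}), "]\n";
    foreach my $m (@{ $entry->{member} || [] }) {
        expand($m, $seen, $users, $depth + 1);
    }
}

# Flattened list of accounts that end up inside $group at any nesting depth.
sub effective_users {
    my ($group) = @_;
    my (%seen, %users);
    expand($group, \%seen, \%users, 0);
    return sort keys %users;
}

print "Effective senders: ", join(', ', effective_users('DL-Senders')), "\n";
```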