Re: [ActiveDir] Enumerating Group type and Membership...
Hello Mike,

Try this one:

  Option Explicit
  Dim objDomain, objUser, objGroup

  ' WinNT provider: every user, then the groups each user belongs to
  Set objDomain = GetObject("WinNT://MyDomain")
  objDomain.Filter = Array("user")
  For Each objUser In objDomain
      Wscript.Echo "User: " & objUser.Name
      For Each objGroup In objUser.Groups
          Wscript.Echo "-- Member of group: " & objGroup.Name
      Next
  Next

  ' then every group and its direct members
  objDomain.Filter = Array("group")
  For Each objGroup In objDomain
      Wscript.Echo "Group: " & objGroup.Name
      For Each objUser In objGroup.Members
          Wscript.Echo "-- Member: " & objUser.Name
      Next
  Next

Fire it with something like

  cscript dump.vbs > dump.txt

Just my 2 cents

Mathieu CHATEAU
http://lordoftheping.blogspot.com

Tuesday, July 25, 2006, 8:49:11 PM, you wrote:

--
Best regards,
Mathieu mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Enumerating Group type and Membership...
I believe that was one of the items in a list of about 25 requests generated here on the list that I submitted into the bug/request system at MSFT as well as sending directly to the responsible Dev (the guy doing a lot of the GUI user experience stuff) at AD. He loved the ideas but said that for most of them LH R2 sounded more likely than LH.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Membership...
RE: [ActiveDir] Enumerating Group type and Membership...
This is the kind of thing if I got a request for it I would end up wrapping into a perl script and then tossing into a webpage via CGI that the "someone" could look at when they wanted, as they are just looking to poke around occasionally and it is stupid to burn up admin resources for ad hoc requests like this. I would probably present a list of the groups first and then let them select what they want and then display that info. If it is for some sort of overall review, then I would just hand over the perl script and let them run it as they want.

I don't know if you are aware but your filter is not capturing system type groups like Remote Desktop Users, Pre-W2K group, etc...

In general, a nice little shortcut... for all windows security-enabled groups, use (grouptype<=-1) and for all non windows security-enabled groups use (grouptype>=0); the attribute is indexed and not valid for anything but groups so you don't need anything else. Cutting out the ORs will help speed it up since it won't have to do a join of several lookups.

A couple of quick commands to verify this:

  adfind -sc s:grouptype searchflags

  G:\Temp>adfind -sc s:grouptype searchflags

  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

  Using server: r2dc2.test.loc:389
  Directory: Windows Server 2003
  Base DN: CN=Schema,CN=Configuration,DC=test,DC=loc

  dn:CN=Group-Type,CN=Schema,CN=Configuration,DC=test,DC=loc
  >searchFlags: 9 [INDEX(1);PRESERVE TOMBSTONE(8)]

  1 Objects returned

  adfind -sc scontainsl:grouptype

  G:\Temp>adfind -sc scontainsl:grouptype
  group

And you can test the various query efficiencies with something like

  adfind -b search_base -f search_filter -stats+only

  G:\Temp>adfind -default -f "(groupType<=-1)" -stats+only

  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

  Using server: r2dc2.test.loc:389
  Directory: Windows Server 2003
  Base DN: DC=test,DC=loc

  Statistics
  ==========
  Elapsed Time: 11 (ms)
  Returned 36 entries of 36 visited - (100.00%)

  Used Filter:
   (groupType<=-1)

  Used Indices:
   idx_groupType:36:N

  Analysis
  --------
  Hit Rate of 100.00% is Efficient

  Indices used:

   Index Name  : idx_groupType
   Record Count: 36 (estimate)
   Index Type  : Normal Attribute Index

  Filter Breakdown:
   (groupType<=-1)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Membership...
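The groupType arithmetic behind joe's shortcut, as an added example that is not code from the thread: groupType is a signed 32-bit integer whose sign bit is the SECURITY_ENABLED flag, so every security group is negative and every distribution group is non-negative, which is exactly what (groupType<=-1) and (groupType>=0) select. The script below decodes the flags and runs Mike's explicit OR filters and joe's range filters over a constructed set of groups; the well-known names (Administrators, Remote Desktop Users, Pre-Windows 2000 Compatible Access) carry the groupType AD assigns to builtin groups, the "DL" entries are made up. It shows concretely which groups Mike's three literal values drop.

```python
"""Added example, not code from the thread: decode the groupType attribute and
compare Mike's explicit OR filters with joe's (groupType<=-1)/(groupType>=0)
shortcut. groupType is a signed 32-bit integer whose sign bit is the
SECURITY_ENABLED flag, so every security group has a negative value and every
distribution group a non-negative one. The sample groups are constructed for
this example; the well-known names carry the groupType value AD assigns them."""

# ADS_GROUP_TYPE_ENUM flag values (Microsoft's public constants).
BUILTIN_LOCAL = 0x00000001
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000


def to_signed32(value):
    """Present a flag combination the way AD returns it (signed 32-bit)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_group_type(group_type):
    """Return (scope, security_enabled, builtin) for a groupType integer."""
    bits = group_type & 0xFFFFFFFF
    if bits & UNIVERSAL:
        scope = "universal"
    elif bits & GLOBAL:
        scope = "global"
    elif bits & DOMAIN_LOCAL:
        scope = "domain local"
    else:
        scope = "unknown"
    return scope, bool(bits & SECURITY_ENABLED), bool(bits & BUILTIN_LOCAL)


# Each filter is (LDAP filter string, equivalent predicate on groupType).
MIKE_SECURITY = (
    "(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640))",
    lambda gt: gt in (-2147483644, -2147483646, -2147483640),
)
MIKE_DISTRIBUTION = (
    "(|(groupType=8)(groupType=4)(groupType=2))",
    lambda gt: gt in (8, 4, 2),
)
JOE_SECURITY = ("(groupType<=-1)", lambda gt: gt <= -1)
JOE_DISTRIBUTION = ("(groupType>=0)", lambda gt: gt >= 0)

# Constructed sample: (name, groupType). Builtin groups such as Administrators
# carry BUILTIN_LOCAL|DOMAIN_LOCAL|SECURITY_ENABLED = -2147483643, which none
# of Mike's three literal values match.
SAMPLE_GROUPS = [
    ("Domain Admins", to_signed32(SECURITY_ENABLED | GLOBAL)),
    ("Enterprise Admins", to_signed32(SECURITY_ENABLED | UNIVERSAL)),
    ("Administrators", to_signed32(SECURITY_ENABLED | DOMAIN_LOCAL | BUILTIN_LOCAL)),
    ("Remote Desktop Users", to_signed32(SECURITY_ENABLED | DOMAIN_LOCAL | BUILTIN_LOCAL)),
    ("Pre-Windows 2000 Compatible Access", to_signed32(SECURITY_ENABLED | DOMAIN_LOCAL | BUILTIN_LOCAL)),
    ("All Staff DL", UNIVERSAL),        # made-up distribution list
    ("Site Printers", DOMAIN_LOCAL),    # made-up distribution list
]


def matches(filter_spec, groups):
    """Names the filter would return, in directory order."""
    _, predicate = filter_spec
    return [name for name, gt in groups if predicate(gt)]


def missed_by(narrow, broad, groups):
    """Groups the broad filter returns that the narrow one silently drops."""
    return sorted(set(matches(broad, groups)) - set(matches(narrow, groups)))


if __name__ == "__main__":
    for name, gt in SAMPLE_GROUPS:
        scope, sec, builtin = decode_group_type(gt)
        kind = "security" if sec else "distribution"
        print(f"{name:36} {gt:>12} {scope:12} {kind}{' builtin' if builtin else ''}")
    print("\nMissed by", MIKE_SECURITY[0], "->",
          missed_by(MIKE_SECURITY, JOE_SECURITY, SAMPLE_GROUPS))
    print("Missed by", MIKE_DISTRIBUTION[0], "->",
          missed_by(MIKE_DISTRIBUTION, JOE_DISTRIBUTION, SAMPLE_GROUPS))
```

The range form also has a practical edge over listing values: any future scope flag combination still lands on the right side of zero, so the audit list does not silently shrink when someone creates a group type the filter author did not anticipate.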
Re: [ActiveDir] Enumerating Group type and Membership...
Personally I like to find a good tool if it makes my life easier. In the area of user/group reporting one such tool is Hyena from Systemtools.com. I'm not sure how (in)efficient its ldap queries are when it's asked for nested group membership but I've never had to run it against an AD environment with more than a couple thousand users and groups. Even in those largest cases it's returned results in minutes or less so I wouldn't think a well setup environment would take more than say an hour for even a large AD structure (there I go assuming). Custom scripting is great when the problem is so trivial or so complex that standard off the shelf tools don't make sense, but for the majority of cases they just seem like a good investment to me =)

Andrew Fidel

Matt Hargraves [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/25/2006 05:54 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Membership...
RE: [ActiveDir] Enumerating Group type and Membership...
Hello,

First, please excuse my written English.

The script below enumerates all groups (and their members) of a user. Perhaps this can help you with your needs.

Bye

  Set WSHNetwork = WScript.CreateObject("WScript.Network")
  Set listegroupes = CreateObject("Scripting.Dictionary")   ' index -> group DN
  Set dejavu = CreateObject("Scripting.Dictionary")         ' group DN -> True, so a group is queued only once

  ' Create an LDAP object
  Set rootDSE = GetObject("LDAP://rootDSE")
  ' Create an ADO connection object
  Set Con = CreateObject("ADODB.Connection")
  ' Create an ADO command object
  Set ocommand = CreateObject("ADODB.Command")
  ' Get the domain we belong to
  sDomain = rootDSE.Get("defaultNamingContext")
  Set domain = GetObject("LDAP://" & sDomain)

  Nom_utilisateur = WSHNetwork.UserName
  Domaine_utilisateur = WSHNetwork.UserDomain

  If Not membrede(Nom_utilisateur) Then
      WScript.Echo "no group for user " & Nom_utilisateur & " (" & Domaine_utilisateur & ")"
  Else
      WScript.Echo "user " & Nom_utilisateur & " is member of :" & vbCrLf
      For Each Group In listegroupes.Items
          WScript.Echo "group -- " & Group & vbCrLf
      Next
  End If

  ' --- GROUP MEMBERSHIP LOOKUP ROUTINES ---
  Function membrede(nomuser)
      Con.Provider = "ADsDSOObject"
      Con.Open "Active Directory Provider"
      ocommand.ActiveConnection = Con

      ' build the LDAP request
      ' initialise the filters
      sfilteruser = "(&(objectClass=user)(|(name=" & nomuser & ")(sn=" & nomuser & ")(sAMAccountName=" & nomuser & ")))"   ' for the user
      sfiltergroup = "(objectClass=group)"   ' for groups
      ' attributes to return
      sAttribsToReturn = "memberOf"   ' to get the "member of" attribute
      ' initialise the search depth
      sDepth = "subTree"   ' everywhere in the domain

      ' direct membership
      macommand = "<" & domain.ADsPath & ">;" & sfilteruser & ";" & sAttribsToReturn & ";" & sDepth
      ocommand.CommandText = macommand
      Set rs = ocommand.Execute
      compteur = 0
      If rs.RecordCount = 1 Then
          rs.MoveFirst
          Do
              mo = rs.Fields("memberOf").Value
              If Not IsNull(mo) Then
                  For Each grp In mo
                      If Not dejavu.Exists(grp) Then
                          dejavu.Add grp, True
                          listegroupes.Add compteur, grp
                          compteur = compteur + 1
                      End If
                  Next
              Else
                  membrede = False
                  Exit Function
                  ' WScript.Echo "the account " & nomuser & " belongs to no group" & vbCrLf
              End If
              rs.MoveNext
          Loop While Not rs.EOF
      Else
          membrede = False
          Exit Function
          ' WScript.Echo "Small problem"
      End If

      ' indirect membership: walk memberOf of every group found so far
      index = 0
      Do
          macommand = "<LDAP://" & listegroupes(index) & ">;" & sfiltergroup & ";" & sAttribsToReturn & ";" & sDepth
          ' WScript.Echo macommand
          ocommand.CommandText = macommand
          Set rs = ocommand.Execute
          If rs.RecordCount > 0 Then
              rs.MoveFirst
              Do
                  mo = rs.Fields("memberOf").Value
                  If Not IsNull(mo) Then
                      For Each grp In mo
                          ' a group already queued is skipped: nested A -> B -> A would otherwise loop forever
                          If Not dejavu.Exists(grp) Then
                              dejavu.Add grp, True
                              listegroupes.Add compteur, grp
                              compteur = compteur + 1
                          End If
                          ' WScript.Echo grp
                      Next
                  Else
                      ' WScript.Echo "no memberOf for: " & listegroupes(index)
                  End If
                  rs.MoveNext
              Loop While Not rs.EOF
          Else
              ' WScript.Echo "no record found"
          End If
          index = index + 1
      Loop While index < compteur

      ' keep only the CN part of each group DN
      For Each cle In listegroupes
          grp = Right(listegroupes(cle), Len(listegroupes(cle)) - 3)
          p = InStr(1, grp, ",", 0)
          grp = Left(grp, p - 1)
          listegroupes(cle) = grp
      Next
      membrede = True
  End Function
  ' --- END GROUP MEMBERSHIP LOOKUP ROUTINES ---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, 25 July 2006 20:49
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Membership...
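Nested membership in both directions, as an added example that is not code from the thread: the VBScript above walks memberOf upward from one user, while the '+' expansion Matt wishes for in ADUC is the downward walk from a group through nested groups to the final members. Either walk needs a "seen" set, because AD permits cycles (group A a member of B and B a member of A) and an unguarded loop never terminates. The directory below is an in-memory stand-in with made-up DNs, users and groups; memberOf is derived from member the way AD's back-link works.

```python
"""Added example, not code from the thread: resolve nested group membership on
a constructed in-memory directory, in both directions. nested_groups_of() is
the upward memberOf walk the VBScript above performs for one user;
expand_members() is the downward walk from a group through nested groups to
its ultimate members. Both carry a 'seen' set so that cycles (A member of B,
B member of A) and diamonds terminate. All DNs, users and groups are made up."""
from collections import deque

BASE = "DC=example,DC=test"
U_MIKE = f"CN=mike,OU=Staff,{BASE}"
U_LAURA = f"CN=laura,OU=Staff,{BASE}"
G_HELPDESK = f"CN=Helpdesk,OU=Groups,{BASE}"
G_IT = f"CN=IT,OU=Groups,{BASE}"
G_ALL = f"CN=All Staff,OU=Groups,{BASE}"
G_LOOP_A = f"CN=Loop A,OU=Groups,{BASE}"
G_LOOP_B = f"CN=Loop B,OU=Groups,{BASE}"

# Constructed directory: group DN -> its 'member' attribute (forward link).
# In AD, memberOf is the back-link of member, so it is derived here, not stored.
MEMBER = {
    G_HELPDESK: [U_MIKE],
    G_IT: [G_HELPDESK, U_LAURA],
    G_ALL: [G_IT, G_HELPDESK],       # Helpdesk reachable by two paths (diamond)
    G_LOOP_A: [G_LOOP_B],
    G_LOOP_B: [G_LOOP_A, U_MIKE],    # A -> B -> A cycle
}


def member_of(dn):
    """Simulated memberOf back-link: groups that list dn as a direct member."""
    return [g for g, members in MEMBER.items() if dn in members]


def nested_groups_of(dn):
    """Transitive memberOf: every group dn belongs to directly or via nesting."""
    seen, queue = set(), deque(member_of(dn))
    while queue:
        group = queue.popleft()
        if group in seen:            # already expanded: cycle or diamond
            continue
        seen.add(group)
        queue.extend(member_of(group))
    return sorted(seen)


def expand_members(group_dn):
    """Transitive member: each non-group object reachable from group_dn,
    mapped to the chain of groups through which it was first reached."""
    found, seen = {}, set()
    stack = [(group_dn, ())]
    while stack:
        group, path = stack.pop()
        if group in seen:            # do not expand the same group twice
            continue
        seen.add(group)
        for member in MEMBER.get(group, []):
            if member in MEMBER:                 # nested group: keep walking
                stack.append((member, path + (group,)))
            else:
                found.setdefault(member, path + (group,))
    return found


def rdn(dn):
    """CN part of a DN; like the script's Right/InStr trick it assumes no escaped commas."""
    return dn.split(",", 1)[0][len("CN="):]


if __name__ == "__main__":
    print(f"{rdn(U_MIKE)} is (transitively) a member of:")
    for g in nested_groups_of(U_MIKE):
        print("  --", rdn(g))
    for top in (G_ALL, G_LOOP_A):
        print(f"\nGROUP: {rdn(top)}")
        for member, path in expand_members(top).items():
            print("  ", rdn(member), "via", " > ".join(rdn(p) for p in path))
```

Against a live directory the two lookups map onto the memberOf and member attributes (or, for a single flattened answer, the LDAP_MATCHING_RULE_IN_CHAIN matching rule); the point of the in-memory version is the termination logic, which any report of nested membership needs regardless of the tool that produces it.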
[ActiveDir] Enumerating Group type and Membership...
All,

I'm trying to enumerate all groups in my AD environment. I need to get Group name, group type and group members for each group. I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back everything I need - any help would be great!

In a perfect world :-) I need a list of all security groups and distribution groups and their members.

Thanks,
Mike

Enumerate Security Groups and Members in Domain

  csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp

Enumerate Distribution Groups and Members in Domain

  csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp
RE: [ActiveDir] Enumerating Group type and Membership...
What is "everything [you] need", specifically?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Membership...
Re: [ActiveDir] Enumerating Group type and Membership...
Give Joe's adfind a spin; there is a good article here that may help too (nice adfind examples): http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Enumerating Group type and Membership...
I need all Security Groups and Distribution groups and their members.

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Membership...
Re: [ActiveDir] Enumerating Group type and Membership...
You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting. That would be an awesome feature in the ADUC. Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Enumerating Group type and Membership...
We're medium size, and yes, someone does want a current outdated list :-) - just trying to make it happen.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Membership...
Re: [ActiveDir] Enumerating Group type and Membership...
Getting a list of groups is easy... getting it all enumerated will be a bit more complex, though not terribly so.

The ADUC allows you to create queries and list all security groups. You can then export this list to a file. Once you have the file, you need to import that list into Excel (pretty easy), then run a VBScript against it with LDAP or ADSI scripting in it (or something like that) to enumerate group members. If they want nested members also, then you've got a lot more complex issue, but I would just state that it's not practical and let him work with the current list.

Hopefully the resulting gargantuan file will be enough to make anyone choke and stop making ridiculous requests that they don't understand the futility of. Enumerating 10k groups simply so that you can toss the list out later that week because it's just going to get more and more out of date is worse than silly, it's a waste of company effort (and money).

Make it too easy for him to generate that report and soon he'll be wanting to see what items they have access to in the environment, so you'll end up enumerating out all files and shares and rights assignments on computers.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Enumerating Group type and Membership...
Ugh, this sounds exactly like the SOX audit our company is currently going through. People asking for reports and screenshots of things they simply don't understand. It's a joy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Membership...
RE: [ActiveDir] Enumerating Group type and Mebership...
Hi,

Try these (if you don't get any better answers from the gurus):

For just groups and their membership (batch file):

dsquery group > all-groups.txt
for /f "tokens=1* delims=}" %a in (all-groups.txt) do @(echo GROUP:%a & dsget group %a -members) >> group-members.txt

For groups, type and membership (vbs file):

' To output to a text file use:
' cscript //nologo test.vbs > filename.txt

Option Explicit

Dim objConn      ' ADODB.Connection
Dim objCommand   ' ADODB.Command
Dim objRS        ' ADODB.Recordset
Dim objRootDSE   ' RootDSE
Dim objGroup     ' AD Group
Dim strDNSDomain ' String
Dim strQuery     ' String
Dim strDN        ' String

' Bind to the Root Container
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

' Create our Command Object
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Search for all groups, return the Distinguished Name of each.
strQuery = "<LDAP://" & strDNSDomain & ">;(objectClass=group);distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRS = objCommand.Execute

If objRS.EOF Then
    Wscript.Echo "No groups found"
    objConn.Close
    Set objRootDSE = Nothing
    Set objConn = Nothing
    Set objCommand = Nothing
    Set objRS = Nothing
    Wscript.Quit
End If

' Enumerate all groups, bind to each, and document group members.
Do Until objRS.EOF
    strDN = objRS.Fields("distinguishedName")
    Set objGroup = GetObject("LDAP://" & strDN)
    'Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"
    'If objGroup.GroupType = 2 Or objGroup.GroupType = 4 Or objGroup.GroupType = 8 Then
        Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"
        Call GetMembers(objGroup)
    'End If
    objRS.MoveNext
Loop

' Clean up.
objConn.Close
Set objRootDSE = Nothing
Set objGroup = Nothing
Set objConn = Nothing
Set objCommand = Nothing
Set objRS = Nothing

Function GetType(intType)
    ' Function to determine group type from the GroupType attribute.
    ' Low bits give the scope; &H80000000 is the security-enabled flag.
    If (intType And &H01) <> 0 Then
        GetType = "Built-in"
    ElseIf (intType And &H02) <> 0 Then
        GetType = "Global"
    ElseIf (intType And &H04) <> 0 Then
        GetType = "Local"
    ElseIf (intType And &H08) <> 0 Then
        GetType = "Universal"
    End If
    If (intType And &H80000000) <> 0 Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function

Sub GetMembers(objADObject)
    ' Subroutine to document group membership.
    ' Members can be users or groups.
    Dim objMember, strType
    For Each objMember In objADObject.Members
        If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then
            strType = "Group"
        Else
            strType = "User"
        End If
        Wscript.Echo "  Member: " & objMember.sAMAccountName & " (" & strType & ")"
    Next
    WScript.Echo
    Set objMember = Nothing
End Sub

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Wednesday, 26 July 2006 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

We're medium size and yes, someone does want a current outdated list :-) - Just trying to make it happen.
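Ken's GetMembers subroutine lists each group's direct members and tags them Group or User from the objectCategory RDN; Matt's earlier point was that nested membership is where the job gets harder. The Python below is an added example, not code from Ken's mail or from any poster. It applies the same objectCategory test to an in-memory stand-in for the directory (constructed sample entries under a fictional DC=example,DC=local, no live LDAP), lists direct members the way the VBScript does, then follows nesting with a visited set so a group that directly or indirectly contains itself does not recurse forever, and flags member DNs that no longer resolve to an entry. In practice the snapshot would come from a csvde/ldifde export or from an ADSI query like the one in Ken's script.

```python
# Added example (not from the thread): direct and nested AD group membership
# over a constructed in-memory snapshot of directory entries. Keys are DNs;
# values hold the attributes Ken's script reads. DC=example,DC=local is a
# fictional domain used only for this sample.

GROUP_CATEGORY = "CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local"
PERSON_CATEGORY = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local"

DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=local"
SERVER_OPS = "CN=Server Ops,OU=Groups,DC=example,DC=local"
ALICE = "CN=Alice,CN=Users,DC=example,DC=local"
BOB = "CN=Bob,CN=Users,DC=example,DC=local"
GHOST = "CN=Ghost,CN=Users,DC=example,DC=local"  # no entry: deleted or foreign object

DIRECTORY = {
    DOMAIN_ADMINS: {"objectCategory": GROUP_CATEGORY, "sAMAccountName": "Domain Admins",
                    "member": [ALICE, SERVER_OPS]},
    # Server Ops contains Domain Admins, which contains Server Ops: a nesting loop.
    SERVER_OPS: {"objectCategory": GROUP_CATEGORY, "sAMAccountName": "Server Ops",
                 "member": [BOB, DOMAIN_ADMINS, GHOST]},
    ALICE: {"objectCategory": PERSON_CATEGORY, "sAMAccountName": "alice"},
    BOB: {"objectCategory": PERSON_CATEGORY, "sAMAccountName": "bob"},
}


def is_group(entry):
    """Same test as Ken's UCase(Left(objectCategory, 8)) = "CN=GROUP"."""
    first_rdn = entry["objectCategory"].split(",", 1)[0].strip().upper()
    return first_rdn == "CN=GROUP"


def direct_members(group_dn, directory=DIRECTORY):
    """Direct members as (sAMAccountName, 'Group'|'User'), like GetMembers.

    A member DN with no entry in the snapshot is reported as 'Unknown'
    rather than silently skipped, since auditors usually want to see it.
    """
    result = []
    for member_dn in directory[group_dn].get("member", []):
        entry = directory.get(member_dn)
        if entry is None:
            result.append((member_dn, "Unknown"))
            continue
        kind = "Group" if is_group(entry) else "User"
        result.append((entry["sAMAccountName"], kind))
    return result


def effective_users(group_dn, directory=DIRECTORY):
    """Users reachable through any depth of nesting, plus the groups traversed.

    A visited set terminates nesting loops (A contains B contains A).
    Returns (sorted user names, sorted nested group names).
    """
    users, groups, seen = set(), set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member_dn in directory[dn].get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                continue  # dangling DN: nothing to expand
            if is_group(entry):
                groups.add(entry["sAMAccountName"])
                stack.append(member_dn)
            else:
                users.add(entry["sAMAccountName"])
    return sorted(users), sorted(groups)


def report(directory=DIRECTORY):
    """One block per group in the layout Ken's script prints, plus effective users."""
    lines = []
    for dn, entry in sorted(directory.items()):
        if not is_group(entry):
            continue
        lines.append(entry["sAMAccountName"])
        for name, kind in direct_members(dn, directory):
            lines.append("  Member: %s (%s)" % (name, kind))
        users, _ = effective_users(dn, directory)
        lines.append("  Effective users: %s" % ", ".join(users))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Note that "Domain Admins" appears among its own nested groups in the sample, because the constructed data nests it inside Server Ops, which it in turn contains; the visited set is what keeps that loop from becoming an infinite walk, and the same guard is needed in any script that follows the '+' through nesting the way Matt wished ADUC would.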
RE: [ActiveDir] Enumerating Group type and Mebership...
dsquery group -limit 0 | dsget group -members

I think that works (not near AD env).

adfind -b <domain root> -f "(objectcategory=group)" cn member

Something like that

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Schaefer
Sent: Tuesday, July 25, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...