RE: [ActiveDir] Query out all user members in nested groups
Hi Aaron,

this is simple, you can either do a LDAP-Query against the members attribute of the group using different utilities, or use dsget which does the work for you:

Using the groups DistinguishedName:

    dsget group cn=mygroup,cn=users,dc=mydomain,dc=com -members

or via the groups name

    dsquery group domainroot -name mygroup | dsget group -members

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Aaron Seet
|Sent: Friday, November 25, 2005 11:53 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Query out all user members in nested groups
|
|I am trying to find a way to list all user accounts that are members of a
|given group, _including_ those in nested groups. I didn't find anything useful
|in my cache of historical LDAP emails, and it seems from the internet people
|are more interested in finding what groups a user has membership in - opposite
|to my perspective.
|
|Any advice if this is possible? thanks,
|
|Aaron

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Query out all user members in nested groups
Ulf B. Simon-Weidner wrote:
> Hi Aaron,
>
> this is simple, you can either do a LDAP-Query against the members attribute
> of the group using different utilities, or use dsget which does the work for
> you:
>
> Using the groups DistinguishedName:
>
> dsget group cn=mygroup,cn=users,dc=mydomain,dc=com -members
>
> or via the groups name
>
> dsquery group domainroot -name mygroup | dsget group -members

But using dsquery in this way you are not able to un-nest group membership. You have to make some script around this to be able to track the group membership of a user through nested groups.

--
Tomasz Onyszko
http://www.w2k.pl
RE: [ActiveDir] Query out all user members in nested groups
Hello @,

The option "-expand" might help:

    dsget group cn=mygroup,cn=users,dc=mydomain,dc=com -members -expand

Best regards,

Martin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Friday, November 25, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Query out all user members in nested groups

Ulf B. Simon-Weidner wrote:
> Hi Aaron,
>
> this is simple, you can either do a LDAP-Query against the members attribute
> of the group using different utilities, or use dsget which does the work for
> you:
>
> Using the groups DistinguishedName:
>
> dsget group cn=mygroup,cn=users,dc=mydomain,dc=com -members
>
> or via the groups name
>
> dsquery group domainroot -name mygroup | dsget group -members
>

But using dsquery in this way you are not able to un-nest group membership.
You have to make some script around this to be able to track the group
membership of a user through nested groups.

--
Tomasz Onyszko
http://www.w2k.pl
Re: [ActiveDir] Query out all user members in nested groups
I believe Joe's memberOf tool is what you are looking for:

--
http://joeware.net/win/free/tools/memberof.htm
RE: [ActiveDir] Query out all user members in nested groups
Robbie Allen's AD Cookbook covers this topic as well:

http://rallenhome.com/books/adcookbook/src/07.03-view_nested_group_membership.vbs.txt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Friday, November 25, 2005 5:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query out all user members in nested groups

I am trying to find a way to list all user accounts that are members of a given group, _including_ those in nested groups. I didn't find anything useful in my cache of historical LDAP emails, and it seems from the internet people are more interested in finding what groups a user has membership in - opposite to my perspective.

Any advice if this is possible? thanks,

Aaron
RE: [ActiveDir] Query out all user members in nested groups
Aahrg - thought if I want to put this into the reply as well but haven't read the _including nested groups_ - I thought he just wanted the direct members. So yes - use expanded.

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
|Sent: Friday, November 25, 2005 1:17 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Query out all user members in nested groups
|
|Hello @,
|
|The option "-expand" might help:
|
|dsget group cn=mygroup,cn=users,dc=mydomain,dc=com -members -expand
|
|Best regards,
|
|Martin
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Friday, November 25, 2005 1:06 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Query out all user members in nested groups
|
|Ulf B. Simon-Weidner wrote:
|> Hi Aaron,
|>
|> this is simple, you can either do a LDAP-Query against the members
|> attribute of the group using different utilities, or use dsget which
|> does the work for
|> you:
|>
|> Using the groups DistinguishedName:
|>
|> dsget group cn=mygroup,cn=users,dc=mydomain,dc=com -members
|>
|> or via the groups name
|>
|> dsquery group domainroot -name mygroup | dsget group -members
|>
|
|But using dsquery in this way you are not able to un-nest group membership.
|You have to make some script around this to be able to track the group
|membership of a user through nested groups.
|
|--
|Tomasz Onyszko
|http://www.w2k.pl
RE: [ActiveDir] Query out all user members in nested groups
I apologize for leaving out crucial information.

I am trying to enhance (less-than-optimal) .NET code, so this involves the use of DirectorySearcher and SearchResult classes in the System.DirectoryServices namespace.

The current implementation takes the top-level group name and searches for it, then loops through the "member" collection returned (part of the SearchResult.Properties collection), determining which is a User and which is a Group. For those identified as Groups, they are put through their own level of Members search. For each User that is retrieved, yet another search is performed to get their logon name (appears the results of the Member collection shows only Full Name property of Users). So in an example scenario, that can result in 200+ calls for individual User query, taking some 179 seconds.

My immediate idea was to find a way to make a single chunky query rather than numerous small queries (similar to SQL query advice), so I wondered if there is an LDAP search pattern that can have itself recursively drill down all groups and return me the Logon names in one fell swoop. If that is not possible, then the next best thing would be to return all Users' Logon names in a Group rather than the Full name.

Aaron
RE: [ActiveDir] Query out all user members in nested groups
My response is assuming that you are using the old DirectoryServices stuff and not the newer 2.0 DS.Protocols stuff. With that caveat, most DS .NET code is less than optimal as it relies on ADSI which is in itself less than optimal.

Group enumeration is great because it uses multiple queries to get ANYTHING besides the DN of the members. So if you say query a group and you even know that a member is not a user, you have already done the query for the group, and another query for that member. So to enumerate a group of 500 members and display a full name or object type or anything besides a DN, ADSI has already done another query on your behalf to return the info for each member you have displayed so you would have done 501 queries at that point. If you have to force additional queries beyond that, well that is above and beyond.

The only thing that is close to what you are asking for is something MS added to K3 AD reachable only if you are using pure LDAP (not ADSI calls) is called an attribute scoped query. Basically it allows you to do a BASE level query of AD and tell it to return a specific Object to you (i.e. you can't do a subtree search, you already need the DN of the object) but instead of getting members as DNs, you can tell the AD to return to you any of the attributes of each of the members or even to return only specific members (say the users or the groups).

You can learn more here

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/performing_an_attribute_scoped_query.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_asq_oid.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_searchpref_enum.asp

Note, I just noticed the filter they use in the example of link 1 may not be optimal. It isn't normally but it depends entirely on the implementation in the backend as I don't expect the query is actually sent through the normal process. I tried to find the implementation in the source to verify because track it down. So I will send a note onto the MSDN folks to see if it can be verified. The possibly non-optimal piece is the filter objectclass=user.

I don't use .NET, but it looks like there is some chatter on this, see

http://msdn.microsoft.com/msdnmag/issues/05/12/DirectoryServices/default.aspx
http://winfx.msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/T_System_DirectoryServices_Protocols_AsqRequestControl.asp

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Saturday, November 26, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query out all user members in nested groups

I apologize for leaving out crucial information.

I am trying to enhance (less-than-optimal) .NET code, so this involves the use of DirectorySearcher and SearchResult classes in the System.DirectoryServices namespace.

The current implementation takes the top-level group name and searches for it, then loops through the "member" collection returned (part of the SearchResult.Properties collection), determining which is a User and which is a Group. For those identified as Groups, they are put through their own level of Members search. For each User that is retrieved, yet another search is performed to get their logon name (appears the results of the Member collection shows only Full Name property of Users). So in an example scenario, that can result in 200+ calls for individual User query, taking some 179 seconds.

My immediate idea was to find a way to make a single chunky query rather than numerous small queries (similar to SQL query advice), so I wondered if there is an LDAP search pattern that can have itself recursively drill down all groups and return me the Logon names in one fell swoop. If that is not possible, then the next best thing would be to return all Users' Logon names in a Group rather than the Full name.

Aaron
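Added example (my own code, not from the thread or from any poster): an in-memory stand-in for the directory that models the two query patterns discussed above. `expand_naive` is the pattern Aaron describes and joe explains (one read per member to learn anything beyond its DN, then another read per user for the logon name); `expand_batched` collects the DNs of one nesting level and fetches their attributes in a single compound-filter search. Both de-duplicate members reachable by several paths and stop on nesting cycles. The `FakeLdap` class, its `read`/`search` methods, the `batch_filter` approach and the sample objects are assumptions of this example; a real client would send the same filters through System.DirectoryServices or any LDAP library. The sample also includes a computer object, because in AD computers are `objectClass=user` too, which is the over-match behind joe's remark about that filter.

```python
from collections import deque

# Constructed sample directory (not real data): DN -> attributes. svc-build is a
# computer; AD computers carry objectClass=user, so objectClass=user over-matches.
U = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = {
    "CN=Engineers,OU=Home,DC=example,DC=local": {
        "objectClass": ["top", "group"], "objectCategory": "group",
        "member": ["CN=Alice Smith,OU=Home,DC=example,DC=local",
                   "CN=Backend,OU=Home,DC=example,DC=local"]},
    "CN=Backend,OU=Home,DC=example,DC=local": {
        "objectClass": ["top", "group"], "objectCategory": "group",
        "member": ["CN=Bob Jones,OU=Home,DC=example,DC=local",
                   "CN=Alice Smith,OU=Home,DC=example,DC=local",  # reachable twice
                   "CN=Engineers,OU=Home,DC=example,DC=local",    # nesting cycle
                   "CN=svc-build,OU=Home,DC=example,DC=local"]},
    "CN=Alice Smith,OU=Home,DC=example,DC=local": {
        "objectClass": U, "objectCategory": "person", "sAMAccountName": "asmith"},
    "CN=Bob Jones,OU=Home,DC=example,DC=local": {
        "objectClass": U, "objectCategory": "person", "sAMAccountName": "bjones"},
    "CN=svc-build,OU=Home,DC=example,DC=local": {
        "objectClass": U + ["computer"], "objectCategory": "computer",
        "sAMAccountName": "SVC-BUILD$"},
}


def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a filter: a DN read back from the
    directory may contain ( ) * or \\ and must not be able to change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def batch_filter(dns):
    """One filter selecting every listed object (assumed approach, not ASQ):
    (|(distinguishedName=A)(distinguishedName=B)...)"""
    return "(|" + "".join("(distinguishedName=%s)" % ldap_escape(d) for d in sorted(dns)) + ")"


class FakeLdap:
    """Assumed stand-in for an LDAP connection that counts round trips."""
    def __init__(self, data):
        self.data, self.round_trips = data, 0

    def read(self, dn, attrs):
        """Base-scope read of one object: one round trip, as ADSI does per member."""
        self.round_trips += 1
        return {a: self.data[dn].get(a) for a in attrs}

    def search(self, dns, attrs):
        """Subtree search with batch_filter(dns): one round trip for all of them."""
        self.round_trips += 1
        return {dn: {a: self.data[dn].get(a) for a in attrs} for dn in dns}


def is_person_user(obj):
    """Equivalent of (&(objectCategory=person)(objectClass=user)); drops computers."""
    return "user" in obj["objectClass"] and obj["objectCategory"] == "person"


def expand_naive(ldap, group_dn):
    """Per-member reads, the pattern Aaron describes; returns sorted logon names."""
    seen, queue, logons = {group_dn}, deque([group_dn]), set()
    while queue:
        for dn in ldap.read(queue.popleft(), ["member"])["member"]:
            if dn in seen:            # de-duplicates and breaks nesting cycles
                continue
            seen.add(dn)
            obj = ldap.read(dn, ["objectClass", "objectCategory"])
            if "group" in obj["objectClass"]:
                queue.append(dn)
            elif is_person_user(obj):  # yet another read just for the logon name
                logons.add(ldap.read(dn, ["sAMAccountName"])["sAMAccountName"])
    return sorted(logons)


def expand_batched(ldap, group_dn):
    """One compound search per nesting level instead of one read per member."""
    seen, frontier, logons = {group_dn}, [group_dn], set()
    while frontier:
        members = set()
        for g in frontier:             # still one read per group for its member list
            members.update(ldap.read(g, ["member"])["member"])
        members -= seen                # skip objects already classified
        seen |= members
        if not members:
            break
        rows = ldap.search(members, ["objectClass", "objectCategory", "sAMAccountName"])
        frontier = [dn for dn, o in rows.items() if "group" in o["objectClass"]]
        logons |= {o["sAMAccountName"] for o in rows.values() if is_person_user(o)}
    return sorted(logons)


def compare(group_dn):
    """Run both strategies on fresh connections: (logon names, naive trips, batched trips)."""
    a, b = FakeLdap(DIRECTORY), FakeLdap(DIRECTORY)
    names = expand_naive(a, group_dn)
    assert names == expand_batched(b, group_dn)
    return names, a.round_trips, b.round_trips


if __name__ == "__main__":
    print(compare("CN=Engineers,OU=Home,DC=example,DC=local"))
```

On the constructed data the naive walk costs 8 round trips and the batched walk 4; the gap grows with the member count, since the batched version pays one search per nesting level rather than two reads per user. A compound OR filter has a practical length limit, so a real client chunks large levels into several searches. Domain controllers from Windows Server 2003 SP2 onward also accept the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) in a filter such as `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, which has the server do the whole recursion in one query; that is outside this 2005 thread, so the example above shows the client-side approach.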
RE: [ActiveDir] Query out all user members in nested groups
Unfortunately it won't expand groups, it goes the other way, finds all (or most all) memberships a user has. I have a couple of scripts that do this but nothing I can share publicly as they were written for customers. I keep meaning to write a tool to do it. I really want to write it though to do ASQ queries (as mentioned twice before today actually) but that only works against K3. I wish people would stop using 2K. ;o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, November 25, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Query out all user members in nested groups

I believe Joe's memberOf tool is what you are looking for:

--
http://joeware.net/win/free/tools/memberof.htm
RE: [ActiveDir] Query out all user members in nested groups
Thanks, I will see if those articles bring me closer to the task.

Meanwhile for those who have touch with .NET, I was taking a cue from recommendation of the DirectoryEntry class, and decided to run a little experiment with that class instead; see what it is capable of. The tutorial logic made it look _simple_enough_, just instantiate it

    this.directoryNode = new DirectoryEntry("LDAP://cn=Engineers,ou=Home,dc=riotangel,dc=local");

and then loop through its children

    foreach (DirectoryEntry child in directoryNode.Children)
    {
        TreeNode newNode = new TreeNode(child.Name);
        switch (child.SchemaClassName)
        {
            case "user" :   // SchemaClassName is the LDAP class name, lower-case
                // something
                break;
            case "group" :
                // something
                break;
        }
    }

but in reality, the Children collection is _empty_. I am wondering how I could get it to load its children tree, even if large? There is nothing within that class to specify any special form of loading.

Regards,
Aaron

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 26 November 2005 22:58

I don't use .NET, but it looks like there is some chatter on this, see