Re: List members of Global group in NT domain.

07/10/2007, 11h34

Afsal wrote:

> My Boss wants list of members in 4 global groups in NT domain, in
> following format,
> 1. Full Name
> 2. NT logon Name
> 3. The group the user is member of (out of the 4 groups)
> Each group has about 200 users and it is impossible to get user
> information
> using net groups or global(NT Resource kit utility) commands.
> Any scripting ?
>
> Thank you in Advance.

It can be done using ADO in a VBScript program. To trick is to query on
users that have any of the 4 group Distinguished Names in their memberOf
attribute. You must specify the full Distinguished Names of the groups. By
"Full Name" I assume you mean the Common Name (the value of the cn
attribute).

Retrieving the values of the cn and sAMAccountName attributes is easy. The
hard part is also outputing which of the 4 groups the user belongs to. The
only way I can think of is to retrieve all group memberships, loop through
them, and test for each of the 4. In the example below I delimit the values
with semicolons.
===========
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset
Dim strGroup1, strGroup2, strGroup3, strGroup4
Dim strCN, strNTName, arrGroups, strGroup, strList

' Specify Distinguished Names of groups.
strGroup1 = "cn=Sales,ou=West,dc=MyDomain,dc=com"
strGroup2 = "cn=Engr,ou=East,dc=MyDomain,dc=com"
strGroup3 = "cn=Accounting,ou=North,dc=MyDomain,dc=com"
strGroup4 = "cn=IT,ou=South,dc=MyDomain,dc=com"

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all users that are members of any of 4 groups.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(|" _
& "(memberOf=" & strGroup1 & ")" _
& "(memberOf=" & strGroup2 & ")" _
& "(memberOf=" & strGroup3 & ")" _
& "(memberOf=" & strGroup4 & ")" _
& "))" _

' Comma delimited list of attribute values to retrieve.
strAttributes = "cn,sAMAccountName,memberOf"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strCN = adoRecordset.Fields("cn").Value
strNTName = adoRecordset.Fields("sAMAccountName").Value
arrGroups = adoRecordset.Fields("memberOf").Value
strList = ""
' We know there is at least one group membership.
' Only list memberships in any of the 4 specified.
For Each strGroup In arrGroups
If (strGroup = strGroup1) Or (strGroup = strGroup2) _
Or (strGroup = strGroup3) Or (strGroup = strGroup4) Then
strList = strList & ";" & strGroup
End If
Next
' The value of strList starts with ";".
Wscript.Echo strCN & ";" & strNTName & strList
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
===============
For more on using ADO in VBScript programs, see this link:

http://www.rlmueller.net/ADOSearchTips.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

11/10/2007, 04h20

My apologies. I missed that your domain is NT. ADO cannot be used in NT
domains, because NT is not LDAP compliant. You cannot use the LDAP provider
in NT domains, you must use the WinNT provider. I can think of a few ways,
but all are brute force methods and slow. The most direct method is to bind
to the 4 groups, bind to the domain, enumerate all users in the domain and
for each user check if they are a member of any of 4 groups (using the
IsMember method of the group).
===============
' Bind to the four groups.
Set objGroup1 = GetObject("WinNT://RAC_Master/DIP_Acorde_Admin,group")
Set objGroup2 = GetObject("WinNT://RAC_Master/Accounting,group")
Set objGroup3 = GetObject("WinNT://RAC_Master/Sales,group")
Set objGroup4 = GetObject("WinNT://RAC_Master/Engineering,group")

' Bind to the domain.
Set objDomain = GetObject("WinNT://RAC_Master")
' Filter on user objects.
objDomain.Filter = Array("user")

' Enumerate all users in the domain.
For Each objUser In objDomain
' Keep track of which of the 4 groups the user is a member.
' The IsMember method returns True or False.
blnGroup1 = objGroup1.IsMember(objUser.AdsPath)
blnGroup2 = objGroup1.IsMember(objUser.AdsPath)
blnGroup3 = objGroup1.IsMember(objUser.AdsPath)
blnGroup4 = objGroup1.IsMember(objUser.AdsPath)
' Output only if user is a member of at least one of the groups.
If (blnGroup1 = True) Or (blnGroup2 = True) _
Or (blnGroup3 = True) Or (blnGroup4 = True) Then
Wscript.Echo objUser.FullName & "," & objUser.Name _
& "," & CStr(blnGroup1) & "," & CStr(blnGroup2) _
& "," & CStr(blnGroup2) & "," & CStr(blnGroup4)
End If
Next
===========
In the above I delimited values with commas. The last four values are True
or False depending on which groups the user is a member. The output can be
redirected to a text file and read into a spreadsheet. This method requires
binding to all users, which can be slow if there are many users.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Afsal" <afsal@AVIVA> wrote in message
news:3B3375BD-D2D8-41B3-A77D-6523153462EA@microsoft.com...
>
>
> Dear Richard Mueller,
>
> I have following issue with the script. Since I work in
> the NT domain, I dont know how to convert the following lines in your
> code:
>
> strGroup1 = "cn=Sales,ou=West,dc=MyDomain,dc=com"
> strGroup2 = "cn=Engr,ou=East,dc=MyDomain,dc=com"
> strGroup3 = "cn=Accounting,ou=North,dc=MyDomain,dc=com"
> strGroup4 = "cn=IT,ou=South,dc=MyDomain,dc=com"
>
> MY domain is RAC_MASTER, and one of the user group is DIP_Acorde_Admin. I
> also tried using the script in the your site EnumGroup.vbs but ran into
> similar problem.
>
> My issue now to write my NT domain RAC_MASTER, group DIP_Acorde_Admin as
> in
> the syntax below
> "cn=Accounting,ou=North,dc=MyDomain,dc=com"
> I tried the following but with no success
> cn=DIP_Acorde_Admin, dc=RAC_MASTER
>

07/10/2007, 11h34	#1
Richard Mueller [MVP] Messages: n/a Hébergeur:	Re: List members of Global group in NT domain. Afsal wrote: > My Boss wants list of members in 4 global groups in NT domain, in > following format, > 1. Full Name > 2. NT logon Name > 3. The group the user is member of (out of the 4 groups) > Each group has about 200 users and it is impossible to get user > information > using net groups or global(NT Resource kit utility) commands. > Any scripting ? > > Thank you in Advance. It can be done using ADO in a VBScript program. To trick is to query on users that have any of the 4 group Distinguished Names in their memberOf attribute. You must specify the full Distinguished Names of the groups. By "Full Name" I assume you mean the Common Name (the value of the cn attribute). Retrieving the values of the cn and sAMAccountName attributes is easy. The hard part is also outputing which of the 4 groups the user belongs to. The only way I can think of is to retrieve all group memberships, loop through them, and test for each of the 4. In the example below I delimit the values with semicolons. =========== Option Explicit Dim adoCommand, adoConnection, strBase, strFilter, strAttributes Dim objRootDSE, strDNSDomain, strQuery, adoRecordset Dim strGroup1, strGroup2, strGroup3, strGroup4 Dim strCN, strNTName, arrGroups, strGroup, strList ' Specify Distinguished Names of groups. strGroup1 = "cn=Sales,ou=West,dc=MyDomain,dc=com" strGroup2 = "cn=Engr,ou=East,dc=MyDomain,dc=com" strGroup3 = "cn=Accounting,ou=North,dc=MyDomain,dc=com" strGroup4 = "cn=IT,ou=South,dc=MyDomain,dc=com" ' Setup ADO objects. Set adoCommand = CreateObject("ADODB.Command") Set adoConnection = CreateObject("ADODB.Connection") adoConnection.Provider = "ADsDSOObject" adoConnection.Open "Active Directory Provider" adoCommand.ActiveConnection = adoConnection ' Search entire Active Directory domain. Set objRootDSE = GetObject("LDAP://RootDSE") strDNSDomain = objRootDSE.Get("defaultNamingContext") strBase = "<LDAP://" & strDNSDomain & ">" ' Filter on all users that are members of any of 4 groups. strFilter = "(&(objectCategory=person)(objectClass=user)" _ & "(\|" _ & "(memberOf=" & strGroup1 & ")" _ & "(memberOf=" & strGroup2 & ")" _ & "(memberOf=" & strGroup3 & ")" _ & "(memberOf=" & strGroup4 & ")" _ & "))" _ ' Comma delimited list of attribute values to retrieve. strAttributes = "cn,sAMAccountName,memberOf" ' Construct the LDAP syntax query. strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" adoCommand.CommandText = strQuery adoCommand.Properties("Page Size") = 100 adoCommand.Properties("Timeout") = 30 adoCommand.Properties("Cache Results") = False ' Run the query. Set adoRecordset = adoCommand.Execute ' Enumerate the resulting recordset. Do Until adoRecordset.EOF ' Retrieve values. strCN = adoRecordset.Fields("cn").Value strNTName = adoRecordset.Fields("sAMAccountName").Value arrGroups = adoRecordset.Fields("memberOf").Value strList = "" ' We know there is at least one group membership. ' Only list memberships in any of the 4 specified. For Each strGroup In arrGroups If (strGroup = strGroup1) Or (strGroup = strGroup2) _ Or (strGroup = strGroup3) Or (strGroup = strGroup4) Then strList = strList & ";" & strGroup End If Next ' The value of strList starts with ";". Wscript.Echo strCN & ";" & strNTName & strList ' Move to the next record in the recordset. adoRecordset.MoveNext Loop ' Clean up. adoRecordset.Close adoConnection.Close =============== For more on using ADO in VBScript programs, see this link: http://www.rlmueller.net/ADOSearchTips.htm -- Richard Mueller Microsoft MVP Scripting and ADSI Hilltop Lab - http://www.rlmueller.net --

11/10/2007, 04h20	#2
Richard Mueller [MVP] Messages: n/a Hébergeur:	Re: List members of Global group in NT domain. My apologies. I missed that your domain is NT. ADO cannot be used in NT domains, because NT is not LDAP compliant. You cannot use the LDAP provider in NT domains, you must use the WinNT provider. I can think of a few ways, but all are brute force methods and slow. The most direct method is to bind to the 4 groups, bind to the domain, enumerate all users in the domain and for each user check if they are a member of any of 4 groups (using the IsMember method of the group). =============== ' Bind to the four groups. Set objGroup1 = GetObject("WinNT://RAC_Master/DIP_Acorde_Admin,group") Set objGroup2 = GetObject("WinNT://RAC_Master/Accounting,group") Set objGroup3 = GetObject("WinNT://RAC_Master/Sales,group") Set objGroup4 = GetObject("WinNT://RAC_Master/Engineering,group") ' Bind to the domain. Set objDomain = GetObject("WinNT://RAC_Master") ' Filter on user objects. objDomain.Filter = Array("user") ' Enumerate all users in the domain. For Each objUser In objDomain ' Keep track of which of the 4 groups the user is a member. ' The IsMember method returns True or False. blnGroup1 = objGroup1.IsMember(objUser.AdsPath) blnGroup2 = objGroup1.IsMember(objUser.AdsPath) blnGroup3 = objGroup1.IsMember(objUser.AdsPath) blnGroup4 = objGroup1.IsMember(objUser.AdsPath) ' Output only if user is a member of at least one of the groups. If (blnGroup1 = True) Or (blnGroup2 = True) _ Or (blnGroup3 = True) Or (blnGroup4 = True) Then Wscript.Echo objUser.FullName & "," & objUser.Name _ & "," & CStr(blnGroup1) & "," & CStr(blnGroup2) _ & "," & CStr(blnGroup2) & "," & CStr(blnGroup4) End If Next =========== In the above I delimited values with commas. The last four values are True or False depending on which groups the user is a member. The output can be redirected to a text file and read into a spreadsheet. This method requires binding to all users, which can be slow if there are many users. -- Richard Mueller Microsoft MVP Scripting and ADSI Hilltop Lab - http://www.rlmueller.net -- "Afsal" <afsal@AVIVA> wrote in message news:3B3375BD-D2D8-41B3-A77D-6523153462EA@microsoft.com... > > > Dear Richard Mueller, > > I have following issue with the script. Since I work in > the NT domain, I dont know how to convert the following lines in your > code: > > strGroup1 = "cn=Sales,ou=West,dc=MyDomain,dc=com" > strGroup2 = "cn=Engr,ou=East,dc=MyDomain,dc=com" > strGroup3 = "cn=Accounting,ou=North,dc=MyDomain,dc=com" > strGroup4 = "cn=IT,ou=South,dc=MyDomain,dc=com" > > MY domain is RAC_MASTER, and one of the user group is DIP_Acorde_Admin. I > also tried using the script in the your site EnumGroup.vbs but ran into > similar problem. > > My issue now to write my NT domain RAC_MASTER, group DIP_Acorde_Admin as > in > the syntax below > "cn=Accounting,ou=North,dc=MyDomain,dc=com" > I tried the following but with no success > cn=DIP_Acorde_Admin, dc=RAC_MASTER >

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email