Active Directory question

Status
Not open for further replies.

tseeney

Technical User
Mar 31, 2006
6
US
I hope someone can help me with this. Does anyone know of a way to print a report of all the users in an Active Directory container WITH their group privileges?

Preferably into some sort of spreadsheet format?

Server is 2003...client is XP running AD.

Thanks for any input

Tim
 
How about using csvde? From a command prompt on your DC, issue the following command:

csvde -f c:\export.csv -r "(objectClass=user)" -d "ou=<OU>,dc=<DOMAIN>" -p OneLevel -l memberOf

You'll need to enter your full DN (i.e., replace <ou> with every level OU and <domain> with every level DOMAIN).

You'll be able to open this file with Excel and view the memberOf column. Not the prettiest layout, but you'll have it in a spreadsheet.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
print a report of all the users in an Active Directory container WITH their group privileges?

Are you looking for a list of group members or a listing of what permissions a particular group has?

Getting a list of groups and their members is easy enough. But you won't be able to list what privileges a group has unless you were to enumerate through all objects in the environment and check permissions.

Code:
'==========================================================================
'
' NAME: GetGroupMembers.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 3/23/2005
'
' COMMENT: Dumps group members to text file.
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'==========================================================================

Dim sResultText,Grps,MemberList
Dim oRootDSE, oConnection, oCommand, oRecordSet
Set oRootDSE = GetObject("LDAP://rootDSE")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = oConnection

ldstring = "<LDAP://" & oRootDSE.get("defaultNamingContext") & ">;" 

objCommand.CommandText=ldstring & "(objectClass=group);name,SamAccountName"

Set oRecordSet = objCommand.Execute()
Do While Not oRecordSet.EOF
	sResultText = sResultText & oRecordSet.Fields("samAccountName") & vbCrLf
	'WScript.Echo oRecordSet.Fields("samAccountName") & vbCrLf
	MemberList=RetrieveUsers(dom,oRecordSet.Fields("samAccountName"))
	'WScript.Echo Memberlist
	sResultText = sResultText & memberlist & vbCrLf & "************************************" & vbCrLf
	
	oRecordSet.MoveNext
Loop
'Wscript.Echo sResultText


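Set fso = CreateObject("Scripting.FileSystemObject")
' dom was filled in by RetrieveUsers (arguments are passed ByRef), so the
' file name starts with the DC host name.
' The second argument of CreateTextFile is an overwrite flag, not an I/O mode
' such as ForWriting; True lets the script be run again over an existing file.
Set ts = fso.CreateTextFile (dom & "DomainGroupUsers.txt", True)
ts.write sResultText
ts.Close
MsgBox "Done"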


'*****************************************************************************************
'*****************************************************************************************
Function RetrieveUsers(domainName,grpName)

dim dom
dim grp
dim GrpObj
dim mbrlist
dim mbr

'-------------------------------------------------------------------------------
' *** Enumerate Group Members ***
'-------------------------------------------------------------------------------

grp = grpName
Set objDomain = getObject("LDAP://rootDse")
domainName = objDomain.Get("dnsHostName")
' Build the ADSI query and retrieve the group object
Set GrpObj = GetObject("WinNT://" & domainName & "/" & grp & ",group")

' Loop through the group membership and build a string containing the names
for each mbr in GrpObj.Members
   On error resume next
   Err.Clear   ' reset so an error on one member does not carry over to the next
   mbremail = SearchEmail(mbr.name)  
   If Err Then
	   mbrlist = mbrlist & vbTab & mbr.name & vbCrLf
   Else
   'if you don't want the email addresses, then copy the line 2 up to below
   '& (not +) so a member whose mail value is Null still gets its line break
	   mbrlist = mbrlist & vbTab & mbr.name & vbTab & vbTab & mbremail & vbCrLf
   End If
Next

'The next line returns mbrlist back up to the main body
RetrieveUsers=mbrlist

End Function

Public Function SearchEmail(ByVal vSAN)
    ' Function:     SearchEmail
    ' Description:  Looks up the mail attribute for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The mail attribute (e-mail address) of the account
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
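    ' Escape LDAP filter metacharacters (\ * ( )) so an unusual account name
    ' cannot change the meaning of the search filter
    vSAN = Replace(Replace(Replace(Replace(vSAN, "\", "\5c"), "*", "\2a"), "(", "\28"), ")", "\29")
    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));mail;subtree"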
    Set oRecordSet = oCommand.Execute
    On Error Resume Next
    SearchEmail = oRecordSet.Fields("mail")
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Hi Mark! What about nested groups membership and recursive function? ;)
 
I have no intention of adding nested groups to the functionality of the script at this time.

You are welcome to modify the code to suit your needs.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
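
Added example, not part of the original thread or any poster's code: a Python post-processor that turns the csvde export suggested above into one spreadsheet row per user and group, and follows nested groups (the case raised in the last exchange) with a guard against circular nesting. It assumes csvde's layout of a DN column plus memberOf with multiple values joined by ';', and a second export run with -r "(objectClass=group)" to obtain the group-in-group links; all sample data and function names are constructed for illustration.

```python
import csv, io, re, sys

# Constructed sample exports (not real data). Assumed csvde layout: a DN column
# plus memberOf, with several group DNs joined by ';' inside one cell.
USERS_CSV = '''DN,memberOf
"CN=Alice Smith,OU=Staff,DC=example,DC=com","CN=Helpdesk,OU=Groups,DC=example,DC=com;CN=VPN Users,OU=Groups,DC=example,DC=com"
"CN=Bob Jones,OU=Staff,DC=example,DC=com","CN=VPN Users,OU=Groups,DC=example,DC=com"
"CN=Carol White,OU=Staff,DC=example,DC=com",
'''
# Assumed second export with -r "(objectClass=group)"; two groups nest in a loop.
GROUPS_CSV = '''DN,memberOf
"CN=Helpdesk,OU=Groups,DC=example,DC=com","CN=Workstation Admins,OU=Groups,DC=example,DC=com"
"CN=Workstation Admins,OU=Groups,DC=example,DC=com","CN=Helpdesk,OU=Groups,DC=example,DC=com"
"CN=VPN Users,OU=Groups,DC=example,DC=com",
'''

def split_dns(cell):
    """Split a multi-valued cell on ';', leaving an escaped '\\;' inside a DN."""
    return re.findall(r"(?:\\.|[^;\\])+", cell)

def load_member_of(text):
    """Map each exported DN to its list of direct group DNs."""
    return {row["DN"]: split_dns(row["memberOf"] or "")
            for row in csv.DictReader(io.StringIO(text))}

def cn(dn):
    """Value of the leading CN= component, used as the display name."""
    m = re.match(r"(?i)cn=((?:\\.|[^,])*)", dn)
    return m.group(1) if m else dn

def report(users_csv, groups_csv):
    """Rows of (user, group, direct|nested|none), following nested groups."""
    # DNs compare case-insensitively, so index group nesting by lower-cased DN.
    nesting = {dn.lower(): gs for dn, gs in load_member_of(groups_csv).items()}
    rows = []
    for user_dn, direct in load_member_of(users_csv).items():
        direct_keys = {g.lower() for g in direct}
        found, stack = {}, list(direct)
        while stack:
            g = stack.pop()
            if g.lower() not in found:    # skip repeats; also ends nesting loops
                found[g.lower()] = g
                stack.extend(nesting.get(g.lower(), []))
        rows += [(cn(user_dn), cn(g), "direct" if k in direct_keys else "nested")
                 for k, g in sorted(found.items())] or [(cn(user_dn), "", "none")]
    return rows

if __name__ == "__main__":
    header = [("User", "Group", "Membership")]
    csv.writer(sys.stdout).writerows(header + report(USERS_CSV, GROUPS_CSV))
```

memberOf does not list an account's primary group (normally Domain Users), so that group will not appear in either export or in this report.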
 