
How to tell which users are NOT in a group?

May 24, 2006
I apologize if I'm missing something obvious, but is there a way to tell which users in Active Directory are *NOT* in a specific group?

For example, we may wish to create a group called "Holiday" and we'd like to make sure we've got all the right users in that group, and be able to tell if we missed anybody.

Thanks...
 
If you open the Group, you'll see all the members of that group.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Thanks, Davetoo... but note that my question is:

How can I determine which Active Directory members are *NOT* part of a group...
 
Process of elimination...if they're *NOT* in the group, then they're *NOT* part of the group.

How many users do you have?

 
Dave is correct - if you look at the group, there is a members tab. Anyone NOT listed on the members tab is NOT a group member.

Good luck,
 
Thanks for the replies... I'm really appreciative of the time people put in here to answer questions, but please allow me to clarify my question.

Let's say I have 400 users in Active Directory. I want to create an email distribution list of certain people (201) in our Division that I'd like to send a party invitation to.

I *think* I've got everybody in this new distribution list, but I'm not really sure.

I currently have two ways to look at the list:

1. Look at the group and see who's in the list. Ok, but that doesn't remind me of names I might have forgotten about.

2. I can look at the entire AD and review all the names, and when I see one that should be in the list, I can then either open up that user and see if they're in that group, or review the list of that group's members and see if they're already in there. Cumbersome.

It would be much easier to generate a list of who's NOT in the group yet to see if they need to be added.

It's kind of like a SQL SELECT statement that says: SELECT ALL USERS FROM AD NOT IN (SELECT ALL FROM DISTRIBUTION LIST)

Wouldn't want to forget to invite anybody to the party, would we?
 
Then you need to make your list, and check it twice.

 
Kyuk, kyuk... good answer. Still checking for a utility to help with this.
 
You're searching for a utility for a one time event that you could have already finished by now...seems pointless really.

You have a list of users in your group and you have a list that you want to invite to a party.

Compare the two lists, adjust as necessary.

I'm out of this one. If you're not willing to do a little work to complete a project instead of working so hard to not have to work, well...you get my point.

 
Excuse me, friends... but I can think of unlimited examples of when this functionality would be useful... not just for this one example.

Thanks anyway.
 
Have you tried creating a file that lists the users you want to compare to an extract created using csvde/ldifde (bear in mind that the file formats should be the same), or outputting dsquery to a text file?
From there you can use the comp command to compare the two files.
 
Unless you're good with LDAP and programming, you're going to have to do some manual work here. Sorry. I have never heard of any tool that will look at all the users in AD and all the users that are members of a group, and then compare them.

Perhaps there's an LDAP or programming forum you could re-post your question to???

Good luck,
 
This is rather simple with VBScript.

1. Read the members of the group into a dictionary object.
2. Read your list of desired users into an array.
3. Then check if the dictionary key exists or not.

Simple stuff.

Code:
'==========================================================================
'
' NAME: CheckGroupmembersAgainstList.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 12/9/2007
' COPYRIGHT (c) 2007 All Rights Reserved
'
' COMMENT: 
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'==========================================================================
Dim oDic, oFSO, oTextStream, objGroup, desiredGroupList, wantedUser, userDN
Const ADS_PROPERTY_APPEND = 3
Set oDic = CreateObject("Scripting.Dictionary")
Set oFSO = CreateObject("Scripting.FileSystemObject")

'Bind to the group
Set objGroup = GetObject("LDAP://CN=TSPAdmins,OU=TSP Users,DC=thespidersparlor,DC=local")
'Enumerate members into a dictionary object
For Each member In objGroup.Members
	oDic.Add member.samAccountName, "member"
	WScript.Echo member.samAccountName
Next

'Open the text file containing the list of desired users
Set oTextStream = oFSO.OpenTextFile("userlist.txt")

'make an array from the data file
desiredGroupList = Split(oTextStream.ReadAll, vbNewLine)
'close the data file
oTextStream.Close
For Each wantedUser In desiredGroupList
	'Check if the user is in the group or not
	If oDic.Exists(wantedUser) Then
		WScript.Echo "Member found " & wantedUser
	Else
		'not a member so add them
		WScript.Echo "Not a member, joining " & wantedUser & " to group."
		userDN = GetUserDN(wantedUser)
		objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(userDN)
		objGroup.SetInfo
	End If
Next

Public Function GetUserDN(ByVal vSAN)
		'This function courtesy of K0b3 and FAQ faq329-5688
	    Dim oRootDSE, oConnection, oCommand, oRecordSet
	    Set oRootDSE = GetObject("LDAP://rootDSE")
	    Set oConnection = CreateObject("ADODB.Connection")
	    oConnection.Open "Provider=ADsDSOObject;"
	    Set oCommand = CreateObject("ADODB.Command")
	    oCommand.ActiveConnection = oConnection
	    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
	        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
	    Set oRecordSet = oCommand.Execute
	    On Error Resume Next
	    SearchDistinguishedName = oRecordSet.Fields("DistinguishedName")
	    On Error GoTo 0
	    oConnection.Close
	    Set oRecordSet = Nothing
	    Set oCommand = Nothing
	    Set oConnection = Nothing
	    Set oRootDSE = Nothing
End Function

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
A correction to the above code, I had changed the function name after testing and neglected to change it everywhere.

The following version also includes error checking.

Code:
'==========================================================================
'
' NAME: CheckGroupmembersAgainstList.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 12/9/2007
' COPYRIGHT (c) 2007 All Rights Reserved
'
' COMMENT: This script and many more can be found in 
'          The Admin Script Pack by The Spider's Parlor
'          Work smarter, not harder!
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'==========================================================================
On Error Resume Next
Dim oShell,oDic, oFSO, oTextStream, objGroup, desiredGroupList, wantedUser, userDN
Const ADS_PROPERTY_APPEND = 3
Set oDic = CreateObject("Scripting.Dictionary")
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("Wscript.Shell")

forceUseCScript

Sub forceUseCScript()
   If Not WScript.FullName = WScript.Path & "\cscript.exe" Then
      oShell.Popup "Launched using wscript. Relaunching...",3,"WSCRIPT"
      oShell.Run "cmd.exe /k " & WScript.Path & "\cscript.exe //NOLOGO " & Chr(34) & WScript.scriptFullName & Chr(34),1,False
      WScript.Quit 0
   End If
End Sub 

'Bind to the group
Set objGroup = GetObject("LDAP://CN=TSPAdmins,OU=TSP Users,DC=thespidersparlor,DC=local")
'Enumerate members into a dictionary object
For Each member In objGroup.Members
	oDic.Add member.samAccountName, "member"
Next

'Open the text file containing the list of desired users
Set oTextStream = oFSO.OpenTextFile("userlist.txt")

'make an array from the data file
desiredGroupList = Split(oTextStream.ReadAll, vbNewLine)
'close the data file
oTextStream.Close
For Each wantedUser In desiredGroupList
	'Skip blank lines in the data file
	If Len(wantedUser) > 0 Then
		'Check if the user is in the group or not
		If oDic.Exists(wantedUser) Then
			WScript.Echo "Member found " & wantedUser
		Else
			'not a member so add them
			WScript.Echo "Not a member, joining " & wantedUser & " to group."
			userDN = GetUserDN(wantedUser)
			
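			'Only add when a DN was actually returned; an empty result means the lookup failed
			If Err.Number = 0 And Len(userDN) > 0 Then 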
				objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(userDN)
				objGroup.SetInfo
			End If
			Err.Clear
		End If
	End If
Next

Public Function GetUserDN(ByVal vSAN)
		'This function courtesy of K0b3 and FAQ faq329-5688
	    Dim oRootDSE, oConnection, oCommand, oRecordSet
	    Set oRootDSE = GetObject("LDAP://rootDSE")
	    Set oConnection = CreateObject("ADODB.Connection")
	    oConnection.Open "Provider=ADsDSOObject;"
	    Set oCommand = CreateObject("ADODB.Command")
	    oCommand.ActiveConnection = oConnection
	    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
	        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
	    Set oRecordSet = oCommand.Execute
	    On Error Resume Next
	    GetUserDN = oRecordSet.Fields("DistinguishedName")
	    On Error GoTo 0
	    oConnection.Close
	    Set oRecordSet = Nothing
	    Set oCommand = Nothing
	    Set oConnection = Nothing
	    Set oRootDSE = Nothing
End Function

I hope you find this post helpful.

Regards,

Mark

 
Awesome stuff Mark. I think I'm up to about 75 markdmac special scripts! Even if I tweak it for my use, I always keep your name on them. I need to make sure I give credit where credit is due!
 
Thanks TFG. You should consider my Admin Pack, you'd have a lifetime of free updates. :)

I hope you find this post helpful.

Regards,

Mark

 
Thanks, Mark... Will take a stab at this. I appreciate the positive response.
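
What the original question asks for (every user who is NOT in a given group) can be expressed as a single LDAP search, shown here in PowerShell as an added example that is not part of any post in the thread. It assumes the ActiveDirectory module is installed; the function names `ConvertTo-LdapFilterValue` and `Get-ADUserNotInGroup` and the output file name are made up for illustration, and `Holiday` is the group name from the question.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, backslash first, so a DN such as "CN=Smith\, Jo (IT)"
    # is matched literally instead of changing the shape of the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ADUserNotInGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # sAMAccountName of the group
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $group = Get-ADGroup -Identity $GroupName
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName

    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also counts membership
    # inherited through nested groups; a plain (memberOf=...) test sees direct members only.
    # 1.2.840.113556.1.4.803 is a bitwise AND; userAccountControl bit 2 marks a disabled account.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              "(!(memberOf:1.2.840.113556.1.4.1941:=$dn)))"

    # memberOf never lists a user's primary group, so users whose primaryGroupID
    # equals the group's RID are members too and are filtered out here.
    $rid = [int](($group.SID.Value -split '-')[-1])

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -ne $rid } |
        Sort-Object SamAccountName |
        Select-Object SamAccountName, Name, DistinguishedName
}

# 'Holiday' is the group name used in the question.
Get-ADUserNotInGroup -GroupName 'Holiday' |
    Export-Csv -Path .\not-in-Holiday.csv -NoTypeInformation
```

Pass `-SearchBase` with an OU's distinguished name to limit the review to one division rather than the whole domain.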
 