Map out Nested Groups


I am working in a 2008 AD environment. I have been asked to map out all the groups we have, both security & distribution, and show memberships of other groups. At this time, I'm not concerned with the users in the groups, only the groups that are members of other groups and how it all ties together. Essentially, I want a series of trees, or circles in some cases, showing groups and their parent & child groups. Is there a utility out there for this? I found MS has released an AD Topology Mapper for OUs, trusted domains, etc. If it could find groups, it would be perfect. Thanks in advance for any assistance.

This VBScript program might help you. It uses ADO to retrieve all groups and their memberships. The groups are first read into a dictionary object, then the recordset is read again to save the members that are groups. All groups, and the direct members that are groups, are output:

Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, arrstrMembers, strMember
Dim objGroupMembers, strGroupList
Dim arrstrGroups, strGroup, strGroupMember

' Setup dictionary object of group memberships.
' The key value is the group distinguished name.
' The item value is an array of the members of the group
' that are themselves groups. Groups that have no
' group members have an empty array.
Set objGroupMembers = CreateObject("Scripting.Dictionary")
objGroupMembers.CompareMode = vbTextCompare

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on group objects.
strFilter = "(objectCategory=group)"

' Comma delimited list of attribute values to retrieve.
' The member attribute of group objects is a multi-valued attribute.
strAttributes = "distinguishedName,member"

' Construct the ADO query, using LDAP syntax.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset and populate the dictionary object
' with the distinguished names of all groups in the domain.
' The item value starts out as an empty array.
Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    objGroupMembers(strDN) = Array("")
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Reopen the recordset so it can be read again.
adoRecordset.Open

' Enumerate the recordset again and populate the dictionary object
' with the group memberships.
Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    arrstrMembers = adoRecordset.Fields("member").Value
    ' Check if the group has any members.
    If Not IsNull(arrstrMembers) Then
        ' The group has at least one member.
        If (TypeName(arrstrMembers) = "String") Then
            ' The group has one member. Check if the member is a group.
            If objGroupMembers.Exists(arrstrMembers) Then
                ' The member is a group. Convert to an array (one element)
                ' and update the dictionary object of group memberships.
                ' Any semicolon in the DN is escaped so it survives Split.
                arrstrMembers = Replace(arrstrMembers, ";", "^^#")
                objGroupMembers(strDN) = Array(arrstrMembers)
            End If
        Else
            ' The group has more than one member.
            ' Create a semicolon delimited list of the members that are groups.
            strGroupList = ""
            For Each strMember In arrstrMembers
                ' Check if the member is a group. If so, add it to the
                ' semicolon delimited list of group members.
                If objGroupMembers.Exists(strMember) Then
                    strMember = Replace(strMember, ";", "^^#")
                    If (strGroupList = "") Then
                        strGroupList = strMember
                    Else
                        strGroupList = strGroupList & ";" & strMember
                    End If
                End If
            Next
            ' If the list is not blank, convert it to an array and
            ' update the dictionary object of group memberships.
            If (strGroupList <> "") Then
                objGroupMembers(strDN) = Split(strGroupList, ";")
            End If
        End If
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Enumerate all groups.
arrstrGroups = objGroupMembers.Keys
For Each strGroup In arrstrGroups
    Wscript.Echo "Group: " & strGroup
    ' Document the group membership of each group.
    For Each strGroupMember In objGroupMembers(strGroup)
        If (strGroupMember <> "") Then
            ' Restore any escaped semicolons in the member DN before output.
            Wscript.Echo "  Group Member: " & Replace(strGroupMember, "^^#", ";")
        End If
    Next
Next

' Clean up.
adoConnection.Close

 

This is based on a program to find instances of circular nested groups, linked here:

http://www.rlmueller.net/circularnested.htm

Richard Mueller


MVP ADSI
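As an added example (not part of Richard's post or of his script), here is the same dictionary approach in Python over a constructed set of group records, taken a step further than the script above: it renders each nesting tree from the top-level groups down and also reports circular nesting, the case the linked program was written to find. The group and user DNs are made up, and the records stand in for what the LDAP query (objectCategory=group, attributes distinguishedName and member) would return.

```python
"""Map nested AD group membership from (distinguishedName, member) records.

Added example for this thread, not Richard Mueller's script. The records in
SAMPLE_GROUPS are constructed stand-ins for the LDAP query results.
"""

# Constructed sample: group DN -> member DNs (users and groups mixed),
# as the multi-valued member attribute returns them.
SAMPLE_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=example,DC=com": [
        "CN=Tier0 Ops,OU=Groups,DC=example,DC=com",
        "CN=Administrator,CN=Users,DC=example,DC=com",
    ],
    "CN=Tier0 Ops,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Staff,DC=example,DC=com",
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=Bob,OU=Staff,DC=example,DC=com",
        # Deliberately circular: Helpdesk -> Tier0 Ops -> Helpdesk.
        "CN=Tier0 Ops,OU=Groups,DC=example,DC=com",
    ],
    "CN=Sales DL,OU=Groups,DC=example,DC=com": [],
}


def group_children(groups):
    """Same trick as the VBScript: a member is a group iff its DN is a key."""
    return {dn: [m for m in members if m in groups] for dn, members in groups.items()}


def find_roots(children):
    """Groups that are not nested inside any other group (the tree roots)."""
    nested = {child for kids in children.values() for child in kids}
    return [dn for dn in children if dn not in nested]


def render_tree(children, root, depth=0, path=()):
    """Indented tree below root; a group already on the path marks a cycle."""
    indent = "  " * depth
    if root in path:
        return [f"{indent}{root}  <-- circular nesting"]
    lines = [f"{indent}{root}"]
    for child in children[root]:
        lines.extend(render_tree(children, child, depth + 1, path + (root,)))
    return lines


def find_cycles(children):
    """Every distinct loop of groups that nest back into themselves."""
    cycles = set()

    def walk(node, path):
        if node in path:
            loop = path[path.index(node):]
            start = loop.index(min(loop))  # canonical rotation, one report per loop
            cycles.add(tuple(loop[start:] + loop[:start]))
            return
        for child in children[node]:
            walk(child, path + [node])

    for dn in children:
        walk(dn, [])
    return sorted(cycles)


def build_report(groups):
    """Trees for every root group, then a line per circular nesting found."""
    children = group_children(groups)
    lines = []
    for root in find_roots(children):
        lines.extend(render_tree(children, root))
        lines.append("")
    for loop in find_cycles(children):
        lines.append("Circular nesting: " + " -> ".join(loop + (loop[0],)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_GROUPS))
```

The cycle list matters beyond the trees: a loop of groups that no top-level group points into has no root and would never appear in the tree output, so report it separately. To run this against a live domain, replace SAMPLE_GROUPS with the query results the script above collects.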

