Map out Nested Groups
I am working in a 2008 AD environment. I have been asked to map out the groups we have, both security & distribution, and show which are members of other groups. At this time, I'm not concerned w/the users in the groups, just the groups that are members of other groups and how it all ties together. Essentially, I want a series of trees, or circles in some cases, showing the groups and their parent & child groups. Is there a utility out there that does this? I found MS has released an AD Topology Mapper that maps OUs, trusted domains, etc. If it would find groups, that would be perfect. Thanks in advance for any assistance.
This VBScript program might help you. It uses ADO to retrieve all groups and their memberships. The groups are first read into a dictionary object, then the recordset is read again to save the members that are groups. All groups, and the direct members that are groups, are output:
```vbscript
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, arrstrMembers, strMember
Dim objGroupMembers, strGroupList
Dim arrstrGroups, strGroup, strGroupMember

' Set up dictionary object of group memberships.
' Key value is the group Distinguished Name.
' Item value is an array of the members of the group,
' where the members are groups. Groups that do not have
' group members have an empty array.
Set objGroupMembers = CreateObject("Scripting.Dictionary")
objGroupMembers.CompareMode = vbTextCompare

' Determine DNS domain name.
' The "LDAP:" moniker is case sensitive.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on group objects.
strFilter = "(objectCategory=group)"

' Comma delimited list of attribute values to retrieve.
' The member attribute of group objects is a multi-valued attribute.
strAttributes = "distinguishedName,member"

' Construct the ADO query, using LDAP syntax.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset and populate the dictionary object
' with the distinguished names of all groups in the domain.
' The item value starts out as an empty array.
Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    objGroupMembers(strDN) = Array("")
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Reopen the recordset so it can be read again.
adoRecordset.Open

' Enumerate the recordset and populate the dictionary object
' with the group memberships.
Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    arrstrMembers = adoRecordset.Fields("member").Value
    ' Check if the group has any members.
    If Not IsNull(arrstrMembers) Then
        ' The group has at least 1 member.
        If (TypeName(arrstrMembers) = "String") Then
            ' The group has 1 member. Check if the member is a group.
            If objGroupMembers.Exists(arrstrMembers) Then
                ' The member is a group. Convert to an array (one element)
                ' and update the dictionary object of group memberships.
                arrstrMembers = Replace(arrstrMembers, ";", "^^#")
                objGroupMembers(strDN) = Array(arrstrMembers)
            End If
        Else
            ' The group has more than 1 member.
            ' Create a semicolon delimited list of group members.
            strGroupList = ""
            For Each strMember In arrstrMembers
                ' Check if the member is a group. If so, add it to the
                ' semicolon delimited list of group members.
                If objGroupMembers.Exists(strMember) Then
                    strMember = Replace(strMember, ";", "^^#")
                    If (strGroupList = "") Then
                        strGroupList = strMember
                    Else
                        strGroupList = strGroupList & ";" & strMember
                    End If
                End If
            Next
            ' If the list is not blank, convert it to an array and
            ' update the dictionary object of group memberships.
            If (strGroupList <> "") Then
                objGroupMembers(strDN) = Split(strGroupList, ";")
            End If
        End If
    End If
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Enumerate all groups.
arrstrGroups = objGroupMembers.Keys
For Each strGroup In arrstrGroups
    Wscript.Echo "Group: " & strGroup
    ' Document the group membership of each group.
    For Each strGroupMember In objGroupMembers(strGroup)
        If (strGroupMember <> "") Then
            ' Restore any semicolons that were escaped as "^^#" above.
            Wscript.Echo "   Group Member: " & Replace(strGroupMember, "^^#", ";")
        End If
    Next
Next

' Clean up.
adoConnection.Close
```
This is based on a program to find instances of circular nested groups, linked here:
http://www.rlmueller.net/circularnested.htm
Richard Mueller
MVP ADSI
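The script above prints each group followed by its direct group members; the trees and circles asked for in the question can be built from that text. The following is an added example, not part of the original answer or of Richard Mueller's code: Python that parses the `Group:` / `Group Member:` lines and renders an indented tree per top-level group, marking circular nesting instead of following it. The function names are hypothetical and the sample DNs are constructed.

```python
import re

# Constructed sample in the script's output format (not real directory data).
SAMPLE = """\
Group: CN=Admins,DC=example,DC=com
   Group Member: CN=Helpdesk,DC=example,DC=com
Group: CN=Helpdesk,DC=example,DC=com
   Group Member: CN=Tier1,DC=example,DC=com
Group: CN=Tier1,DC=example,DC=com
Group: CN=LoopA,DC=example,DC=com
   Group Member: CN=LoopB,DC=example,DC=com
Group: CN=LoopB,DC=example,DC=com
   Group Member: CN=LoopA,DC=example,DC=com
"""
# Matches both line kinds, ignoring case and indentation.
LINE = re.compile(r"^\s*group( member)?:\s*(.+?)\s*$", re.IGNORECASE)

def parse_report(text):
    """Return {group DN: [member-group DNs]} from the script's echo output."""
    members, current = {}, None
    for m in filter(None, map(LINE.match, text.splitlines())):
        dn = m.group(2).replace("^^#", ";")   # undo the script's ';' escaping
        if m.group(1) is None:                # "Group:" starts a new parent
            current = dn
            members.setdefault(current, [])   # keep groups with no members too
        elif current is not None:             # "Group Member:" under that parent
            members[current].append(dn)
    return members

def render_forest(members):
    """Indented trees, one per top-level group; loops are marked, not followed."""
    key = str.lower                           # DNs compare case-insensitively
    children = {key(g): kids for g, kids in members.items()}
    nested = {key(k) for kids in members.values() for k in kids}
    out, seen = [], set()

    def walk(dn, path):
        loop = key(dn) in path                # already an ancestor on this branch
        out.append("  " * len(path) + dn + ("  [CIRCULAR]" if loop else ""))
        if not loop:
            seen.add(key(dn))
            for kid in sorted(children.get(key(dn), []), key=key):
                walk(kid, path + [key(dn)])

    ordered = sorted(members, key=key)
    # Roots (nested in nothing) first; whatever is left sits only inside loops.
    for g in [r for r in ordered if key(r) not in nested] + ordered:
        if key(g) not in seen:
            walk(g, [])
    return out
```

Save the script's output with `cscript //nologo` redirected to a file, then pass the file contents to `parse_report` and print the lines returned by `render_forest`.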