Haven’t done much scripting lately…..
The script for today is made for Ananth Kumar.
He asked me to make an extension to the “enumerate nested groups script” so that multiple nested groups can be enumerated based on an input file.
I did choose Excel for the input file so that i could reuse previous code.

Follow the next steps to run the script (no admin rights needed):

• find the distinguished names of the nested groups (adsiedit.msc)
• put them in an Excel sheet in the first column ans save the sheet as c:\temp\groups.xls
• open your favorite text editor
• copy and paste the script below into the editor (you can use the icons in the upper rights corner of the code)
• save the script (for example c:\temp\enumeratenestedgroupsfromexcelsheet.vbs)
• open a command prompt
• go to “c:\temp”
• give “cscript enumeratenestedgroupsfromexcelsheet.vbs” (without quotes) and enter

The script:

' Name : enumeratenestedgroupsfromexcelsheet.vbs
' Description : script to enumerate nested Active Directory groups from an Excel sheet
' Author : dirk adamsky - deludi bv
' Version : 1.0
' Date : 04-10-2011

Set objExcel = CreateObject("Excel.Application")
Set objWorkbook = objExcel.Workbooks.Open("C:\temp\groups.xls")
intRow = 2
Do Until objExcel.Cells(intRow,1).Value = ""
strGroupDN = objExcel.Cells(intRow, 1).Value
If strGroupDN <> "" Then
wscript.echo strGroupDN
EnumNestedgroup "LDAP://" & strGroupDN
End If
intRow = intRow + 1
Loop
objExcel.Quit
Set objWorkbook = Nothing
Set objExcel = Nothing

Function EnumNestedgroup(strGroupDN)
Set objGroup = GetObject(strGroupDN)
For Each objMember in objGroup.Members
If (LCase(objMember.Class) = "group") Then
EnumNestedgroup objMember.AdsPath
Else
Wscript.Echo objGroup.cn & " ; " & objMember.DisplayName & " ; " & objMember.Mail
End If
Next
Set objGroup = Nothing
End Function

When you have a modified version or problems/questions that you want to share please post it at the comments below.

Happy scripting.

Dirk Adamsky

Today’s script is made for Tyrone.

His question was a script that enumerates all groups and their members from a given OU.
I already had a script that enumerates the members of an OU.
I also had a script that enumerates the members of a nested group (uses recursion).
The 2 scripts combined are the solution for Tyrone.

Follow the next steps to run the script (no admin rights needed):

* open your favorite text editor
* copy and paste the script into the editor
* change the OU distinguished name (in line 7) into your OU distinguished name
* save the script (for example c:\temp\EnumerateGroupsInOu.vbs)
* open a command prompt
* go to “c:\temp”
* give “cscript EnumerateGroupsInOu.vbs” (without quotes) and enter

You can also dump the output to a file:

* give “cscript EnumerateGroupsInOu.vbs > EnumerateGroupsInOu.txt” (without quotes) and enter

To get that file into Excel:

* open Excel
* go to Menu=>Open File
* change file type to “all”
* chose EnumerateGroupsInOu.txt
* chose “;” as separator character

The script:

' Name : EnumerateGroupsInOu.vbs
' Description : script to enumerate all groups and their members from a specific Active Directory OU
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 01-06-2011

Set objOU = GetObject("LDAP://OU=test,DC=test,DC=org")
	For Each objMember in objOU
		If (LCase(objMember.Class) = "group") Then
			EnumNestedgroup objMember.AdsPath
		End If
	Next
Set objOU = Nothing

Function EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject(strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			wscript.echo objMember.AdsPath
			EnumNestedgroup objMember.AdsPath
		Else
			Wscript.Echo objGroup.Name & " ; " & objMember.DisplayName & " ; " & objMember.Mail &_
			" ; " & objMember.Department &  " ; " &	objMember.Company & " ;  " & objMember.Title
		End If
	Next
	Set objGroup = Nothing
End Function

When you have problems/questions with the script please post a reply.

Happy scripting.

Best regards,

Dirk Adamsky

Suffering from a lack of inspiration I decided to rework a previous script.
I had a request on my previous messagerestriction script.
Added to the script is the option to enter the smtp address of
the user or group object for which the messagerestrictions are set.
I have done that by re-using code from this script.
Another question was the option to output to a file,
this can be done easily by running the script like this:

cscript enumeratesendtorights.vbs > thefilenameofyourchoice.txt.

Follow the next steps to run the script (no admin rights needed):

* find the distinguished name of the nested group (adsiedit.msc)
* open your favorite text editor
* copy and paste the script into the editor
* change the distinguished name
* save the script (for example c:tempenumeratesendtorights.vbs)
* open a command prompt
* go to “c:temp”
* give “cscript enumeratesendtorights.vbs” (without quotes) and enter

The script:

' Name : enumeratesendtorights.vbs
' Description : script to enumerate the message restrictions (send to rights) of a distributionlist
' Author : dirk adamsky - deludi bv
' Version : 2.00 added smtp input option based on input from M (see comments on previous script)
' Date : 20-08-2010 (v.1.00 date 08-02-2010)
' Level: advanced

strObject = InputBox("Please enter the smtp address")
Set objSource = GetObject("LDAP://" & GetDN(strObject))
If TypeName(objSource.authOrig) = "String" Then
	GetSendToRights ("LDAP://" & objSource.authOrig)
Else
	For Each User In objSource.authOrig
		GetSendToRights ("LDAP://" & User)
	Next
End If
If TypeName(objSource.dLMemSubmitPerms) = "String" Then
	EnumNestedgroup objSource.dLMemSubmitPerms
Else
	For Each Group in objSource.dLMemSubmitPerms
		EnumNestedgroup Group
	Next
End If
Set objSource = Nothing

Function GetDN(strMail)
	Set adoCommand = CreateObject("ADODB.Command")
	Set adoConnection = CreateObject("ADODB.Connection")
	adoConnection.Provider = "ADsDSOObject"
	adoConnection.Open "Active Directory Provider"
	adoCommand.ActiveConnection = adoConnection
	Set objRootDSE = GetObject("LDAP://RootDSE")
	strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"

	' Filter on user objects.
	strFilter = "(mail=" &  strMail & ")"

	' Comma delimited list of attribute values to retrieve.
	strAttributes = "distinguishedName"

	' Construct the LDAP syntax query.
	strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
	adoCommand.CommandText = strQuery
	adoCommand.Properties("Page Size") = 100
	adoCommand.Properties("Timeout") = 30
	adoCommand.Properties("Cache Results") = False
	Set adoRecordset = adoCommand.Execute
	wscript.echo adoRecordset.Fields("distinguishedName").Value
	GetDN = adoRecordset.Fields("distinguishedName").Value
	adoRecordset.Close
	adoConnection.Close

	Set adoRecordset = Nothing
	Set objRootDSE = Nothing
	Set adoConnection = Nothing
	Set adoCommand = Nothing

End Function

Function GetSendToRights(strUserDN)
	On Error Resume Next
	Set objAccount = GetObject(strUserDN)
	Wscript.Echo objAccount.Mail & " ; " & objAccount.DisplayName & " ; direct send to rights"
	Set objSecurityDescriptor = objAccount.Get("ntSecurityDescriptor")
	Set objDacl = objSecurityDescriptor.DiscretionaryAcl
	Set objAce = CreateObject("AccessControlEntry")
	For Each objAce In objDacl
		If objAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
			If (Left(objAce.Trustee,3) <> "S-1" And objAce.Trustee <> "NT AUTHORITYSELF") Then
				GetUserDetails Mid(objAce.Trustee,9)
			End If
		End If
	Next
End Function

Function GetUserDetails(strPreW2K)
	Set adoCommand = CreateObject("ADODB.Command")
	Set adoConnection = CreateObject("ADODB.Connection")
	adoConnection.Provider = "ADsDSOObject"
	adoConnection.Open "Active Directory Provider"
	adoCommand.ActiveConnection = adoConnection

	' Search entire Active Directory domain.
	Set objRootDSE = GetObject("LDAP://RootDSE")
	strDNSDomain = objRootDSE.Get("defaultNamingContext")
	strBase = "<LDAP://" & strDNSDomain & ">"

	' Filter on user objects.
	strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" &  strPreW2K & "))"

	' Comma delimited list of attribute values to retrieve.
	strAttributes = "mail, displayname"

	' Construct the LDAP syntax query.
	strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
	adoCommand.CommandText = strQuery
	adoCommand.Properties("Page Size") = 100
	adoCommand.Properties("Timeout") = 30
	adoCommand.Properties("Cache Results") = False

	' Run the query.
	Set adoRecordset = adoCommand.Execute
	Wscript.Echo adoRecordset.Fields("mail").Value & " ; " & adoRecordset.Fields("displayname").Value & " ; indirect send to rights"
	' Clean up.
	adoRecordset.Close
	adoConnection.Close

	Set adoRecordset = Nothing
	Set objRootDSE = Nothing
	Set adoConnection = Nothing
	Set adoCommand = Nothing
End Function	

Sub EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject("LDAP://" & strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			Call EnumNestedgroup(objMember.AdsPath)
		Else
			GetSendToRights objMember.AdsPath
		End If
	Next
	Set objGroup = Nothing
End Sub

When you have problems/questions with the script please post a reply.

Happy scripting.

Best regards,

Dirk Adamsky

The next script for today enumerates all hidden distribution groups.
This is done by an ADO query with a filter on groups, msExchHideFromAddressLists and mail property.

Follow the next steps to run the script (no admin rights needed):

• copy and paste the script in your favorite text editor
• save the script (for example c:temphidden-distribution-groups.vbs)
• open a command prompt
• go to “c:temp”
• give “cscript hidden-distribution-groups.vbs” (without quotes) and enter

The script:

' Name : hidden-distribution-groups.vbs
' Description : script to enumerate all distribution groups that are hidden in the Global Address List
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 15-07-2010
' Level: intermediate

Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
strFilter = "(&(objectCategory=group)(msExchHideFromAddressLists=TRUE)(mail=*))"
strAttributes = "displayname, mail, msExchHideFromAddressLists"

strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

Set objRecordset = adoCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
	Wscript.Echo objRecordSet.Fields("displayname").Value & " ; " & objRecordSet.Fields("mail").Value
	objRecordSet.MoveNext
Loop

Set objRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing

When you have problems/questions please post a reply or give a ‘star’ rating.

Happy scripting.

Best regards,

Dirk Adamsky – Deludi BV