1

VBscript: VBscript to enumerate all groups and their members from a specific Active Directory OU

Posted June 1st, 2011 in groups by dirk adamsky

Today’s script is made for Tyrone.

His question was a script that enumerates all groups and their members from a given OU.
I already had a script that enumerates the members of an OU.
I also had a script that enumerates the members of a nested group (uses recursion).
The 2 scripts combined are the solution for Tyrone.

Follow the next steps to run the script (no admin rights needed):

* open your favorite text editor
* copy and paste the script into the editor
* change the OU distinguished name (in line 7) into your OU distinguished name
* save the script (for example c:\temp\EnumerateGroupsInOu.vbs)
* open a command prompt
* go to “c:\temp”
* give “cscript EnumerateGroupsInOu.vbs” (without quotes) and enter

You can also dump the output to a file:

* give “cscript EnumerateGroupsInOu.vbs > EnumerateGroupsInOu.txt” (without quotes) and enter

To get that file into Excel:

* open Excel
* go to Menu=>Open File
* change file type to “all”
* chose EnumerateGroupsInOu.txt
* chose “;” as separator character

The script:

' Name : EnumerateGroupsInOu.vbs
' Description : script to enumerate all groups and their members from a specific Active Directory OU
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 01-06-2011

Set objOU = GetObject("LDAP://OU=test,DC=test,DC=org")
	For Each objMember in objOU
		If (LCase(objMember.Class) = "group") Then
			EnumNestedgroup objMember.AdsPath
		End If
	Next
Set objOU = Nothing

Function EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject(strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			wscript.echo objMember.AdsPath
			EnumNestedgroup objMember.AdsPath
		Else
			Wscript.Echo objGroup.Name & " ; " & objMember.DisplayName & " ; " & objMember.Mail &_
			" ; " & objMember.Department &  " ; " &	objMember.Company & " ;  " & objMember.Title
		End If
	Next
	Set objGroup = Nothing
End Function

When you have problems/questions with the script please post a reply.

Happy scripting.

Best regards,

Dirk Adamsky

0

Active Directory: VBscript to count the number of users in subgroups of a nested distribution group

Posted March 30th, 2010 in distributiongroups by dirk adamsky

Last friday I got a question from Marten on the number of users that a subgroup contains.
I have made a small mutation of the previous script to achieve this. The output of the script now contains the number of users in each subgroup.

Follow the next steps to run the script (no admin rights needed):

  • open your favorite text editor
  • copy and paste the script into the editor
  • save the script (for example c:tempcountgroupmembershipnestedgroup.vbs)
  • open a command prompt
  • go to “c:temp”
  • give “cscript countgroupmembershipnestedgroup.vbs” (without quotes) and enter

The script:

' Name : countgroupmembershipnestedgroup.vbs
' Description : script to count the number of users in subgroups of a nested distribution group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 30-03-2010
' Level : intermediate

Set objDictionary = CreateObject("Scripting.Dictionary")
strTargetGroupDN = "LDAP://CN=SW (Alle Medewerkers),OU=DistributieGroepen,OU=Groepen,DC=domstad,DC=org"
Call EnumNestedgroup(strTargetGroupDN)

Sub EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject(strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			Call EnumNestedgroup(objMember.AdsPath)
		Else
			If objDictionary.Exists(objGroup.DisplayName) Then
				objDictionary.Item(objGroup.DisplayName) = objDictionary.Item(objGroup.DisplayName) + 1
			Else
				objDictionary.Add objGroup.DisplayName, 1
			End If
		End If
	Next
	Set objGroup = Nothing
End Sub

For Each strKey in objDictionary.Keys
	If objDictionary.Item(strKey) > 1 Then
		Wscript.Echo strKey & " contains ; " & objDictionary.Item(strKey) & " ; users"
	End If
Next

Set objDictionary = Nothing

When you have problems/questions please post a reply.

Happy scripting.

Best regards,

Dirk Adamsky – Deludi BV
[adrotate group="1"]

5

Active Directory: VBscript to enumerate the message restrictions (send to rights) of a distributionlist

Posted February 8th, 2010 in messagerestrictions by dirk adamsky

Finally I can show you my script to enumerate the message restrictions (send to rights as I tend to call then) on a distributionlist. The send to rights consists of 2 pieces, the users and the groups rights.
The users with send to rights are enumerated in the authOrig attribute of the distribution list AD object, the groups are allocated in the dLMemSubmitPerms attribute. Both attributes are arrays.
I also found out that when a listed user or resource mailbox had send as rights on it’s Active Directory object the users listed in the send as also have send to rights on the distribution list.

Follow the next steps to run the script (no admin rights needed):

* find the distinguished name of the nested group (adsiedit.msc)
* open your favorite text editor
* copy and paste the script into the editor
* change the distinguished name
* save the script (for example c:tempenumeratesendtorights.vbs)
* open a command prompt
* go to “c:temp”
* give “cscript enumeratesendtorights.vbs” (without quotes) and enter

The script:

' Name : enumeratesendtorights.vbs
' Description : script to enumerate the message restrictions (send to rights) of a distributionlist
' Author : dirk adamsky - deludi bv
' Version : 1.10 added check on attribute type based on input from Pedro (see comments)
' Date : 11-03-2010 (v.1.00 date 08-02-2010)
' Level: advanced

Set objSourceGroup = GetObject("LDAP://CN=distribution list (all members),OU=groups,DC=test,DC=org")
If objSourceGroup.authOrig <> "" Then
	If TypeName(objSourceGroup.authOrig) = "String" Then
		GetSendToRights ("LDAP://" & objSourceGroup.authOrig)
	Else
		For Each User In objSourceGroup.authOrig
			GetSendToRights ("LDAP://" & User)
		Next
	End If
End If
If objSourceGroup.dLMemSubmitPerms <> "" Then
	If TypeName(objSourceGroup.dLMemSubmitPerms) = "String" Then
		EnumNestedgroup objSourceGroup.dLMemSubmitPerms
	Else
		For Each Group in objSourceGroup.dLMemSubmitPerms
			EnumNestedgroup Group
		Next
	End If
End If
Set objSourceGroup = Nothing

Function GetSendToRights(strUserDN)
	On Error Resume Next
	Set objAccount = GetObject(strUserDN)
	Wscript.Echo objAccount.Mail & " ; " & objAccount.DisplayName & " ; direct send to rights"
	Set objSecurityDescriptor = objAccount.Get("ntSecurityDescriptor")
	Set objDacl = objSecurityDescriptor.DiscretionaryAcl
	Set objAce = CreateObject("AccessControlEntry")
	For Each objAce In objDacl
		If objAce.ObjectType = "{AB721A54-1E2F-11D0-9819-00AA0040529B}" Then
			If (Left(objAce.Trustee,3) <> "S-1" And objAce.Trustee <> "NT AUTHORITYSELF") Then
				GetUserDetails Mid(objAce.Trustee,9)
			End If
		End If
	Next
End Function

Function GetUserDetails(strPreW2K)
	Set adoCommand = CreateObject("ADODB.Command")
	Set adoConnection = CreateObject("ADODB.Connection")
	adoConnection.Provider = "ADsDSOObject"
	adoConnection.Open "Active Directory Provider"
	adoCommand.ActiveConnection = adoConnection

	' Search entire Active Directory domain.
	Set objRootDSE = GetObject("LDAP://RootDSE")
	strDNSDomain = objRootDSE.Get("defaultNamingContext")
	strBase = "<LDAP://" & strDNSDomain & ">"

	' Filter on user objects.
	strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" &  strPreW2K & "))"

	' Comma delimited list of attribute values to retrieve.
	strAttributes = "mail, displayname"

	' Construct the LDAP syntax query.
	strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
	adoCommand.CommandText = strQuery
	adoCommand.Properties("Page Size") = 100
	adoCommand.Properties("Timeout") = 30
	adoCommand.Properties("Cache Results") = False

	' Run the query.
	Set adoRecordset = adoCommand.Execute
	Wscript.Echo adoRecordset.Fields("mail").Value & " ; " & adoRecordset.Fields("displayname").Value & " ; indirect send to rights"
	' Clean up.
	adoRecordset.Close
	adoConnection.Close

	Set adoRecordset = Nothing
	Set objRootDSE = Nothing
	Set adoConnection = Nothing
	Set adoCommand = Nothing
End Function	

Sub EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject("LDAP://" & strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			Call EnumNestedgroup(objMember.AdsPath)
		Else
			GetSendToRights objMember.AdsPath
		End If
	Next
	Set objGroup = Nothing
End Sub

When you have problems/questions with the script please post a reply.

Happy scripting.

Best regards,

Dirk Adamsky

34

Active Directory: VBscript to enumerate the members of nested groups V2

Posted February 8th, 2010 in groups by dirk adamsky

A couple of weeks ago I posted the enumeratenestedgroup script.
Last friday (while working at another script) I thought: this can be done better/more efficient.
What I have done is a rewrite of the script, it now contains 50% less code.
This is mainly because the recursion is implemented better.
When you are not familiar with recursion: here’s a extensive wikipedia article.
You can easily modify the script with extra user attributes, counters, etc.
Here you can find some mutations of the enumerate nested group script:

What the script does:

  • fill a variable with the group distinguished name
  • call the function EnumNestedgroup
  • the function checks whether the member is a group or a user
  • when the member is a user the displayname and smtp address are echoed on the screen
  • when the member is a group the group distinguished name is echoed and the function is called again
  • this loop continues untill the last member is enumerated

Follow the next steps to run the script (no admin rights needed):

  • find the distinguished name of the nested group (adsiedit.msc)
  • open your favorite text editor
  • copy and paste the script into the editor
  • change the distinguished name
  • save the script (for example c:\tempenumeratenestedgroup.vbs)
  • open a command prompt
  • go to “c:\temp”
  • give “cscript enumeratenestedgroup.vbs” (without quotes) and enter

The script:

' Name : enumeratenestedgroup.vbs
' Description : script to enumerate the members of a nested group
' Author : dirk adamsky - deludi bv
' Version : 2.2 replaced the subroutine statement with a function statement
' Date : 07-06-2011

strTargetGroupDN = "LDAP://CN=testgroup,OU=groups,DC=test,DC=org"
EnumNestedgroup strTargetGroupDN
Function EnumNestedgroup(strGroupDN)
	Set objGroup = GetObject(strGroupDN)
	For Each objMember in objGroup.Members
		If (LCase(objMember.Class) = "group") Then
			wscript.echo objMember.AdsPath
			EnumNestedgroup objMember.AdsPath
		Else
			Wscript.Echo objMember.DisplayName & " ; " & objMember.Mail
		End If
	Next
	Set objGroup = Nothing
End Function

When you have a modified version or problems/questions that you want to share please post it at the comments below.

Happy scripting.

Dirk Adamsky

« Older Entries

Popular articles

Tags

active directory adsi alive attribute command prompt computer cscript disable disabled distribution group email enumerate excel exchange files filesystem object filter folder groups homedirectory hp microserver lastlogon lastlogontimestamp list mail mailbox memberOf members memberships n36l nested group number ou ping recursion server smtp address status subfolders user vb vbs vbscript vmware esxi wmi

Categories

Recent Comments