This script has a modified version which can be found here:
For a sysadmin, some tasks are time-consuming.
Enumerating large hierarchical (distribution) groups is certainly one of them; sometimes the nesting is 6 levels deep or more. This script is intended to make that easier.
What the script does:
- connect to the Active Directory group object
- for all members of the group
  - if the member is a group (nested) then create a subgroup object
  - call the subroutine EnumNestedGroup with the subgroup object as argument
  - else if the member is a user, echo the mail and displayname of the user
- the subroutine EnumNestedGroup uses recursion and basically repeats the above steps for all child groups
On one occasion the above script did not come to an end. I was curious about the cause: the nested group was a member of itself (several levels deeper). After removing the membership the script ended normally.
The above script can easily be modified. For example: you can count the members that have more than one membership of the group. Also the user attributes of the output can easily be changed. For example: objMember.HomeDirectory gives the homeshare of the user. Please keep in mind that there are some minor object attribute naming differences between AD and ADSI. For example: objUser.AdsPath is the distinguishedName attribute of the user.
Follow the next steps to run the script (no admin rights needed):
- find the distinguished name of the nested group (adsiedit.msc)
- open your favorite text editor
- copy and paste the script into the editor
- change the distinguished name
- save the script (for example c:\temp\enumeratenestedgroup.vbs)
- open a command prompt
- go to “c:\temp”
- type “cscript enumeratenestedgroup.vbs” (without quotes) and press Enter
The script:
' Name : enumeratenestedgroup.vbs
' Description : script to enumerate the members of a nested group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 11-01-2010

' Bind to the top-level group; change the distinguished name to your own group
Set objGroup = GetObject("LDAP://CN=testgroup,OU=groups,DC=test,DC=org")

' Walk the direct members: recurse into groups, echo everything else
For Each objMember In objGroup.Members
    If (LCase(objMember.Class) = "group") Then
        Set objSubGroup = GetObject(objMember.AdsPath)
        Call EnumNestedGroup(objSubGroup)
        Set objSubGroup = Nothing
    Else
        WScript.Echo objMember.Mail & " ; " & objMember.DisplayName
    End If
Next
Set objGroup = Nothing

' Recursive subroutine: repeats the steps above for every child group.
' Note: it does not track visited groups, so a circular membership never ends.
Sub EnumNestedGroup(objNestedGroup)
    Dim objSubMember, objSubNestedGroup
    For Each objSubMember In objNestedGroup.Members
        If (LCase(objSubMember.Class) = "group") Then
            Set objSubNestedGroup = GetObject(objSubMember.AdsPath)
            Call EnumNestedGroup(objSubNestedGroup)
            Set objSubNestedGroup = Nothing
        Else
            WScript.Echo objSubMember.Mail & " ; " & objSubMember.DisplayName
        End If
    Next
End Sub
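The run that never ended, caused by a group being a member of itself several levels down, can be guarded against by remembering which groups have already been expanded. The following is an added example, not the author's script or his modified version; it reuses the sample distinguished name from the script above, and the names EnumGroupOnce and dictSeen are chosen for this example only.

```vbscript
' Added example (not the original script): cycle-safe enumeration of a nested group
Option Explicit

Dim dictSeen, objRoot

' Key   = distinguishedName of a group that has been reached
' Value = True while the group is still being expanded (it is on the current
'         path), False once all of its members have been listed
Set dictSeen = CreateObject("Scripting.Dictionary")
dictSeen.CompareMode = vbTextCompare   ' distinguished names are case-insensitive

' Same sample distinguished name as the script above; change it to your group
Set objRoot = GetObject("LDAP://CN=testgroup,OU=groups,DC=test,DC=org")
EnumGroupOnce objRoot, 0
Set objRoot = Nothing

Sub EnumGroupOnce(objGroup, intDepth)
    Dim objMember, objSubGroup, strDN, strIndent
    strDN = objGroup.Get("distinguishedName")
    strIndent = String(intDepth * 2, " ")

    If dictSeen.Exists(strDN) Then
        If dictSeen(strDN) Then
            ' Reached again while still expanding it: the group contains itself
            WScript.Echo strIndent & "[circular membership, not expanded] " & strDN
        Else
            ' Reached through a second parent: its members were listed before
            WScript.Echo strIndent & "[already listed, not expanded] " & strDN
        End If
        Exit Sub
    End If
    dictSeen.Add strDN, True

    For Each objMember In objGroup.Members
        If LCase(objMember.Class) = "group" Then
            Set objSubGroup = GetObject(objMember.AdsPath)
            EnumGroupOnce objSubGroup, intDepth + 1
            Set objSubGroup = Nothing
        Else
            WScript.Echo strIndent & objMember.Mail & " ; " & objMember.DisplayName
        End If
    Next

    dictSeen(strDN) = False   ' finished: no longer on the current path
End Sub
```

Lines marked as circular membership point at the group whose membership needs to be cleaned up in Active Directory.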
Happy scripting.
Best regards,
Dirk Adamsky

Great work Dirk, the best. Excellent script to find out each user of a big DL even though the DL structure is too deep. This script also helped to find the circular nested groups, with two groups each being a member of the other.
Hi Schummi,
Glad to hear.
When you have the time please take a look at the modified version:
http://deludi.nl/blog/vbscript/active-directory/groups/active-directory-vbscript-to-enumerate-the-members-of-nested-groups-v2/
Best regards,
Dirk Adamsky
Great script…..
Got a quick question: I need to create a script that will query all the groups within an OU and output the data to Excel.
The scripts I’ve seen only run against the individual group… I’m OK at splitching scripts together but this has got me cornered… your help much appreciated
Hi Tyrone,
I have made a script for you.
It can be found here:
http://deludi.nl/blog/none/vbscript-vbscript-to-enumerate-all-groups-and-their-members-from-a-specific-active-directory-ou/
Best regards,
dirk adamsky