Announcement

Collapse
No announcement yet.

Piping dsget w/adfind?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Piping dsget w/adfind?

    Hi everybody, this is what I'm triying to do:

    I have a list of users (users.txt) and this is what I've done in the past to get what groups each user belongs to:

    for /f %i in (users.txt) do @ dsquery user -name %i | dsget user -memberof >> %i.txt

    Well, now I have this issue:

    I want to do the same, but filter the results, I only want to get the groups that end with... "AAA" for example, not all of them.

    Dsget doesn't support -filter so I though using adfind would be a good idea. The bad thing is that I've never used it before and I'm going crazy trying to understand it.

    -

    The job that needs to be done is: from a list of users, get all the groups that end with "AAA", and add the users to the identical groups but ending with "BBB", and delete those users from the same groups ending with "CCC". Tricky?

    Example:

    User "John" is member of BlueAAA, RedAAA, GreenAAA.

    What needs to be done:

    Add John to BlueBBB, RedBBB, and GreenBBB
    Remove John from BlueCCC, RedCCC, and GreenCCC.

    I can do that manually but if I could get the list of the "AAA"'s groups each user belongs to it would be easier I think. I'm not a scripting god =(

    Update- I can only use "dstools" / adfind or vbs scripting. No powershell.

    Thank you!
    Last edited by jaunis; 14th December 2010, 19:10.

  • #2
    Re: Piping dsget w/adfind?

    It's not exactly whaat you want

    but Powershell can do -filter....

    so if you could call Powershell, and make it do the dsquery (or perhaps use questAD tools) then you could filter the output from there maybe ?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

    Comment


    • #3
      Re: Piping dsget w/adfind?

      Originally posted by tehcamel View Post
      It's not exactly whaat you want

      but Powershell can do -filter....

      so if you could call Powershell, and make it do the dsquery (or perhaps use questAD tools) then you could filter the output from there maybe ?
      Thank you for your answer, but I can't call powershell (it's not installed on the -90 w2003 servers around the world) and I can't install anything on them =(

      Comment


      • #4
        Re: Piping dsget w/adfind?

        i know this doesn't help at all, but that's really a shame. I'm not a big fan of scripting at all, I never have been.. but powershell has ignited some interest in me - I'm at least somewhat inclined to try and do things that way now.

        you might only need Powershell and QuestAD installed on your own workstation, not on the servers.
        then you just give it the appropriate context..
        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

        Comment


        • #5
          Re: Piping dsget w/adfind?

          Originally posted by jaunis View Post
          I only want to get the groups that end with... "AAA" for example, not all of them.
          This is a typical use case for regular expressions. VBScript has support for regexps, so let's have an example.

          First, create a list of all the user's groups and save it to some file. Let's call the file usergroups.txt. Then read the file row by row and check whether the text matches whatever suffix you need. For example, let's look for groups containing three arbitary letters and suffix Group. That is, "fooGroup" and "barGroup" are matched but not "qGroup" or "duGurop". For each row, let's print the status (match or miss) and the text. Like so,

          Code:
          Set fso = createObject("Scripting.FileSystemObject") 
          src = "usergroups.txt"
          Set groupFile = fso.OpenTextFile(src,1)
          
          set rex = new RegExp
          pattern = "^[a-z]{3}Group$"
          rex.Pattern = pattern
          rex.IgnoreCase = false
          
          Do Until groupFile.AtEndOfStream
              strLine = groupFile.ReadLine
              if(rex.Test(strLine)) then
                  wscript.echo "found: " & strLine
              else
                  wscript.echo "miss:  " & strLine
              end if
          Loop
          -vP
          Last edited by vonPryz; 15th December 2010, 19:18. Reason: Example is in VBScript

          Comment


          • #6
            Re: Piping dsget w/adfind?

            There are some dosshell solutions too that you can use.

            Pipe the results from dsquery_to_dsget_to a Findstr.exe search to filter groups by CN name.
            With a regular expression "cn=[^=]*AAA," the goupname can be tested. It is a match when the common name of the group ends with AAA.

            command line,
            Code:
            for /f "useBackq delims=" %i in ("users.txt") do @dsquery user -name "%~i" | dsget user -memberof | findstr /ric:"cn=[^=]*AAA," >>"%~i.txt"

            Using a batch you can also add and remove group membership in one run,
            Code:
            @echo off
            
            setlocal enabledelayedexpansion
            for /f "useBackq delims=" %%* in ("users.txt") do (
               For /f "delims=" %%! in (
               'dsquery user -name "%%~*"^|dsget user -memberof ^|findstr /ric:"cn=[^=]*AAA,"'
                ) DO (
               Set "GroupDN=%%~!"
               For /f "tokens=2 delims==" %%i in ('echo."%%~!"') do set "GroupCN=%%~i"
               set "GroupCN=!GroupCN:~0,-3!"
            
               Set newGroupCN=!GroupCN:aaa=BBB!
               call Set newGroupDN=%%GroupDN:!GroupCN!=!newGroupCN!%%
            
               Set otherGroupCN=!GroupCN:aaa=CCC!
               call Set otherGroupDN=%%GroupDN:!GroupCN!=!otherGroupCN!%%
            
               echo.#   User %%~*  is member of:  !GroupCN!
               echo.#   make him/her member of:  !newGroupCN!
               echo.!newGroupDN!
               echo.#   and remove from this group:  !otherGroupCN!
               echo.!otherGroupDN!
            
               echo.
             )
            )
            
            goto:eof

            NOTEs
            • For the filter a RegExp is used in both examples. This Regular expression Test will fail when a group has embedded a "=" sign in its common name! It accepts however when "," (commas) are used in the common name.
            • The String Replace statements in the batch do not make use of a RegExp, so it simply replaces a string. I.E. it replaces AAA if exists in the common name of the group - it will also replace it if not just at the end of the name. You can solve this by translating this batch to a VBScript and use the Replace method of the RegEx obj.


            \Rems
            Last edited by Rems; 17th December 2010, 19:07. Reason: NOTEs added

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts

            Comment

            Working...
            X