find gpo's in gpresult (for/find/findstr)


  • find gpo's in gpresult (for/find/findstr)

    I want some specific rules for different GPO's. If I use "gpresult /r /scope user" I get to see which GPO's (security groups) are active. Now how can I filter some of these active GPO's in my batch file?
    This is part of the outcome from my gpresult:

    Code:
        De gebruiker is lid van de volgende beveiligingsgroepen
              Domain Users
              Iedereen
              SophosAdministrator
              SophosUser
              BUILTIN\Administrators
              Gebruikers
              INTERACTIEF
              AANMELDEN OP DE CONSOLE
              Geverifieerde gebruikers
              Deze organisatie
              LOKAAL
              Iedereen
              GS_08_cv's
              Tekenkamer
              GS_03_verslagen_openbaar
              GS_07_overeenkomsten
              GS_01_facturen
              GS_04_Functieprofielen
              GS_00_documenten
              AEC
              GS_02_functioneringsgesprekken
              GS_06_offertes
              GS_05_Arbeidsovereenkomsten
              GS_09_ aanbevelingsbrieven
              GS_03_verslagen_beperkt
              Systeembeheer
              Hoog verplicht niveau
    I know I can search for a specific name (string?) with findstr, i.e.

    Code:
        gpresult /r /scope user | findstr /L /i "SysteemBeheer" > nul 2>&1
        REM *alternative* gpresult /r /scope user | FIND /i "SysteemBeheer" > nul 2>&1
        IF %ERRORLEVEL% EQU 0 (ECHO Sys.Beheer) ELSE ECHO NO.sys.beheer
    But how can I change it so that multiple lines are read?

    i.e. (borrowed some code just for example)

    Code:
        systeminfo | find "Microsoft Windows" > %TEMP%\osname.txt
        FOR /F "usebackq delims=: tokens=2" %%i IN (%TEMP%\osname.txt) DO set vers=%%i
        
        echo %vers% | find "Windows 7" > nul
        if %ERRORLEVEL% == 0 goto ver_7
        
        echo %vers% | find "Windows Server 2008" > nul
        if %ERRORLEVEL% == 0 goto ver_2008
        
        echo %vers% | find "Windows Vista" > nul
        if %ERRORLEVEL% == 0 goto ver_vista
        
        goto warnthenexit
    I mean this does search for multiple variables; I hope to somehow find multiple Security Groups (GPO's) from the gpresult function (or perhaps a better way?)

    I'd like it to do something like this: if systeembeheer exists do blaat1, if aec exists do blaat2, if tekenkamer exists do blaat3, BUT multiple GPO's can exist, SO the script/search must not stop if 1 of the above does exist; it still has to "look" (search) further if one of the other(s) also exists.

    ***Perhaps a little more like this?

    Code:
        @echo off
        CLS
        setlocal enabledelayedexpansion
        
        for %%i in (systeembeheer tekenkamer aec) do (
            gpresult /r /scope user | findstr /L /i %%i
            if errorlevel 0 if not errorlevel 1 echo %%i ok process found !errorlevel!
            if errorlevel 1 if not errorlevel 2 echo %%i no process found !errorlevel!
        )
        
        :exit
        pause
    AND changed it a little:

    Code:
        @ECHO OFF
        CLS
        SETLOCAL ENABLEEXTENSIONS
        SETLOCAL ENABLEDELAYEDEXPANSION
        
        for %%i in (SysteemBeheer Administratie PersoneelsZaken TeamPlan) do (
            gpresult /r /scope user | findstr /L /i %%i > nul 2>&1
            if errorlevel 0 if not errorlevel 1 Set "GPO_%%i=True"
            if errorlevel 1 if not errorlevel 2 Set "GPO_%%i=False"
        REM if errorlevel 0 if not errorlevel 1 echo %%i ok process found !errorlevel! *debug lines*
        REM if errorlevel 1 if not errorlevel 2 echo %%i no process found !errorlevel! *debug lines*
        )
        
        if "%GPO_systeemBeheer%" == "True" (Echo GPO_SysteemBeheer=%GPO_systeemBeheer%) else Echo GPO_SysteemBeheer Not Found!
        if "%GPO_Administratie%" == "True" (Echo GPO_Administratie=%GPO_Administratie%) else Echo GPO_Administratie Not Found!
        if "%GPO_PersoneelsZaken%" == "True" (Echo GPO_PersoneelsZaken=%GPO_PersoneelsZaken%) else Echo GPO_PersoneelsZaken Not Found!
        if "%GPO_TeamPlan%" == "True" (Echo GPO_TeamPlan=%GPO_TeamPlan%) else Echo GPO_TeamPlan Not Found!
        
        :exit
        echo.
        echo.
        PAUSE
    This does seem to do what I want, but I'm not sure if it's the best way or the right way to do it ???

  • #2
    Re: find gpo's in gpresult (for/find/findstr)

    Does anyone know if the last piece of script is the best way to do it, or is there a better / more efficient way perhaps?



    • #3
      Re: find gpo's in gpresult (for/find/findstr)

      Originally posted by APOC View Post
      [...] I hope to somehow find multiple Security Groups (GPO's) from the gpresult function...
      [...] Does anyone know if the last piece of script is the best way to do it, or is there a better / more efficient way perhaps?
      I notice that your batch is already running a gpresult.exe command 4x here in this script. That does make the batch run very slow!

      You could also fire the command only once in the script by using a For statement, then search in every token for a phrase using each name separately from the list of the provided group names. Actually that will be a For-Do loop within a For-Do loop.

      Secondly, a command that also returns the user's security group memberships is the command: net.exe user /domain %username%
      The net.exe command runs much faster than gpresult.exe. The limitation when using this command, however, is that the result will only show the first 21 characters of each of the group names.




      Originally posted by APOC View Post
      I'd like it to do something like this: if systeembeheer exists do blaat1, if aec exists do blaat2, if tekenkamer exists do blaat3, BUT multiple GPO's can exist, SO the script/search must not stop if 1 of the above does exist; it still has to "look" (search) further if one of the other(s) also exists.
      In the batch make use of Calling labels instead of creating boolean variables for each group, it will make things easier (at first the code may look very complicated, but when used to it you'll find that it is much easier this way to read the code and for editing groupnames later on). Unlike the statement Goto :labelname a Call :labelname will return to the last position in the batch from where the label was called when this "subroutine" has ended (exit /b).

      Code:
      @echo off
      
      :create a list of groups (assign each group a unique :label_number)
      Set "Groups="
      call :define_Groups   :01 "Systeembeheer"
      call :define_Groups   :02 "AEC"
      call :define_Groups   :03 "Tekenkamer"
       goto:begin
      
      +----------------------------------------------------------------------+
         When the user is a Member Of,     (sub routines)
      
         :01 "Systeembeheer"
           echo.user is a member of the security group: "%*"
           ::\
               exit /b 0
      
         :02 "AEC"
           echo.user is a member of the security group: "%*"
           ::\
               exit /b 0
      
         :03 "Tekenkamer"
           echo.user is a member of the security group: "%*"
           ::\
               exit /b 0
      +----------------------------------------------------------------------+
      
      :begin
      :: retrieve user's group memberships
      For /f "tokens=* delims=*" %%* in (
         'net.exe user /domain %username% ^| findstr /c:" \*"'
         ) do (
      
         rem # now search in every token for a phrase using each name 
         rem # separately from the list of the provided group names.,
         for %%! in (%Groups%) do call:compare "*%%~!" "%%*"
         )
      
      pause
      :end
      
      
      goto:EOF  + + +   sub routines   + + +
      :compare
         set "testgroup=%~1"
         set "label=%testgroup:~23,2%"
         set "testgroup=%testgroup:~0,22%"
         set "string=%~2"
         echo.%string%|findstr /ic:"%testgroup%" >nul &&call:%label% %testgroup%
         exit /b 0
      
      :define_Groups
         :: the number will be attached to the group. The number will be used in the batch for calling as sub routine when the user is a member of a matching group.
      
         :: because the net user command is used we have to cut
         :: or extend names to a fixed length of 21 characters long
         Set "testgroup=%~2                     " (adding 21 trailing spaces first)
         Set "testgroup=%testgroup:~0,21%%~1"    (then Trim. And additionally, appending the :number)
      
         if not defined groups (
           Set groups="%testgroup%") else (
           Set groups=%groups%, "%testgroup%")
         exit /b 0

      Final note: why not simply use a vbs script for this? String comparison in a batch script is not always reliable, due to characters in the string that could be wrongly interpreted by the batch.


      /Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts
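
Added example, not part of any post in this thread: post #3's first suggestion (run the command once, then test each group name) applied to gpresult, so full group names are matched instead of the 21-character net.exe form. The group list, the `:on_*` label names and the temp-file name are assumptions; `AEC_Extern` in the comment is a constructed name.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion

rem Added example: run gpresult ONCE and test every group against the saved output.
rem Group names and the :on_* labels are assumptions based on the thread.
set "GPFILE=%TEMP%\gpresult_%RANDOM%.txt"
gpresult /r /scope user > "%GPFILE%" 2>nul
if errorlevel 1 (
    rem Fail closed: without valid output no group-specific action may run.
    echo gpresult failed, no membership decisions made
    del "%GPFILE%" 2>nul
    exit /b 1
)

rem Every listed group is checked; a hit does not stop the loop.
for %%G in (Systeembeheer AEC Tekenkamer) do call :check "%%~G"

del "%GPFILE%" 2>nul
endlocal
exit /b 0

:check
rem Anchored match: the whole line must be the group name plus padding spaces.
rem A plain substring search for "AEC" would also hit a group named "AEC_Extern"
rem (constructed name) and run the wrong branch for that user.
rem Assumption: names hold no spaces or findstr regex metacharacters (. * [ ] \ ^ $).
findstr /i /r /c:"^ *%~1 *$" "%GPFILE%" >nul
if errorlevel 1 (
    echo %~1: not a member
    exit /b 0
)
call :on_%~1
exit /b 0

:on_Systeembeheer
echo Systeembeheer: run blaat1 here
exit /b 0

:on_AEC
echo AEC: run blaat2 here
exit /b 0

:on_Tekenkamer
echo Tekenkamer: run blaat3 here
exit /b 0
```

Because the section heading in gpresult output is localized (Dutch in the first post), the script matches group lines only and never depends on the heading text.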



      • #4
        Re: find gpo's in gpresult (for/find/findstr)

        GREAT Tip(s)! Help! and Advice!

        Really appreciated and helps me a lot and helps me understand it more and better and I'm really learning from this, GREAT SUPPORT!

        I'll take a good look at this, thanks a lot and with kind regards, Tim.
