  • [ADFind] 2 Query issues

    Hi all,


    I have 2 questions concerning the same subject.

    #1
    I'm trying to make a query on AD for the following information:

    The customer needs a READABLE list of groups and the containing members available within AD so they can restructure and see if everyone's in the proper group.

    The reason why I say readable is because I've been able to make a nice long list already with the following query:

    Code:
    adfind -f objectcategory=group member >> f:\groups.txt
    Which seems to be fine for me, but I need computer illiterates to make sense of it.
    The current resulting code is:
    Code:
    dn:CN=Group Policy Creator Owners,CN=Users,DC=Domain,DC=com
    >member: CN=Administrator,CN=Users,DC=Domain,DC=com
    In order to clean it up a bit I've made a batch file which looks like this:

    Code:
    @echo off
    :: PROGRAM - Groups.bat
    
    adfind -f objectcategory=group member >F:\test1.txt
    
    :: Cleaning up the result
    
    echo Stripping down output ...
    (for /F "skip=2 delims=,= tokens=1,2,3*" %%i in ('type F:\test1.txt') do (
       if "%%i"=="dn:CN" (
          echo.
          echo Group=%%j
       ) else (
          echo.   %%j
       )
    )) > F:\test.txt
    
    :: Show results 
    
    echo Done.
    start F:\test.txt
    
    
    :: cleanup
    
    del F:\test1.txt >nul 2>&1
    endlocal
    I've copied a bit of this code from:
    http://forum.sysinternals.com/forum_...ID=50782#50782

    But while for my previous example it looks ok
    Code:
    Group=Group Policy Creator Owners
       Administrator
    for my normal users it doesn't look good as their format is
    Last name, First name

    resulting in:
    Code:
    Group=Backup Operators
       Lastname\
    It just removed the first name completely, which is annoying to say the least [think of a Mr Smith example...]
    Anyone have a clue on what I'd have to change to make it just display the full name?


    #2

    I'm running the following query:
    Code:
    adfind -b "ou=Employees,dc=shieldmark,dc=local" -f "&(objectcategory=person)(samaccountname=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)" CanonicalName -nodn >>F:\Active_User_accounts.txt
    This query will give me all the active [non-disabled] user accounts in the Employees OU and show me their names as CanonicalName.

    However if I want to have more information from them, such as ProxyAddress:SMTP [their primary email address], DisplayName etc, I'd do something like:

    Code:
    adfind -b "ou=Employees,dc=shieldmark,dc=local" -f "&(objectcategory=person)(samaccountname=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)" CanonicalName DisplayName ProxyAddress:SMTP -nodn >>F:\Active_User_accounts.txt
    but then I get no good results or only CanonicalName.

    Any clue?

    Tnx

  • #2
    Re: [ADFind] 2 Query issues

    1) Do you have more than one domain in the forest? Querying the "member" attribute in a multi-domain forest is not reliable.

    2) Try:

    Code:
    adfind -default -sc exchprimarysmtp -f "&(objectcategory=person)(samaccountname=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)" -nodn CanonicalName DisplayName ProxyAddress:SMTP
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: [ADFind] 2 Query issues

      1) There most likely is a comma in the 'common name' of the users?

      A Distinguished Name can contain special characters. These characters are , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and “” (quotation marks).

      To escape these special characters or other characters in an attribute value in a DN string, the preferred method is to precede the character with a backslash ('\' ASCII 92). And this is what ADFind uses.

      And that is the backslash you see after the last name, indicating a special character is embedded in the name. Then, your batch is using the comma and equals characters as delimiters, and that causes the common name to break into multiple tokens (%%j AND %%k and maybe more). That is why you only see the last name (%%j) and not what follows after the comma.


      \Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts



      • #4
        Re: [ADFind] 2 Query issues

        1) For creating a user friendly list of groups and members you can try this batch:

        Code:
        :: show just the common names of groups and members
        :: (note, not include primairy-group membership !)
        
        @echo off & color 72 & cls
        Set "_Title=AdFind group members"
        call:Titlebar
        
        Set "outputFile=C:\AdFindGroups.txt"
        
        Set "AdFind=AdFind.exe" (provide fullpath if necessary)
        
        call:AdFindGroups "dc=shieldmark,dc=local" >"%outputFile%"
        
        :: Show results
        echo\Done.
        start ""/b notepad.exe "%outputFile%"
        :end ...................................................
        
        goto:eoAdFindGroups
           :AdFindGroups
             Set "basedn=%~1"
             Set "sep=__________________________________________"
             Set "sep=%sep%_____________________________________"
             echo\List created on %date% %time%&echo\startNode: %basedn%
        
             setlocal enabledelayedexpansion
             If NOT Defined basedn (
               Set AdFind="%AdFind%") ELSE (
               Set AdFind="%AdFind%" -b "%basedn%")
        
             For /F "skip=3 tokens=1,2 delims==" %%i in (
               'call !AdFind! -f objectcategory^=group member'
               ) Do (
               call:Titlebar
               Set name=%%j&Set name=!name:\=!&Set "name=!name:~0,-3!"
               >nul (echo\%%i|Findstr /ic:"dn:CN") &&(
                 echo\!sep!&echo\&echo\Group: !name!) ||(
                 echo\   !name!)
             )
             echo\&echo\***********&echo\end of list&echo\***********
             exit/b 0
        :eoAdFindGroups
        
        goto:eoTitlebar
           :Titlebar
             IF DEFINED _mill (call:updtitle) ELSE (Set _mill=\ )
             title %_Title%  %_mill% & exit/b
               :updtitle
                 If "%_mill:~-2%"=="\ " (Set "_mill=^|" & exit/b)
                 If "%_mill:~-2%"=="^|" (Set "_mill=/ " & exit/b)
                 If "%_mill:~-2%"=="/ " (Set "_mill=--" & exit/b)
                                        (Set "_mill=\ " & exit/b)
        :eoTitlebar
        \Rems


        Similar Thread: http://forums.petri.com/showthread.p...802#post166802


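The parsing problem from posts #3 and #4, as an added example that is not part of the thread: a small Python reader for the ADFind group dump that applies the backslash-escape rule Rems describes, so a member whose CN is "Smith, John" is printed whole instead of being cut at the comma. The ADFind output it reads is constructed here in the shape the thread shows (banner line, `dn:` and `>member:` lines, blank line between records); the `\XX` hex form is the RFC 4514 escape and is an assumption about what a DN may contain, not something the thread shows.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape the thread shows: ADFind banner, then
# "dn:" records with ">member:" lines, records separated by blank lines.
SAMPLE = """AdFind V01.40.00cpp Joe Richards ([email protected]) February 2009

dn:CN=Group Policy Creator Owners,CN=Users,DC=Domain,DC=com
>member: CN=Administrator,CN=Users,DC=Domain,DC=com

dn:CN=Backup Operators,CN=Builtin,DC=Domain,DC=com
>member: CN=Smith\\, John,OU=Employees,DC=Domain,DC=com
>member: CN=O'Brien\\, Mary,OU=Employees,DC=Domain,DC=com
>member: CN=M\\c3\\bcller\\, Hans,OU=Employees,DC=Domain,DC=com

2 Objects returned
"""

_HEX = re.compile(r"[0-9A-Fa-f]{2}")

def split_rdns(dn):
    """Split a DN on unescaped commas, unescaping each RDN per RFC 4514:
    "\\," -> "," (any escaped char), "\\c3\\bc" -> two UTF-8 bytes (u-umlaut)."""
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if _HEX.fullmatch(nxt):         # hex-escaped byte
                buf.append(int(nxt, 16))
                i += 3
            else:                           # escaped special character
                buf.extend(dn[i + 1].encode("utf-8"))
                i += 2
        elif ch == ",":                     # unescaped comma ends this RDN
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
            i += 1
        else:
            buf.extend(ch.encode("utf-8"))
            i += 1
    rdns.append(buf.decode("utf-8"))
    return rdns

def common_name(dn):
    # Value of the leading RDN (the CN for users and groups), unescaped.
    first = split_rdns(dn)[0]
    attr, _, value = first.partition("=")
    return value if attr.strip().upper() == "CN" else first

def parse_groups(text):
    """Map each group CN to its member CNs, in ADFind output order."""
    groups, current = OrderedDict(), None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = common_name(line[3:].strip())
            groups[current] = []
        elif line.startswith(">member:") and current is not None:
            groups[current].append(common_name(line[8:].strip()))
    return groups

if __name__ == "__main__":
    for group, members in parse_groups(SAMPLE).items():
        print("Group=" + group)
        print("\n".join("   " + m for m in members) + "\n")
```

Like Rems' batch, this lists only direct `member` values, so primary-group membership is still not included.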



        • #5
          Re: [ADFind] 2 Query issues

          Moved to Scripting forum as most appropriate place
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: [ADFind] 2 Query issues

            Originally posted by guyt:
            1) Do you have more than one domain in the forest ? Querying "member" attribute in multi-domain forest is not reliable.
            I have only one domain in the forest, so I thought it would be fine.
            In the case of a multi-domain forest I'll definitely keep this in mind.

            Let me give both your and Rems' solutions a shot, thanks for the help!
            I think I definitely need some more scripting skills when I see what you guys make of it.



            • #7
              Re: [ADFind] 2 Query issues

              I've checked and used both scripts and they work perfectly.
              However, now I'm being a perfectionist and I'm trying to find out how I can get this second script cleaned up the way Rems' script did for the first one.

              I've tried some tinkering, but came to this:
              Code:
              @echo off & cls
              Set "_Title=SMZ Find Active user accounts"
              
              Set "outputFile=F:\testing123.txt"
              
              Set "AdFind=AdFind.exe"
              
              call:AdFindAccounts "dc=shieldmark,dc=local" >"%outputFile%"
              
              :: Show results
              echo\Done.
              start ""/b notepad.exe "%outputFile%"
              :end ...................................................
              
              goto:eoAdFindAccounts
                 :AdFindAccounts
                   Set "basedn=%~1"
                   Set "sep=__________________________________________"
                   Set "sep=%sep%_____________________________________"
                   echo\List created on %date% %time%&echo\startNode: %basedn%
              
                   setlocal enabledelayedexpansion
                   If NOT Defined basedn (
                     Set AdFind="%AdFind%") ELSE (
                     Set AdFind="%AdFind%" -b "%basedn%")
              
                   For /F "skip=3 tokens=1,2 delims==" %%i in (
                     'call !AdFind! -default -sc exchprimarysmtp -f "&(objectcategory^=person)(samaccountname=*)(!userAccountControl:1.2.840.113556.1.4.803:^=2)" -nodn CanonicalName DisplayName ProxyAddress:SMTP'
                     ) Do (
                     Set name=%%j&Set name=!name:\=!&Set "name=!name:~0,-3!"
                     >nul (echo\%%i|Findstr /ic:">displayName") &&(
                       echo\!sep!&echo\&echo\AccountName: !name!) ||(
                       echo\   !name!)
                   )
                  Do (
                     Set name=%%j&Set name=!name:\=!&Set "name=!name:~0,-3!"
                     >nul (echo\%%i|Findstr /ic:">proxyAddresses: SMTP") &&(
                       echo\!sep!&echo\&echo\E-mail Address: !name!) ||(
                       echo\   !name!)
                   )
                  Do (
                     Set name=%%j&Set name=!name:\=!&Set "name=!name:~0,-3!"
                     >nul (echo\%%i|Findstr /ic:">canonicalName") &&(
                       echo\!sep!&echo\&echo\CN: !name!) ||(
                       echo\   !name!)
                   )
                   echo\&echo\***********&echo\end of list&echo\***********
                   exit/b 0
              :eoAdFindAccounts
              But this gave me an error

              Code:
              AdFind V01.40.00cpp Joe Richards ([email protected]) February 2009
              
              'Support' is not recognized as an internal or external command,
              operable program or batch file.
              'O' is not recognized as an internal or external command,
              operable program or batch file.
              'O' is not recognized as an internal or external command,
              operable program or batch file.
              'Do' is not recognized as an internal or external command,
              operable program or batch file.
              'Do' is not recognized as an internal or external command,
              operable program or batch file.
              Done.
              and created 3 files without extension:
              DisplayName
              ProxyAddress
              CanonicalName

              I thought it might be the fact that I'm using special characters in my adfind query, but I fear that if I start tampering with that line I'll screw it up even worse.

              *puppy eyes to Rems or someone else*
              Can you let me know what I'm doing wrong here?



              • #8
                Re: [ADFind] 2 Query issues

                Each "Do" should be part of its own For_Do statement.
                And special characters in a Name string can sometimes cause unexpected behaviour in a batch.

                Try this sample:
                Code:
                @echo off & color 72 & cls
                Set "_Title=AdFind group members"
                call:Titlebar
                
                Set "outputFile=F:\testing123.txt"
                Call :AdFindSMTP "ou=Employees,dc=shieldmark,dc=local" >"%outputFile%"
                
                :: Show results
                echo\Done.
                start ""/b notepad.exe "%outputFile%"
                :end
                
                
                goto:eoAdFindSMTP
                   :AdFindSMTP
                     Set "basedn=%~1"
                     Set "sep=__________________________________________"
                     Set "sep=%sep%_____________________________________"
                     echo\List created on %date% %time%&echo\startNode: %basedn%
                
                     Set "AdFind=AdFind.exe" (provide fullpath if necessary)
                (Set AdArgs=-default -sc exchprimarysmtp -f "&(objectcategory=person)(samaccountname=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)" -nodn CN DisplayName ProxyAddress:SMTP)
                
                     setlocal enabledelayedexpansion
                     If NOT Defined basedn (
                       Set AdFind="%AdFind%") ELSE (
                       Set AdFind="%AdFind%" -b "%basedn%")
                
                     For /F "skip=3 tokens=1-3 delims=:" %%i in (
                       'call %adfind% %AdArgs%') Do (
                       call:Titlebar
                
                       If /i "%%i"==">cn" (
                         echo\ & echo\%sep% & echo\
                         Set "displayName="
                         call:Trim "%%j" "%%k"
                         echo\Object: !o:\,=,!)
                
                       If /i "%%i"==">displayName" (
                         call:Trim "%%j" "%%k"
                         Set Displayname=!o!)
                       If /i "%%i"==">proxyAddresses" (
                         call:Trim "%%j" "%%k"
                         echo\email : "!Displayname!" ^<!o!^>)
                     )
                     echo\&echo\***********&echo\end of list&echo\***********
                   exit/b 0
                :eoAdFindSMTP
                
                goto:eoTitlebar
                   :Titlebar
                     IF DEFINED _mill (call:updtitle) ELSE (Set _mill=\ )
                     title %_Title%  %_mill% & exit/b
                       :updtitle
                         If "%_mill:~-2%"=="\ " (Set "_mill=^|" & exit/b)
                         If "%_mill:~-2%"=="^|" (Set "_mill=/ " & exit/b)
                         If "%_mill:~-2%"=="/ " (Set "_mill=--" & exit/b)
                                                (Set "_mill=\ " & exit/b)
                :eoTitlebar
                
                goto:eoTrim
                   :Trim
                    (Set o=%~2)
                    If not defined o (Set o=%1) Else (Set o=%2)
                    (Set o=!o:~1,-1!)
                    :LeftTrim
                    If "!o:~0,1!"==" " (
                      Set o=!o:~1!&Goto:LeftTrim)
                    :RightTrim
                    If "!o:~-1!"==" " (
                      Set o=!o:~0,-1!&Goto:RightTrim)
                   exit/b
                :eoTrim
                In the sample I used the format parameters: -nodn CN DisplayName ProxyAddress:SMTP . But if you like you can change the CN with CanonicalName, in that case you also have to change cn to canonicalname in this line: If /i "%%i"==">cn" ( .
                This batch will fail if there is a colon (:) in the name somewhere.


                \Rems
                Last edited by Rems; 11th August 2009, 17:10.

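The colon limitation Rems mentions, as an added example that is not part of the thread: a Python reader for the same `-nodn cn displayName proxyAddresses` output that splits each `>attribute: value` line only at its first ": ", so a colon inside a display name survives, and that picks the primary address by Exchange's convention of an upper-case `SMTP:` prefix (lower-case `smtp:` entries are aliases). The sample output is constructed in the shape the thread shows, with record boundaries assumed to be blank lines.

```python
# Constructed: the shape of "-nodn cn displayName proxyAddresses" output in
# this thread (banner line, then records separated by blank lines).
SAMPLE = """AdFind V01.40.00cpp Joe Richards ([email protected]) February 2009

>cn: Smith, John
>displayName: Smith, John: Contractor
>proxyAddresses: smtp:jsmith@old.example.com
>proxyAddresses: SMTP:john.smith@example.com

>cn: Doe, Jane
>displayName: Doe, Jane
>proxyAddresses: SMTP:jane.doe@example.com
>proxyAddresses: X400:c=us;a= ;p=Example;o=Exchange;s=Doe;g=Jane;

2 Objects returned
"""

def parse_records(text):
    """Yield one dict per object; every attribute maps to a list of values.

    A line is split only at the first ": ", so a colon inside a value (the
    case the batch above cannot handle) stays part of the value.
    """
    rec = {}
    for line in text.splitlines():
        if not line.startswith(">"):
            if rec:                      # blank line or footer ends a record
                yield rec
                rec = {}
            continue
        attr, sep, value = line[1:].partition(": ")
        if not sep:                      # ">attr:" with an empty value
            attr, value = attr.rstrip(":"), ""
        rec.setdefault(attr.lower(), []).append(value)
    if rec:
        yield rec

def primary_smtp(proxy_addresses):
    """Exchange marks the primary address with an upper-case 'SMTP:' prefix;
    lower-case 'smtp:' entries are secondary aliases and are skipped."""
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):]
    return None

def render(text):
    """One line per account in the batch's format: email : "name" <address>."""
    out = []
    for rec in parse_records(text):
        name = rec.get("displayname", rec.get("cn", [""]))[0]
        mail = primary_smtp(rec.get("proxyaddresses", []))
        out.append('email : "%s" <%s>' % (name, mail or "no primary SMTP"))
    return out

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```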



                • #9
                  Re: [ADFind] 2 Query issues

                  The script below works fantastic and thank you Rems for providing this. I am looking to use the same output format, but to include the 'Managed By' field for each group but can't quite get the script to work. Any chance of some help please.





                  Originally posted by Rems:
                  1) For creating a user friendly list of groups and members you can try this batch:
                  (quotes the full batch script from post #4 above)


                  • #10
                    Re: [ADFind] 2 Query issues

                    Hi Rems,

                    Wonderful script and it works well for me, except for one issue. I have cross-forest users and they are reported with their foreign security principal names.
                    I tried to modify the batch file by adding "-asq member objectsid -resolvesids -list" to the line
                    'call !AdFind! -f objectcategory^=group member'

                    But the result is not good. I get an empty output file (of course the header and footer are there!!).

                    How to get this fixed?

                    Thanks,
