list of users in security groups and distribution groups

    bavisimo
    Member
    #144981

    Hi, I am trying to make a list of all users in our Active Directory database that shows which security groups and distribution groups they are in. I have tried using the query function in Active Directory Users and Computers, and there doesn’t seem to be anything to help?

    ikon
    Member
    #354239

    Re: list of users in security groups and distribution groups

    you can use csvde to export an OU to csv file and read the attributes.

    http://www.computerperformance.co.uk/Logon/Logon_CSVDE.htm

    bavisimo
    Member
    #352936

    Re: list of users in security groups and distribution groups

    There are two different OU but what I need is say every one who is a member of the “administrator” group or “sales” group or “IT staff” distribution list.

    Can this be done via CSVDE? If so is there a syntax as i have not done this before.

    stamandster
    Member
    #280356

    Re: list of users in security groups and distribution groups

    Try this

    create a vb script called documentgroups.vbs

    ' DocumentGroups.vbs
    ' VBScript program to document all groups in Active Directory.
    ' Outputs group name, type of group, all members, and types of member.
    ' Lists all groups that are members, but does not list the nested group
    ' membership.

    ' ----------------------------------------------------------------------
    ' Copyright (c) 2002 Richard L. Mueller
    ' Hilltop Lab web site - http://www.rlmueller.net
    ' Version 1.0 - November 10, 2002
    ' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
    ' Version 1.2 - March 11, 2003 - Remove SearchScope property.
    ' Version 1.3 - July 6, 2007 - Modify use of Fields collection of
    ' Recordset object.
    ' Version 1.4 - July 27, 2007 - Bug fix if group name has "/" character
    ' Version 1.5 - Sept 2009 - CMS - Edited to used TSV instead of CSV.

    ' This script is designed to be run at a command prompt, using the
    ' Cscript host. The output can be redirected to a text file.
    ' For example:
    ' cscript //nologo DocumentGroups.vbs > groups.txt

    ' You have a royalty-free right to use, modify, reproduce, and
    ' distribute this script file in any way you find useful, provided that
    ' you agree that the copyright owner above has no warranty, obligations,
    ' or liability for such use.

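    Option Explicit

    Dim adoConnection, adoCommand, objRootDSE, strDNSDomain, strQuery
    Dim adoRecordset, strDN, objGroup

    ' Read-only inventory of every group in the current domain. Rows are
    ' written to standard output, tab-separated: two header rows per group
    ' (type and description) followed by one row per direct member.
    ' No credentials are passed to the provider, so the directory is read in
    ' the security context of whoever runs the script.

    ' Use ADO to search Active Directory.
    Set adoConnection = CreateObject("ADODB.Connection")
    Set adoCommand = CreateObject("ADODB.Command")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Read the domain's default naming context (its DN) from the RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Search for all groups, return the Distinguished Name of each.
    ' Query layout: <search base>;filter;attributes;scope. The search base
    ' had been lost from the posted copy, which left the query without a
    ' starting point.
    strQuery = "<LDAP://" & strDNSDomain _
        & ">;(objectClass=group);distinguishedName;subtree"
    adoCommand.CommandText = strQuery
    ' Paged retrieval, 100 rows per page, 30 second timeout.
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    Set adoRecordset = adoCommand.Execute
    If (adoRecordset.EOF = True) Then
        ' Nothing to report: release everything and stop.
        Wscript.Echo "No groups found"
        adoRecordset.Close
        adoConnection.Close
        Set objRootDSE = Nothing
        Set adoConnection = Nothing
        Set adoCommand = Nothing
        Set adoRecordset = Nothing
        Wscript.Quit
    End If

    ' Enumerate all groups, bind to each, and document group members.
    Wscript.Echo "Group" & vbTab & vbTab & "Full Name" & vbTab & "Username" & vbTab & "Type" '& vbTab & "Description"
    Do Until adoRecordset.EOF
        strDN = adoRecordset.Fields("distinguishedName").Value
        ' Escape any forward slash characters with backslash; an unescaped
        ' "/" inside the DN would be read as a path separator when binding.
        strDN = Replace(strDN, "/", "\/")
        Set objGroup = GetObject("LDAP://" & strDN)
        Wscript.Echo objGroup.sAMAccountName _
            & vbTab & "Type: " & GetType(objGroup.groupType) '& vbTab & vbTab & vbTab & vbTab & objGroup.description
        ' NOTE(review): description is free-form directory text; a tab or line
        ' break inside it would shift the columns of this row - confirm how
        ' the consumer of the file copes with that.
        Wscript.Echo objGroup.sAMAccountName & vbTab & "Desc: " & objGroup.description
        Call GetMembers(objGroup)
        'Wscript.Echo vbCrLf
        ' Separator row between groups.
        Wscript.Echo vbTab
        adoRecordset.MoveNext
    Loop
    ' Footer records when the export was taken.
    Wscript.Echo vbCrLf & "-- Export on " & DateValue(now) & " at " & TimeValue(now) & " --"
    adoRecordset.Close

    ' Clean up.
    adoConnection.Close
    Set objRootDSE = Nothing
    Set objGroup = Nothing
    Set adoConnection = Nothing
    Set adoCommand = Nothing
    Set adoRecordset = Nothing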

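    Function GetType(ByVal intType)
        ' Translate a group's groupType bit field into "<scope>/<kind>" text.
        ' intType: value of the group's groupType attribute.
        ' Returns for example "Global/Security" or "Universal/Distribution".
        ' The scope bits are tested in order and the first one set wins; if
        ' none of the four is set the scope part is left empty.
        ' The "<>" comparisons had been lost from the posted copy.
        If ((intType And &h01) <> 0) Then
            GetType = "Built-in"
        ElseIf ((intType And &h02) <> 0) Then
            GetType = "Global"
        ElseIf ((intType And &h04) <> 0) Then
            GetType = "Local"
        ElseIf ((intType And &h08) <> 0) Then
            GetType = "Universal"
        End If
        ' High bit set: security group (can appear in access control lists).
        ' High bit clear: distribution group.
        If ((intType And &h80000000) <> 0) Then
            GetType = GetType & "/Security"
        Else
            GetType = GetType & "/Distribution"
        End If
    End Function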

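    Sub GetMembers(ByVal objADObject)
        ' Write one tab-separated row per direct member of a group.
        ' objADObject: the bound group object whose Members collection is listed.
        ' Row layout: group sAMAccountName, empty column, member CN,
        ' member sAMAccountName, member type.
        ' Members can be users or groups. A member that is itself a group is
        ' listed but not expanded, so rights gained through nesting do not
        ' show up in the output.
        Dim objMember, strType
        For Each objMember In objADObject.Members
            ' Every member whose objectCategory does not start with CN=Group
            ' is labelled "User", whatever kind of object it actually is.
            If (UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP") Then
                strType = "Group"
            Else
                strType = "User"
            End If
            ' Read the group name from the parameter, not from the
            ' script-level objGroup variable, so the row always names the
            ' group that was passed in.
            ' NOTE(review): CN is free-form directory text. If the output is
            ' opened in a spreadsheet, a value starting with =, +, - or @ may
            ' be evaluated as a formula - import this column as text.
            Wscript.Echo objADObject.sAMAccountName & vbTab & vbTab & objMember.CN & vbTab & objMember.sAMAccountName _
                & vbTab & strType '& vbTab & objMember.Description
        Next
        Set objMember = Nothing
    End Sub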
    [/CODE]

    Then create a bat called documentgroups.bat
    this file should have

    [CODE]
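    @echo off
    rem Run DocumentGroups.vbs under the console script host and capture its
    rem output as a tab-separated file in the current directory.
    rem %~dp0 expands to the folder holding this batch file, so the script is
    rem found even when the batch file is started from another directory.
    cscript.exe //nologo "%~dp0DocumentGroups.vbs" > DocumentGroups.tsv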
    [/CODE]

    Run the batch script to create documentgroups.tsv. Then you can manipulate it in Excel.

    [CODE]
    ' DocumentGroups.vbs
    ' VBScript program to document all groups in Active Directory.
    ' Outputs group name, type of group, all members, and types of member.
    ' Lists all groups that are members, but does not list the nested group
    ' membership.


    ' Copyright (c) 2002 Richard L. Mueller
    ' Hilltop Lab web site - http://www.rlmueller.net
    ' Version 1.0 - November 10, 2002
    ' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
    ' Version 1.2 - March 11, 2003 - Remove SearchScope property.
    ' Version 1.3 - July 6, 2007 - Modify use of Fields collection of
    ' Recordset object.
    ' Version 1.4 - July 27, 2007 - Bug fix if group name has "/" character
    ' Version 1.5 - Sept 2009 - CMS - Edited to used TSV instead of CSV.

    ' This script is designed to be run at a command prompt, using the
    ' Cscript host. The output can be redirected to a text file.
    ' For example:
    ' cscript //nologo DocumentGroups.vbs > groups.txt

    ' You have a royalty-free right to use, modify, reproduce, and
    ' distribute this script file in any way you find useful, provided that
    ' you agree that the copyright owner above has no warranty, obligations,
    ' or liability for such use.

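    Option Explicit

    Dim adoConnection, adoCommand, objRootDSE, strDNSDomain, strQuery
    Dim adoRecordset, strDN, objGroup

    ' Read-only inventory of every group in the current domain. Rows are
    ' written to standard output, tab-separated: two header rows per group
    ' (type and description) followed by one row per direct member.
    ' No credentials are passed to the provider, so the directory is read in
    ' the security context of whoever runs the script.

    ' Use ADO to search Active Directory.
    Set adoConnection = CreateObject("ADODB.Connection")
    Set adoCommand = CreateObject("ADODB.Command")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Read the domain's default naming context (its DN) from the RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Search for all groups, return the Distinguished Name of each.
    ' Query layout: <search base>;filter;attributes;scope. The provider name
    ' in the search base is written in capitals, with no space before "//".
    strQuery = "<LDAP://" & strDNSDomain _
        & ">;(objectClass=group);distinguishedName;subtree"
    adoCommand.CommandText = strQuery
    ' Paged retrieval, 100 rows per page, 30 second timeout.
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    Set adoRecordset = adoCommand.Execute
    If (adoRecordset.EOF = True) Then
        ' Nothing to report: release everything and stop.
        Wscript.Echo "No groups found"
        adoRecordset.Close
        adoConnection.Close
        Set objRootDSE = Nothing
        Set adoConnection = Nothing
        Set adoCommand = Nothing
        Set adoRecordset = Nothing
        Wscript.Quit
    End If

    ' Enumerate all groups, bind to each, and document group members.
    Wscript.Echo "Group" & vbTab & vbTab & "Full Name" & vbTab & "Username" & vbTab & "Type" '& vbTab & "Description"
    Do Until adoRecordset.EOF
        strDN = adoRecordset.Fields("distinguishedName").Value
        ' Escape any forward slash characters with backslash; an unescaped
        ' "/" inside the DN would be read as a path separator when binding.
        strDN = Replace(strDN, "/", "\/")
        Set objGroup = GetObject("LDAP://" & strDN)
        Wscript.Echo objGroup.sAMAccountName _
            & vbTab & "Type: " & GetType(objGroup.groupType) '& vbTab & vbTab & vbTab & vbTab & objGroup.description
        ' NOTE(review): description is free-form directory text; a tab or line
        ' break inside it would shift the columns of this row - confirm how
        ' the consumer of the file copes with that.
        Wscript.Echo objGroup.sAMAccountName & vbTab & "Desc: " & objGroup.description
        Call GetMembers(objGroup)
        'Wscript.Echo vbCrLf
        ' Separator row between groups.
        Wscript.Echo vbTab
        adoRecordset.MoveNext
    Loop
    ' Footer records when the export was taken.
    Wscript.Echo vbCrLf & "-- Export on " & DateValue(now) & " at " & TimeValue(now) & " --"
    adoRecordset.Close

    ' Clean up.
    adoConnection.Close
    Set objRootDSE = Nothing
    Set objGroup = Nothing
    Set adoConnection = Nothing
    Set adoCommand = Nothing
    Set adoRecordset = Nothing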

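    Function GetType(ByVal intType)
        ' Translate a group's groupType bit field into "<scope>/<kind>" text.
        ' intType: value of the group's groupType attribute.
        ' Returns for example "Global/Security" or "Universal/Distribution".
        ' The scope bits are tested in order and the first one set wins; if
        ' none of the four is set the scope part is left empty.
        ' The "<>" comparisons had been lost from the posted copy.
        If ((intType And &h01) <> 0) Then
            GetType = "Built-in"
        ElseIf ((intType And &h02) <> 0) Then
            GetType = "Global"
        ElseIf ((intType And &h04) <> 0) Then
            GetType = "Local"
        ElseIf ((intType And &h08) <> 0) Then
            GetType = "Universal"
        End If
        ' High bit set: security group (can appear in access control lists).
        ' High bit clear: distribution group.
        If ((intType And &h80000000) <> 0) Then
            GetType = GetType & "/Security"
        Else
            GetType = GetType & "/Distribution"
        End If
    End Function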

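    Sub GetMembers(ByVal objADObject)
        ' Write one tab-separated row per direct member of a group.
        ' objADObject: the bound group object whose Members collection is listed.
        ' Row layout: group sAMAccountName, empty column, member CN,
        ' member sAMAccountName, member type.
        ' Members can be users or groups. A member that is itself a group is
        ' listed but not expanded, so rights gained through nesting do not
        ' show up in the output.
        Dim objMember, strType
        For Each objMember In objADObject.Members
            ' Every member whose objectCategory does not start with CN=Group
            ' is labelled "User", whatever kind of object it actually is.
            If (UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP") Then
                strType = "Group"
            Else
                strType = "User"
            End If
            ' Read the group name from the parameter, not from the
            ' script-level objGroup variable, so the row always names the
            ' group that was passed in.
            ' NOTE(review): CN is free-form directory text. If the output is
            ' opened in a spreadsheet, a value starting with =, +, - or @ may
            ' be evaluated as a formula - import this column as text.
            Wscript.Echo objADObject.sAMAccountName & vbTab & vbTab & objMember.CN & vbTab & objMember.sAMAccountName _
                & vbTab & strType '& vbTab & objMember.Description
        Next
        Set objMember = Nothing
    End Sub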
    [/CODE]

    Then create a bat called documentgroups.bat
    this file should have

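    @echo off
    rem Run DocumentGroups.vbs under the console script host and capture its
    rem output as a tab-separated file in the current directory.
    rem %~dp0 expands to the folder holding this batch file, so the script is
    rem found even when the batch file is started from another directory.
    cscript.exe //nologo "%~dp0DocumentGroups.vbs" > DocumentGroups.tsv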
    [/CODE]

    Run the batch script to create documentgroups.tsv. Then you can manipulate it in Excel.

    [CODE]
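    @echo off
    rem Run DocumentGroups.vbs under the console script host and capture its
    rem output as a tab-separated file in the current directory.
    rem %~dp0 expands to the folder holding this batch file, so the script is
    rem found even when the batch file is started from another directory.
    cscript.exe //nologo "%~dp0DocumentGroups.vbs" > DocumentGroups.tsv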
    [/CODE]

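    Run the batch script to create documentgroups.tsv. Then you can manipulate it in Excel. The file lists the members of every group, including the administrative ones, so keep it somewhere only the people doing the review can read. Names and descriptions come straight from the directory, and a value that begins with =, +, - or @ can be treated as a formula by a spreadsheet, so import those columns as text.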

    bavisimo
    Member
    #352937

    Re: list of users in security groups and distribution groups

    Thanks, this might seem like a stupid question, but am I doing it right by copying and pasting the vbs script and then saving it via Notepad as documentgroups.vbs, then doing the same for the bat? Only the tsv file is blank afterwards.

    bavisimo
    Member
    #352938

    Re: list of users in security groups and distribution groups

    Hi Thanks,

    I was looking online for this solution and I came across this code, which did the job spot on,

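    Option Explicit
    Dim objConnection, objCommand, objRecordSet, objGroup, objRootDSE, objFile, objFileSystem, objMember
    Dim strLine

    ' Export every group in the current domain to a tab-separated text file
    ' with one row per group: group name, number of direct members, and the
    ' member names joined with commas.
    ' No credentials are passed to the provider, so the directory is read in
    ' the security context of whoever runs the script.
    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    ' 2 = open for writing, True = create the file if missing, 0 = ASCII.
    ' The content is tab-separated text even though the name ends in .xls,
    ' and it is written to the current directory.
    ' NOTE(review): the ASCII format may not preserve names that contain
    ' non-ASCII characters - confirm against your directory.
    Set objFile = objFileSystem.OpenTextFile("Groups.xls", 2, True, 0)
    objFile.WriteLine "Group Name" & vbTab & "Number of Members" & vbTab & "Members"

    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand = CreateObject("ADODB.Command")
    ' Set binds the command to the connection opened above.
    Set objCommand.ActiveConnection = objConnection
    ' The provider name is written in capitals; the forum's [URL] tags that
    ' had been wrapped around the path are not part of it.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    objCommand.CommandText = "SELECT name, aDSPath,mail " & _
        "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='group'"
    Set objRootDSE = Nothing
    ' Paged retrieval, 1000 rows per page, 600 second timeout.
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Timeout") = 600
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute
    While Not objRecordSet.EOF
        ' Bind to the group so that its Members collection can be read.
        Set objGroup = GetObject(objRecordSet.Fields("aDSPath").Value)

        strLine = objRecordSet.Fields("name").Value & vbTab

        ' Direct members only; members of nested groups are not counted.
        strLine = strLine & objGroup.Members.Count & vbTab

        ' NOTE(review): names are joined with commas, so a name that itself
        ' contains a comma cannot be told apart from two names in the output.
        For Each objMember In objGroup.Members
            strLine = strLine & objMember.Get("name") & ","
        Next
        ' Drop the trailing comma left by the loop.
        If Right(strLine, 1) = "," Then
            strLine = Left(strLine, Len(strLine) - 1)
        End If
        objFile.WriteLine strLine

        Set objGroup = Nothing
        objRecordSet.MoveNext
    Wend
    ' Close the recordset, the connection and the output file explicitly
    ' before the references are released.
    objRecordSet.Close
    objConnection.Close
    objFile.Close
    Set objRecordSet = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objFile = Nothing
    Set objFileSystem = Nothing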

    Anonymous
    #369925

    Re: list of users in security groups and distribution groups

    ikon;183529 wrote:
    you can use csvde to export an OU to csv file and read the attributes.

    http://www.computerperformance.co.uk/Logon/Logon_CSVDE.htm

    Security/Distribution Groups are NOT Organizational Units (OU).
