Using the Active Directory command-line tools (dsquery and dsget) against a Windows 2000 or Windows Server 2003 domain, together with REWB.bat, I have scripted AllGroups.bat to display the users who are members of all the groups you specify, or who are not members of all the groups you specify.
The syntax for using AllGroups.bat is:
AllGroups /[I or N] Group1 [Group2 ... GroupN]
Where:

/I displays users who are members of all the GroupX that you specify.

/N displays users who are NOT members of all the GroupX that you specify, that is, users who are missing at least one of them.

GroupX is one or more groups, in either NetBIOS ("Domain Users") or Distinguished Name ("CN=Domain Users,CN=Users,DC=JSIINC,DC=COM") format. The script tests each group string as a case-insensitive substring of the user's expanded group list (cmd's %variable:search=replace% substitution), so the string you enter must be unique: it must not occur inside the name or Distinguished Name of any other group. It would not make sense to use User or Users, as that string exists in every Distinguished Name.

AllGroups.bat calls REWB.bat (a separate script, not included here, which must be in the path) on each group argument and on each group name that dsget returns, so both sides of the comparison are normalized the same way.

NOTE: All arguments are case insensitive.

NOTE: The output is displayed on the console in both Distinguished Name and SamID format, separated by #, as in:

"CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"#"Jerry"
"CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM"#"Jennifer"

You can use this output in your own script, as in the following example (the for /f loop splits each line at the first #, so %%u receives the quoted Distinguished Name and %%v the quoted SamID):

for /f "Tokens=1* Delims=#" %%u in ('allgroups /n "CAD Users" "Engineering"') do call :process %%u %%v
...
...
goto :EOF
:process
...
...

NOTE: AllGroups.bat runs dsget with the -expand switch, which returns the recursively expanded group list, so it finds indirect (nested) domain group membership. If the Accounts Payables group is a member of the Accounting group, members of the Accounts Payables group are also reported as members of the Accounting group.

AllGroups.bat contains:
@echo off
if {%2}=={} @echo Syntax AllGroups /[I or N] Group1 [Group2 ... GroupN]&goto :EOF
if /i {%1} EQU {/I} goto OK
if /i {%1} EQU {/N} goto OK
@echo Syntax AllGroups /[I or N] Group1 [Group2 ... GroupN]
goto :EOF
:OK
setlocal
set IorN=%1
shift
set /a cnt=0
rem Collect the group strings into group1..groupN, normalized by REWB.bat with quotes removed.
:loop
if {%1}=={} goto start
set /a cnt=%cnt% + 1
set wrk=%1
call rewb %wrk% newwrk
set newwrk=%newwrk:"=%
set group%cnt%=%newwrk%
shift
goto loop
:start
set prevuser=N
rem -limit 0 returns every user; without it dsquery stops after its default of 100 objects.
rem -expand makes dsget return nested (indirect) group membership as well.
for /f "Tokens=*" %%u in ('dsquery user domainroot -name * -limit 0') do (
 for /f "Tokens=*" %%b in ('dsget user %%u -memberof -expand') do call :whatgrp %%u %%b
)
rem Test the last user, whose group list is still pending.
call :test
endlocal
goto :EOF
:whatgrp
set user=%1
set user=%user:"=%
set oldgrp=%2
call rewb %oldgrp% grp
set grp=%grp:"=%
if "%prevuser%" EQU "%user%" goto adduser
if "%prevuser%" EQU "N" goto newuser
rem A new user has started: test the previous user's accumulated group list first.
call :test
:newuser
set prevuser=%user%
set line=%grp%
goto :EOF
:adduser
set line=%line% %grp%
goto :EOF
:test
rem NI counts how many of the requested groups occur in this user's group list.
set /a NI=0
for /l %%f in (1,1,%cnt%) do call set grpn=%%group%%f%%&call :test1
if /i "%IorN%" EQU "/I" if %NI% EQU %cnt% goto report
if /i "%IorN%" EQU "/N" if %NI% NEQ %cnt% goto report
goto :EOF
:report
for /f "Skip=1 Tokens=*" %%f in ('dsget user "%prevuser%" -samid') do call :report1 "%%f"
goto :EOF
:report1
if /i %1 EQU "dsget succeeded" goto :EOF
set samid=%1
set samid=%samid: "="%
set samid=%samid: "="%
@echo "%prevuser%"#%samid%
goto :EOF
:test1
rem Case-insensitive substring test: if removing grpn from line changes it, the group was present.
call set wrk=%%line:%grpn%=%%
if "%line%" EQU "%wrk%" goto :EOF
set /a NI=%NI% + 1
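To make the script's matching rule and output format concrete, here is an added Python model of AllGroups.bat. It is not code from this page, and it does not model REWB.bat. It runs offline over constructed dsquery/dsget-style output for hypothetical users and groups, implements the /I and /N tests, reproduces the "DN"#"SamID" output and the for /f consumer, and contrasts the script's case-insensitive substring test with an exact-name test to show why a group string such as "Users" matches every user.

```python
"""Offline model of AllGroups.bat (added example; sample data is constructed)."""
import re

# Constructed to look like `dsquery user domainroot -name *`: one quoted DN per line.
DSQUERY_USERS = '''"CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"
"CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM"
"CN=Sam Carter,CN=Users,DC=JSIINC,DC=COM"
'''

# Constructed to look like `dsget user <dn> -memberof -expand` for each user:
# nested membership already flattened, one quoted group DN per line, then the trailer.
DSGET_MEMBEROF = {
    "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM": '''"CN=CAD Users,CN=Users,DC=JSIINC,DC=COM"
"CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM"
"CN=Accounting,CN=Users,DC=JSIINC,DC=COM"
"CN=Engineering,CN=Users,DC=JSIINC,DC=COM"
dsget succeeded
''',
    "CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM": '''"CN=CAD Users,CN=Users,DC=JSIINC,DC=COM"
"CN=Engineering Managers,CN=Users,DC=JSIINC,DC=COM"
dsget succeeded
''',
    "CN=Sam Carter,CN=Users,DC=JSIINC,DC=COM": '''"CN=Accounting,CN=Users,DC=JSIINC,DC=COM"
dsget succeeded
''',
}

# Constructed: the value `dsget user <dn> -samid` would print for each user.
DSGET_SAMID = {
    "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM": "Jerry",
    "CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM": "Jennifer",
    "CN=Sam Carter,CN=Users,DC=JSIINC,DC=COM": "scarter",
}


def parse_dn_lines(text):
    """DNs from dsquery/dsget output: strip quotes, skip blanks and the 'dsget succeeded' trailer."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() == "dsget succeeded":
            continue
        dns.append(line.strip('"'))
    return dns


_RDN = re.compile(r'^CN=((?:\\.|[^,])*)', re.IGNORECASE)


def cn_value(dn):
    """Leading CN value of a DN, honouring backslash-escaped commas."""
    m = _RDN.match(dn)
    return m.group(1).replace('\\,', ',') if m else dn


def substring_match(group_dns, wanted):
    """AllGroups.bat's test: `call set wrk=%%line:%grpn%=%%` followed by `if "%line%" EQU "%wrk%"`
    is a case-insensitive substring search over the space-joined group list."""
    return wanted.lower() in ' '.join(group_dns).lower()


def exact_match(group_dns, wanted):
    """Stricter test: wanted must equal a whole group DN or a whole CN value."""
    w = wanted.lower()
    return any(w == dn.lower() or w == cn_value(dn).lower() for dn in group_dns)


def allgroups(mode, wanted, matcher=substring_match,
              users_text=DSQUERY_USERS, memberof=DSGET_MEMBEROF, samids=DSGET_SAMID):
    """Return the '"DN"#"samid"' lines AllGroups.bat would print.
    /I: member of every group in wanted.  /N: missing at least one of them."""
    mode = mode.upper()
    if mode not in ('/I', '/N') or not wanted:
        raise ValueError('Syntax AllGroups /[I or N] Group1 [Group2 ... GroupN]')
    lines = []
    for user_dn in parse_dn_lines(users_text):
        groups = parse_dn_lines(memberof.get(user_dn, ''))
        hits = sum(1 for g in wanted if matcher(groups, g))   # the script's NI counter
        if (mode == '/I' and hits == len(wanted)) or (mode == '/N' and hits != len(wanted)):
            lines.append(f'"{user_dn}"#"{samids[user_dn]}"')
    return lines


def parse_allgroups_output(lines):
    """Consume the output as `for /f "Tokens=1* Delims=#"` does: split at the first '#'."""
    pairs = []
    for line in lines:
        dn, _, samid = line.partition('#')
        pairs.append((dn.strip('"'), samid.strip('"')))
    return pairs


if __name__ == '__main__':
    for mode in ('/I', '/N'):
        for label, m in (('substring (as in the .bat)', substring_match), ('exact', exact_match)):
            print(mode, label, parse_allgroups_output(allgroups(mode, ['CAD Users', 'Engineering'], m)))
    print('/I "Users" substring:', len(allgroups('/I', ['Users'])), 'users;',
          'exact:', len(allgroups('/I', ['Users'], exact_match)), 'users')
```

With the substring rule, "Engineering" also counts the hypothetical "Engineering Managers" group, so Jennifer appears under /I and disappears from /N; the exact rule reports her only under /N. Like the batch consumer, parse_allgroups_output splits at the first #, so a DN that itself contains # would be cut there.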