Using the Active Directory command-line tools, in a Windows 2000 domain, or Windows Server 2003
domain, and REWB.bat,
I have scripted AllGroups.bat to display a list of users who are members of all the groups you specify, or who are not
members of all the groups you specify.
The syntax for using AllGroups.bat is:
AllGroups /\[I or N\] Group1 \[Group2 ... GroupN\]
Where:
/I will display users who are members of all the GroupX that you specifiy.
/N will display users who are NOT members of all the GroupX that you specifiy.
GroupX is one or more groups, using either NetBIOS ("Domain Users"),
or Distinguished Name ("CN=Domain Users,CN=Users,DC=JSIINC,DC=COM") format,
as long as the string you enter is unique. It would not make sense to use User or Users,
as this string exists in all the Distinguished Names.
NOTE: All arguments are case insensitive.
NOTE: The output is displayed on the console in both Distinguished Name and SamID format, as in:
"CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"#"Jerry"
"CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM"#"Jennifer"
You can use this output in your own script, as in the following example:
for /f "Tokens=1* Delims=#" %%u in ('allgroups /n "CAD Users" "Engineering"') do call :process %%u %%v
...
...
goto :EOF
:process
...
...
NOTE: AllGroups.BAT uses recursion, so it will find indirect domain group membership.
If the Accounts Payables group is a member of the Accounting group,
members of the Accounts Payables group are also members of the Accounting group.
AllGroups.bat contains:
@echo off
if \{%2\}\{\} @echo Syntax AllGroups /\[I or N\] Group1 \[Group2 ... GroupN\]&goto :EOF
if /i \{%1\} EQU \{/I\} goto OK
if /i \{%1\} EQU \{/N\} goto OK
@echo Syntax AllGroups /\[I or N\] Group1 \[Group2 ... GroupN\]
goto :EOF
:OK
setlocal
set IorN=%1
shift
set /a cnt=0
:loop
if \{%1\}
\{\} goto start
set /a cnt=%cnt% + 1
set wrk=%1
call rewb %wrk% newwrk
set newwrk=%newwrk:"=%
set group%cnt%=%newwrk%
shift
goto loop
:start
set prevuser=N
for /f "Tokens=*" %%u in ('dsquery user domainroot -name *') do (
for /f "Tokens=*" %%b in ('dsget user %%u -memberof -expand') Do call :whatgrp %%u %%b
)
call :test
endlocal
goto :EOF
:whatgrp
set user=%1
set user=%user:"=%
set oldgrp=%2
call rewb %oldgrp% grp
set grp=%grp:"=%
if "%prevuser%" EQU "%user%" goto adduser
if "%prevuser%" EQU "N" goto newuser
call :test
:newuser
set prevuser=%user%
set line=%grp%
goto :EOF
:adduser
set line=%line% %grp%
goto :EOF
:test
set /a NI=0
for /l %%f in (1,1,%cnt%) do call set grpn=%%group%%f%%&call :test1
if /i "%IorN%" EQU "/I" If %NI% EQU %cnt% goto report
if /i "%IorN%" EQU "/N" if %NI% NEQ %cnt% goto report
goto :EOF
:report
for /f "Skip=1 Tokens=*" %%f in ('dsget user "%prevuser%" -samid') do call :report1 "%%f"
goto :EOF
:report1
If /i %1 EQU "dsget succeeded" goto :EOF
set samid=%1
set samid=%samid: "="%
set samid=%samid: "="%
@echo "%prevuser%"#%samid%
goto :EOF
:test1
call set wrk=%%line:%grpn%=%%
if "%line%" EQU "%wrk%" goto :EOF
set /a NI=%NI% + 1
0 comments
Hide comments
