Using the Active Directory command-line tools and the
primaryGroupID.bat batch, I have scripted
AllUsrSecGrp.bat to display all users security group membership,
including nested groups, in a semi-colon delimited format, like:
"User Distinguished Name";"Group Distinguished Name"
The syntax for using AllUsrSecGrp.bat is:
AllUsrSecGrp
AllUsrSecGrp.bat contains:
@echo off
setlocal ENABLEDELAYEDEXPANSION
if exist "%TEMP%\AllUsrSecGrp.TM1" del /q "%TEMP%\AllUsrSecGrp.TM1"
set qry1=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr primaryGroupID distinguishedName -limit 0
for /f "Skip=1 Tokens=1*" %%t in ('%qry1%') do (
set usr="%%u"
set usr=!usr: =!
set usr=!usr: "="!
call primaryGroupID %%t pgidn
for /f "Tokens=1" %%s in ('dsget group !pgidn! -secgrp^|find "yes"') do (
@echo !usr!;!pgidn!>>"%TEMP%\AllUsrSecGrp.TM1"
)
for /f "Tokens=*" %%g in ('dsget user !usr! -memberof -expand') do (
for /f "Tokens=1" %%s in ('dsget group %%g -secgrp^|find "yes"') do (
@echo !usr!;%%g>>"%TEMP%\AllUsrSecGrp.TM1"
)
)
)
if not exist "%TEMP%\AllUsrSecGrp.TM1" @echo No group membership&endlocal&goto :EOF
sort "%TEMP%\AllUsrSecGrp.TM1" /O "%TEMP%\AllUsrSecGrp.TM2"
del /q "%TEMP%\AllUsrSecGrp.TM1"
set prev=NONE
for /f "Tokens=*" %%u in ('type "%TEMP%\AllUsrSecGrp.TM2"') do (
set line=%%u
set line=!line:"=!
if "!prev!" NEQ "!line!" @echo %%u
set prev=!line!
)
del /q "%TEMP%\AllUsrSecGrp.TM2"
endlocal
0 comments
Hide comments
