Using the Active Directory command-line tools (dsquery and dsget) and the
primaryGroupID.bat batch, I have scripted
AllUsrSecGrp.bat to display every user's security group membership,
including nested groups, in a semicolon-delimited format, like:
"User Distinguished Name";"Group Distinguished Name"
Each user's primary group is reported as well: the memberOf attribute never lists it, so the script calls primaryGroupID.bat to resolve the primaryGroupID value (a RID) to that group's distinguished name. Distribution groups are skipped, and the output is sorted with duplicate lines removed. primaryGroupID.bat must be in the current directory or on the PATH, and dsquery/dsget must be installed (they ship with the AD DS tools).
The syntax for using AllUsrSecGrp.bat is:
AllUsrSecGrp
AllUsrSecGrp.bat contains:
@echo off
setlocal ENABLEDELAYEDEXPANSION
if exist "%TEMP%\AllUsrSecGrp.TM1" del /q "%TEMP%\AllUsrSecGrp.TM1"
REM Every user object, returning its primaryGroupID (a RID) and distinguished name; -limit 0 returns all of them.
set qry1=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr primaryGroupID distinguishedName -limit 0
for /f "Skip=1 Tokens=1*" %%t in ('%qry1%') do (
 REM %%t is the primaryGroupID, %%u the distinguished name padded with trailing spaces.
 set usr="%%u"
 REM Strip the column padding: remove pairs of spaces, then the single space left before the closing quote.
 REM The first replace removes two spaces at a time; removing single spaces would also strip the spaces inside a DN.
 set usr=!usr:  =!
 set usr=!usr: "="!
 REM primaryGroupID.bat resolves the RID to the primary group's distinguished name, which memberOf never lists.
 call primaryGroupID %%t pgidn
 REM Keep the primary group only if dsget reports it as a security group.
 REM Redirection is placed first so a DN ending in a digit is not read as a file handle by the >> operator.
 for /f "Tokens=1" %%s in ('dsget group !pgidn! -secgrp^|find "yes"') do (
  >>"%TEMP%\AllUsrSecGrp.TM1" echo !usr!;!pgidn!
 )
 REM -expand walks nested group membership; again keep only security groups.
 for /f "Tokens=*" %%g in ('dsget user !usr! -memberof -expand') do (
  for /f "Tokens=1" %%s in ('dsget group %%g -secgrp^|find "yes"') do (
   >>"%TEMP%\AllUsrSecGrp.TM1" echo !usr!;%%g
  )
 )
)
if not exist "%TEMP%\AllUsrSecGrp.TM1" @echo No group membership&endlocal&goto :EOF
REM Sort, then drop duplicate lines (the same group can be reached through more than one nesting path).
sort "%TEMP%\AllUsrSecGrp.TM1" /O "%TEMP%\AllUsrSecGrp.TM2"
del /q "%TEMP%\AllUsrSecGrp.TM1"
set prev=NONE
for /f "Tokens=*" %%u in ('type "%TEMP%\AllUsrSecGrp.TM2"') do (
 set line=%%u
 REM Compare with the quotes removed so the quoted DNs do not break the if.
 set line=!line:"=!
 if "!prev!" NEQ "!line!" @echo %%u
 set prev=!line!
)
del /q "%TEMP%\AllUsrSecGrp.TM2"
endlocal
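As an added example (not the original script and not its author's code), the same report in PowerShell, with the directory lookups separated from the logic so it runs against a constructed in-memory sample instead of a domain. The names $SampleDirectory, Get-UserSecurityGroupReport, the corp.example domain and its SID are assumptions. It makes explicit what dsquery/dsget do for you: the primary group is found by SID (domain SID plus the primaryGroupID RID), nested membership is walked transitively with a cycle guard, and a group counts as a security group when bit 0x80000000 of groupType is set, which is what "dsget group -secgrp" reports.

```powershell
# Added example, not the original AllUsrSecGrp.bat. All directory objects below are constructed sample data.
$DomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # assumed sample domain SID

# Distinguished name -> the attributes the report needs (objectClass, objectSid, groupType, primaryGroupID, memberOf).
$SampleDirectory = @{
    'CN=Domain Users,CN=Users,DC=corp,DC=example'     = @{ Class='group'; Sid="$DomainSid-513";  GroupType=-2147483646; MemberOf=@() }
    'CN=Domain Admins,CN=Users,DC=corp,DC=example'    = @{ Class='group'; Sid="$DomainSid-512";  GroupType=-2147483646; MemberOf=@('CN=Administrators,CN=Builtin,DC=corp,DC=example') }
    'CN=Administrators,CN=Builtin,DC=corp,DC=example' = @{ Class='group'; Sid='S-1-5-32-544';    GroupType=-2147483643; MemberOf=@() }
    'CN=Helpdesk,OU=Groups,DC=corp,DC=example'        = @{ Class='group'; Sid="$DomainSid-1105"; GroupType=-2147483646; MemberOf=@('CN=Domain Admins,CN=Users,DC=corp,DC=example') }
    'CN=All Staff,OU=Groups,DC=corp,DC=example'       = @{ Class='group'; Sid="$DomainSid-1106"; GroupType=2;           MemberOf=@() }   # distribution group: must be excluded
    'CN=Jane Doe,OU=Staff,DC=corp,DC=example'         = @{ Class='user'; PrimaryGroupID=513; MemberOf=@('CN=Helpdesk,OU=Groups,DC=corp,DC=example', 'CN=All Staff,OU=Groups,DC=corp,DC=example') }
    'CN=svc-backup,OU=Service,DC=corp,DC=example'     = @{ Class='user'; PrimaryGroupID=512; MemberOf=@() }   # admin only via primary group; memberOf is empty
}

function Test-SecurityGroup([int]$GroupType) {
    # Bit 31 (0x80000000) of groupType marks a security-enabled group; distribution groups lack it.
    return (($GroupType -band 0x80000000) -ne 0)
}

function Resolve-PrimaryGroupDn($Directory, [string]$DomainSid, [int]$Rid) {
    # primaryGroupID is only a RID; the group's SID is <domain SID>-<RID>. memberOf never lists this group.
    $sid = "$DomainSid-$Rid"
    foreach ($entry in $Directory.GetEnumerator()) {
        if ($entry.Value.Class -eq 'group' -and $entry.Value.Sid -eq $sid) { return $entry.Key }
    }
    return $null
}

function Get-NestedGroupDns($Directory, [string[]]$StartDns) {
    # Transitive walk of memberOf (what "dsget user -memberof -expand" does), with a seen-set so group cycles terminate.
    $seen  = New-Object System.Collections.Generic.HashSet[string]
    $queue = New-Object System.Collections.Generic.Queue[string]
    foreach ($dn in $StartDns) { $queue.Enqueue($dn) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }          # already expanded
        $obj = $Directory[$dn]
        if ($null -eq $obj) { continue }               # dangling reference: skip rather than fail
        foreach ($parent in $obj.MemberOf) { $queue.Enqueue($parent) }
    }
    return @($seen)
}

function Get-UserSecurityGroupReport($Directory, [string]$DomainSid) {
    # One line per (user, security group) pair, in the batch script's "User DN";"Group DN" format, deduplicated and sorted.
    $rows = New-Object System.Collections.Generic.HashSet[string]
    foreach ($entry in $Directory.GetEnumerator()) {
        if ($entry.Value.Class -ne 'user') { continue }
        $userDn = $entry.Key
        $starts = @($entry.Value.MemberOf)
        $primary = Resolve-PrimaryGroupDn $Directory $DomainSid $entry.Value.PrimaryGroupID
        if ($primary) { $starts += $primary }
        foreach ($groupDn in (Get-NestedGroupDns $Directory $starts)) {
            $group = $Directory[$groupDn]
            if ($group -and (Test-SecurityGroup $group.GroupType)) {
                [void]$rows.Add(('"{0}";"{1}"' -f $userDn, $groupDn))
            }
        }
    }
    return @($rows | Sort-Object)
}

Get-UserSecurityGroupReport $SampleDirectory $DomainSid
```

On the sample, Jane Doe gets four lines (Domain Users, Helpdesk, Domain Admins, Administrators) and All Staff is dropped as a distribution group; svc-backup gets Domain Admins and Administrators even though its memberOf is empty, which is the case the primary-group step exists for and the case a memberOf-only report misses. To run it against a real domain, build the same hashtable from Get-ADObject -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' -Properties primaryGroupID,memberOf,groupType,objectSid and take the domain SID from (Get-ADDomain).DomainSID.Value, both from the ActiveDirectory module.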