JSI Tip 9244. How can I generate a CSV file of all domain group membership?

Using the Active Directory command-line tools , UserPGID.bat, and primaryGroupID.bat, I have scripted GroupMembers.bat to generate a CSV (Comma Separated Value) file of all domain group membership.

The syntax for using GroupMembers.bat is:

GroupMembers CSVFile

Where CSVFile is the path to a file that will contain the following information:

"Domain Group","SecDist","Scope","User or Group","MbrType"

Where:

"Domain Group"    is the distinguished name of a domain group.

"SecDist"         is a Y if the "Domain Group" is a security group or an N if it is distribution group.

"Scope"           is the group scope: G - Global, L - Domain Local, U - Universal.

"User or Group"   is the distinguished name of a "Domain Group" member.

"MbrType"        is a U if the "Domain Group" member is a user, or a G if the "Domain Group" member is a group.

Partial Sample:

"CN=accountants,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","G" "CN=accountants,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM","U" "CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM","U"
GroupMembers.bat contains:
@echo off
if \{%1\}==\{\} @echo Syntax GroupMembers CSVFile&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
set report=%1
if exist %report% del /q %report%
set wrk="%TEMP%\GroupMembers_%RANDOM%.TMP"
if exist %wrk% del /q %wrk%
for /f "Tokens=*" %%g in ('dsquery group domainroot -name * -LIMIT 0') do (
 for /f "Tokens=*" %%d in ('dsget group %%g -secgrp -scope -L^|findstr /i "secgrp: scope:" ') do (
  set wrk1=%%d
  if /i "!wrk1:~0,7!" EQU "scope: " set scope=!wrk1:~7!
  if /i "!wrk1:~0,8!" EQU "secgrp: " set grp=!wrk1:~8!
 )
 if /i "!grp!" EQU "yes" (set grp=Y) ELSE (set grp=N)
 if /i "!scope:~0,1!" EQU "g" set scope=G
 if /i "!scope:~0,1!" EQU "u" set scope=U
 if /i "!scope:~0,1!" EQU "d" set scope=L
  for /f "Tokens=*" %%m in ('dsget group %%g -members') do (
   set mbr=%%m
   set mbr=!mbr:"=!
   for /f "Tokens=*" %%t in ('dsquery * domainroot -filter "(&(distinguishedName=!mbr!))" -attr objectClass -L^|Findstr /I /L "user group"') do (
    set ug=%%t
    set ug=!ug:user=U!
    set ug=!ug:group=G!
    @echo %%g,"!grp!","!scope!",%%m,"!ug!">>%wrk%
   )
  )
)
for /f "Tokens=1* Delims=#" %%g in ('call UserPgid') do (
 for /f "Tokens=*" %%d in ('dsget group %%g -secgrp -scope -L^|findstr /i "secgrp: scope:" ') do (
  set wrk1=%%d
  if /i "!wrk1:~0,7!" EQU "scope: " set scope=!wrk1:~7!
  if /i "!wrk1:~0,8!" EQU "secgrp: " set grp=!wrk1:~8!
 )
 if /i "!grp!" EQU "yes" (set grp=Y) ELSE (set grp=N)
 if /i "!scope:~0,1!" EQU "g" set scope=G
 if /i "!scope:~0,1!" EQU "u" set scope=U
 if /i "!scope:~0,1!" EQU "d" set scope=L
 @echo %%g,"!grp!","!scope!",%%h,"U">>%wrk%
) 
sort %wrk% /O %report%
del /q %wrk%
endlocal



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish