JSI Tip 7409. How can I display all the User accounts who are members of all / not members of all specified groups?

Using the Active Directory command-line tools, in a Windows 2000 domain, or Windows Server 2003 domain, and REWB.bat, I have scripted AllGroups.bat to display a list of users who are members of all the groups you specify, or who are not members of all the groups you specify.

The syntax for using AllGroups.bat is:

AllGroups /[I or N] Group1 [Group2 ... GroupN]


/I        will display users who are members of all the GroupX that you specify.

/N        will display users who are NOT members of all the GroupX that you specify.

GroupX    is one or more groups, using either NetBIOS ("Domain Users"),
          or Distinguished Name ("CN=Domain Users,CN=Users,DC=JSIINC,DC=COM") format,
          as long as the string you enter is unique, because the script matches it as a substring
          of each group's Distinguished Name. It would not make sense to use User or Users,
          as this string exists in all the Distinguished Names.

NOTE: All arguments are case insensitive.

NOTE: The output is displayed on the console in both Distinguished Name and SamID format, as in:
"CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"#"Jerry"
"CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM"#"Jennifer"

You can use this output in your own script, as in the following example:

for /f "Tokens=1* Delims=#" %%u in ('allgroups /n "CAD Users" "Engineering"') do call :process %%u %%v
goto :EOF

NOTE: AllGroups.BAT uses recursion, so it will find indirect domain group membership.
      If the Accounts Payables group is a member of the Accounting group,
      members of the Accounts Payables group are also members of the Accounting group.
AllGroups.bat contains:

@echo off
if {%2}=={} @echo Syntax AllGroups /[I or N] Group1 [Group2 ... GroupN]&goto :EOF
if /i {%1} EQU {/I} goto OK
if /i {%1} EQU {/N} goto OK
@echo Syntax AllGroups /[I or N] Group1 [Group2 ... GroupN]
goto :EOF
:OK
setlocal
set IorN=%1
shift
set /a cnt=0
:loop
if {%1}=={} goto start
set /a cnt=%cnt% + 1
set wrk=%1
call rewb %wrk% newwrk
set newwrk=%newwrk:"=%
set group%cnt%=%newwrk%
shift
goto loop
:start
set prevuser=N
for /f "Tokens=*" %%u in ('dsquery user domainroot -name *') do (
 for /f "Tokens=*" %%b in ('dsget user %%u -memberof -expand') Do call :whatgrp %%u %%b
)
call :test
endlocal
goto :EOF
:whatgrp
set user=%1
set user=%user:"=%
set oldgrp=%2
call rewb %oldgrp% grp
set grp=%grp:"=%
if "%prevuser%" EQU "%user%" goto adduser
if "%prevuser%" EQU "N" goto newuser
call :test
:newuser
set prevuser=%user%
set line=%grp%
goto :EOF
:adduser
set line=%line% %grp%
goto :EOF
:test
set /a NI=0
for /l %%f in (1,1,%cnt%) do call set grpn=%%group%%f%%&call :test1
if /i "%IorN%" EQU "/I" If %NI% EQU %cnt% goto report
if /i "%IorN%" EQU "/N" if %NI% NEQ %cnt% goto report
goto :EOF
:report
for /f "Skip=1 Tokens=*" %%f in ('dsget user "%prevuser%" -samid') do call :report1 "%%f"
goto :EOF
:report1
If /i %1 EQU "dsget succeeded" goto :EOF
set samid=%1
set samid=%samid: "="%
set samid=%samid: "="%
@echo "%prevuser%"#%samid%
goto :EOF
:test1
call set wrk=%%line:%grpn%=%%
if "%line%" EQU "%wrk%" goto :EOF
set /a NI=%NI% + 1
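The following is an added example, not part of this tip and not part of AllGroups.bat or REWB.bat. It reimplements the /I and /N selection logic in Python over constructed sample data shaped like the output of the DS tools the script calls (one quoted group DN per line from dsget user -memberof -expand, a SAM account name from dsget user -samid), so you can check the selection rules offline before running the real script against a domain. It goes one step beyond the tip: besides a "substring" match mode that mirrors how AllGroups.bat tests membership (string replacement on the joined group list), it offers an "exact" mode that compares a whole DN or a whole CN, so a non-unique string such as "Users" no longer matches every group. The user and group names in SAMPLE_MEMBEROF and SAMPLE_SAMID are constructed for the example.

```python
"""Added example (not part of the original tip or of AllGroups.bat):
the /I and /N selection logic of AllGroups.bat over constructed
dsget-style sample data, with exact or substring group matching."""

# Constructed sample: user DN -> lines as 'dsget user <DN> -memberof -expand'
# would return them. -expand already includes nested group membership,
# which is how the batch script reports indirect membership.
SAMPLE_MEMBEROF = {
    "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM": [
        '"CN=Domain Users,CN=Users,DC=JSIINC,DC=COM"',
        '"CN=CAD Users,CN=Users,DC=JSIINC,DC=COM"',
        '"CN=Engineering,CN=Users,DC=JSIINC,DC=COM"',
    ],
    "CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM": [
        '"CN=Domain Users,CN=Users,DC=JSIINC,DC=COM"',
        '"CN=CAD Users,CN=Users,DC=JSIINC,DC=COM"',
    ],
    "CN=Guest Account,CN=Users,DC=JSIINC,DC=COM": [
        '"CN=Domain Users,CN=Users,DC=JSIINC,DC=COM"',
    ],
}

# Constructed sample: user DN -> sAMAccountName, as 'dsget user <DN> -samid' returns it.
SAMPLE_SAMID = {
    "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM": "Jerry",
    "CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM": "Jennifer",
    "CN=Guest Account,CN=Users,DC=JSIINC,DC=COM": "guest1",
}


def parse_memberof(lines):
    """Strip the quotes dsget puts around each DN and drop blank lines."""
    return [ln.strip().strip('"') for ln in lines if ln.strip()]


def rdn_value(dn):
    """First RDN value of a DN: 'Domain Users' from 'CN=Domain Users,CN=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def group_matches(group_dn, spec, match_mode):
    """Does the command-line argument 'spec' name this group?
    exact:     spec equals the whole DN or the whole CN (NetBIOS-style name).
    substring: spec occurs anywhere in the DN (what AllGroups.bat does).
    Comparison is case-insensitive, as with the DS tools."""
    g, s = group_dn.lower(), spec.lower()
    if match_mode == "exact":
        return s == g or s == rdn_value(group_dn).lower()
    if match_mode == "substring":
        return s in g
    raise ValueError("match_mode must be 'exact' or 'substring'")


def select_users(switch, groups, memberof=SAMPLE_MEMBEROF, samid=SAMPLE_SAMID,
                 match_mode="exact"):
    """Return '"userDN"#"samid"' lines in AllGroups.bat's output format.
    /I: users that are members of every group in 'groups'.
    /N: users that are NOT members of every group (missing at least one)."""
    switch = switch.upper()
    if switch not in ("/I", "/N") or not groups:
        raise ValueError("Syntax AllGroups /[I or N] Group1 [Group2 ... GroupN]")
    out = []
    for user_dn, lines in memberof.items():
        user_groups = parse_memberof(lines)
        # Member of all requested groups when every spec matches at least one group.
        in_all = all(any(group_matches(g, spec, match_mode) for g in user_groups)
                     for spec in groups)
        if (switch == "/I") == in_all:
            out.append('"%s"#"%s"' % (user_dn, samid[user_dn]))
    return out


if __name__ == "__main__":
    # Same call as the tip's usage example: allgroups /n "CAD Users" "Engineering"
    for line in select_users("/N", ["CAD Users", "Engineering"]):
        print(line)
```

With the sample data, /N "CAD Users" "Engineering" reports Jennifer and the guest account (each is missing at least one of the two groups), while /I reports only Jerold. The difference between the two match modes shows up with the argument "Users": in substring mode it matches every group, so /I "Users" reports every user, exactly the pitfall the tip warns about; in exact mode it matches no group at all.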
