Using the Active Directory command-line tools, UserPGID.bat, and primaryGroupID.bat, I have scripted GroupMembers.bat to generate a CSV (Comma Separated Value) file of all domain group membership.
The syntax for using GroupMembers.bat is:
GroupMembers CSVFile
Where CSVFile is the path to a file that will contain the following information:
"Domain Group","SecDist","Scope","User or Group","MbrType"
Where:
"Domain Group" is the distinguished name of a domain group.
"SecDist" is a Y if the "Domain Group" is a security group or an N if it is a distribution group.
"Scope" is the group scope: G - Global, L - Domain Local, U - Universal.
"User or Group" is the distinguished name of a "Domain Group" member.
"MbrType" is a U if the "Domain Group" member is a user, or a G if the "Domain Group" member is a group.
Partial Sample:
"CN=accountants,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","G"
"CN=accountants,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM","U"
"CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM","U"
GroupMembers.bat contains:
@echo off
if {%1}=={} @echo Syntax GroupMembers CSVFile&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
set report=%1
if exist %report% del /q %report%
set wrk="%TEMP%\GroupMembers_%RANDOM%.TMP"
if exist %wrk% del /q %wrk%
rem Pass 1: for every domain group, read its type and scope, then list its members.
for /f "Tokens=*" %%g in ('dsquery group domainroot -name * -LIMIT 0') do (
 for /f "Tokens=*" %%d in ('dsget group %%g -secgrp -scope -L^|findstr /i "secgrp: scope:" ') do (
  set wrk1=%%d
  if /i "!wrk1:~0,7!" EQU "scope: " set scope=!wrk1:~7!
  if /i "!wrk1:~0,8!" EQU "secgrp: " set grp=!wrk1:~8!
 )
 if /i "!grp!" EQU "yes" (set grp=Y) ELSE (set grp=N)
 if /i "!scope:~0,1!" EQU "g" set scope=G
 if /i "!scope:~0,1!" EQU "u" set scope=U
 if /i "!scope:~0,1!" EQU "d" set scope=L
 for /f "Tokens=*" %%m in ('dsget group %%g -members') do (
  set mbr=%%m
  set mbr=!mbr:"=!
  for /f "Tokens=*" %%t in ('dsquery * domainroot -filter "(&(distinguishedName=!mbr!))" -attr objectClass -L^|Findstr /I /L "user group"') do (
   set ug=%%t
   set ug=!ug:user=U!
   set ug=!ug:group=G!
   @echo %%g,"!grp!","!scope!",%%m,"!ug!">>%wrk%
  )
 )
)
rem Pass 2: add the group#user pairs returned by UserPgid (%%g = group, %%h = user).
for /f "Tokens=1* Delims=#" %%g in ('call UserPgid') do (
 for /f "Tokens=*" %%d in ('dsget group %%g -secgrp -scope -L^|findstr /i "secgrp: scope:" ') do (
  set wrk1=%%d
  if /i "!wrk1:~0,7!" EQU "scope: " set scope=!wrk1:~7!
  if /i "!wrk1:~0,8!" EQU "secgrp: " set grp=!wrk1:~8!
 )
 if /i "!grp!" EQU "yes" (set grp=Y) ELSE (set grp=N)
 if /i "!scope:~0,1!" EQU "g" set scope=G
 if /i "!scope:~0,1!" EQU "u" set scope=U
 if /i "!scope:~0,1!" EQU "d" set scope=L
 @echo %%g,"!grp!","!scope!",%%h,"U">>%wrk%
)
rem Sort the work file into the report and clean up.
sort %wrk% /O %report%
del /q %wrk%
endlocal
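The report lists group-in-group rows (MbrType G) as well as direct users, so an access review has to follow those rows to see who effectively belongs to a group. The Python below is an added example, not part of GroupMembers.bat: the function names are assumptions, the first three sample rows are the partial sample above, and the fourth row is constructed to show circular nesting.

```python
import csv
import io
from collections import defaultdict

# Rows 1-3 are the page's partial sample; row 4 is constructed to create a
# circular nesting (Accounts Payables -> accountants), which AD permits.
SAMPLE = '''\
"CN=accountants,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","G"
"CN=accountants,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM","U"
"CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=Jennifer Schulman,CN=Users,DC=JSIINC,DC=COM","U"
"CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM","Y","G","CN=accountants,CN=Users,DC=JSIINC,DC=COM","G"
'''

def load_report(stream):
    """Return {group DN (lowercased): [(member DN, MbrType), ...]}."""
    members = defaultdict(list)
    for row in csv.reader(stream):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        group, _secdist, _scope, member, mbr_type = row
        members[group.lower()].append((member, mbr_type.upper()))
    return members

def effective_users(members, group_dn):
    """Map each user reachable from group_dn to the group chain granting it."""
    found = {}
    seen = set()
    stack = [(group_dn, [group_dn])]
    while stack:
        dn, path = stack.pop()
        if dn.lower() in seen:
            continue  # already expanded; this also breaks circular nesting
        seen.add(dn.lower())
        for member, mbr_type in members.get(dn.lower(), []):
            if mbr_type == "U":
                found.setdefault(member, path)
            elif mbr_type == "G":
                stack.append((member, path + [member]))
    return found

if __name__ == "__main__":
    report = load_report(io.StringIO(SAMPLE))
    target = "CN=accountants,CN=Users,DC=JSIINC,DC=COM"
    for user, path in sorted(effective_users(report, target).items()):
        print(user, "via", " -> ".join(path))
```

To run it against a real report, pass `open(CSVFile, newline="")` to `load_report` in place of the embedded sample.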