Re: Returning only a subset of groups in AD
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 May 2008 19:08:35 -0500
"KarenI" <karen@xxxxxxxxxxxxxx> wrote in message
news:c1c3c36e-12bf-4627-9968-8de0ef3232a8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I found a script online by Neil Hobson to output the members of all
groups. I'd like to modify that to include only a certain subset, all
of which have similar names. When I tried this, however, I /still/
get all groups, and I'm really new to scripting so I don't know why
and would appreciate any suggestions as to threads on the group to
read, references, URLs, etc.:
Set ADSIResult = ADSICommand.Execute
Do While not ADSIResult.EOF
set ADSIName = (left(ADSIResult.Fields("Name").Value, 25))
set targetname = "XXXXXX xx-xxXXX XXXXXxxXXXxxx"
mycomp = strcomp(ADSIName, targetname, 1)
if mycomp = 0 then
'wscript.echo "matches"
'Left(budgetcode,4)
Output.WriteLine
Output.WriteLine
Output.WriteLine "Group: " & ADSIResult.Fields("name").Value
Output.WriteLine "==============================================================="
Set GetDN = GetObject("LDAP://" & ADSIResult.Fields("distinguishedName").Value)
strAllValues = GetDN.GetEx("member")
iGroupCount = 0
For each strValue in strAllValues
If Len(strValue) = 0 Then
Output.WriteLine "There are no members in this group."
Else
iGroupCount = iGroupCount + 1
If objArgs(0)<>"-dn" Then
Output.WriteLine strValue
Else
Call Stripper(strValue)
Output.WriteLine tmp
End If
End If
Next
Output.WriteLine "Total members in group: " & iGroupCount
Set strAllValues = Nothing
ADSIResult.MoveNext
I assume that ADSICommand is an ADO command object, but we don't see the
value assigned to the CommandText property, which is the ADO query. In any
case, the query should return the value of the "member" attribute of the
group objects, so there should not be a need to bind to all of the group
objects. The extra binding slows down the script.
If all of the groups have similar names, it might be possible to design a
filter that only retrieves values for the groups you want. For example, you
could retrieve information on all groups with the text "test" in the Common
Name of the group. The ADO query should specify to return not just the
distinguishedName attribute, but also the member attribute of the group
objects. I would suggest code similar to below:
============
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset
Dim strDN, strNTName, arrMembers, strMember
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on group objects where the Common Name
' contains the string "test".
strFilter = "(&(objectCategory=group)(cn=*test*))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName,member"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strDN = adoRecordset.Fields("distinguishedName").Value
    strNTName = adoRecordset.Fields("sAMAccountName").Value
    ' Output DN and NT name of group.
    Wscript.Echo "Group: " & strNTName & " - DN: " & strDN
    ' Retrieve direct group membership and display.
    arrMembers = adoRecordset.Fields("member").Value
    If IsNull(arrMembers) Then
        Wscript.Echo "-- No members"
    Else
        For Each strMember In arrMembers
            Wscript.Echo "-- " & strMember
        Next
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
============
For more on using ADO to retrieve information from AD see this link:
http://www.rlmueller.net/ADOSearchTips.htm
To only get info on certain groups you need to design the clause that
restricts by group name, either the Common Name (value of the cn attribute)
or NT name (also called the NetBIOS name, the value of the sAMAccountName
attribute). If all names start with "engr", the clause could be:
(cn=engr*)
If all names end with "dept" the clause could be:
(cn=*dept)
The values are not case sensitive. If you want to count the number of
members it is easy to increment a counter in the For Next loop, and reset
the counter for each group.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
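
Added example, not part of the post above: one way to build the name-restricting clause from a group-name fragment while escaping the characters that are special in an LDAP search filter (RFC 4515), so that a fragment containing "(", ")", "*" or "\" is matched literally and an empty fragment cannot silently widen the search to every group. The function names and the mode strings are hypothetical, chosen for this illustration; the script only prints filter strings and needs no directory connection.

```vbscript
Option Explicit

' Escape RFC 4515 filter metacharacters in a value.
' (Hypothetical helper written for this example.)
Function EscapeLdapFilterValue(strValue)
    Dim strOut
    ' Backslash first, otherwise the escapes added below get re-escaped.
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    EscapeLdapFilterValue = strOut
End Function

' Build a group filter on the Common Name.
' strMode is "prefix", "suffix" or "contains" (names assumed for this example).
Function BuildGroupFilter(strFragment, strMode)
    Dim strSafe, strClause
    ' An empty fragment would produce (cn=*), which matches all groups.
    If Len(strFragment) = 0 Then
        Err.Raise vbObjectError + 1, "BuildGroupFilter", _
            "Empty name fragment would match every group"
    End If
    strSafe = EscapeLdapFilterValue(strFragment)
    Select Case LCase(strMode)
        Case "prefix"
            strClause = "(cn=" & strSafe & "*)"
        Case "suffix"
            strClause = "(cn=*" & strSafe & ")"
        Case "contains"
            strClause = "(cn=*" & strSafe & "*)"
        Case Else
            Err.Raise vbObjectError + 2, "BuildGroupFilter", _
                "Unknown mode: " & strMode
    End Select
    BuildGroupFilter = "(&(objectCategory=group)" & strClause & ")"
End Function

' The three patterns discussed in the post.
Wscript.Echo BuildGroupFilter("engr", "prefix")
Wscript.Echo BuildGroupFilter("dept", "suffix")
Wscript.Echo BuildGroupFilter("test", "contains")
' Constructed sample name containing filter metacharacters.
Wscript.Echo BuildGroupFilter("Ops (EMEA)", "prefix")
```

The returned string can be assigned to strFilter in the script above in place of the hard-coded filter.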