Re: An application, script, or AD Saved query that ...
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 30 Aug 2006 21:10:53 -0400
You are going to have to script this. It is a multi-step operation as you can't create a query that says give me all users who aren't in a mail enabled group.
First off, note that if we are talking about Exchange, security groups can and often are mail enabled even if the Admins didn't set it up that way. If ANYONE, yes, I mean ANYONE including non-admin anyone's decides to use a DL for securing something in a mailbox or public folder, Exchange will security enable the group.
So the most efficient way I can visualize this is that your script will need to find all members of all mail enabled groups. You will do this with one or more queries. If you have a single domain or at least a single domain that is Exchange enabled then you can use a single query. If you have multiple domains it is safest to use multiple queries, one for each domain. While the standard is to use Universal groups for DLs, it isn't required nor enforced by the OS. If all you care about are Universal groups, then you can do a single query against a GC.
The query itself will be from the root of namespace you are searching and should have a filter of the type
(&(objectcategory=group)(proxyaddresses=*))
and you will want to return the member attribute. Then you will enumerate the members and stick them in a hash/dictionary/whatever it is called in the scripting language you use; basically you want an associative array. Why? Because users could be duplicated and you want to weed things down to unique members.
Once that is done you will retrieve a list of all users and check their DNs against the DNs in the hash. Any DNs that aren't in the hash are users who aren't in an Exchange mail enabled group.
Now there is an alternate way of doing this if you are using universal groups OR you have a single Exchange enabled domain. It uses a new trick on Windows Server 2003 AD called Attribute Scoped Queries. Unfortunately you cannot do it from ADSI/WMI scripts. You have to call out to an exe that can do it or write your own (probably .NET EXE - See Joe Kaplan's and Ryan Dunn's excellent book on the subject). With an ASQ query you could have a script that hits a GC and runs through all users and does an ASQ query for each user against the memberof attribute returning any groups that have a proxyaddresses value. An example to do this with a single user follows
G:\Temp>adfind -e -b CN=$joe,CN=Users,DC=joe,DC=com -s base -asq memberof -f proxyaddresses=* -dn
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
dn:CN=TestMailDL,OU=MailGroups,OU=joeware2,OU=Exchange,DC=joe,DC=com
dn:CN=NestGroup,OU=RuleCheck,OU=joeware2,OU=Exchange,DC=joe,DC=com
dn:CN=NestGroup2,OU=RuleCheck,OU=joeware2,OU=Exchange,DC=joe,DC=com
dn:CN=NestGroup3,OU=RuleCheck,OU=joeware2,OU=Exchange,DC=joe,DC=com
4 Objects returned
If I just dump the memberof attribute for that user it looks like
G:\Temp>adfind -e -b CN=$jricha34,CN=Users,DC=joe,DC=com -s base memberof
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
dn:CN=$joe,CN=Users,DC=joe,DC=com
>memberOf: CN=CHILDTESTUG,CN=Users,DC=child1,DC=joe,DC=com
>memberOf: CN=testlocalgroup,CN=Users,DC=joe,DC=com
>memberOf: CN=NestGroup3,OU=RuleCheck,OU=joeware2,OU=Exchange,DC=joe,DC=com
>memberOf: CN=NestGroup2,OU=RuleCheck,OU=joeware2,OU=Exchange,DC=joe,DC=com
>memberOf: CN=NestGroup,OU=RuleCheck,OU=joeware2,OU=Exchange,DC=joe,DC=com
>memberOf: CN=TestMailDL,OU=MailGroups,OU=joeware2,OU=Exchange,DC=joe,DC=com
>memberOf: CN=Domain Admins,CN=Users,DC=joe,DC=com
>memberOf: CN=Schema Admins,CN=Users,DC=joe,DC=com
>memberOf: CN=Enterprise Admins,CN=Users,DC=joe,DC=com
1 Objects returned
Obviously if you use the ASQ mechanism, any users who don't return DNs for groups aren't in any mail enabled groups.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Eric B wrote:
Sorry, this is a repost with added information only because I really am stumped!
Is there a way to determine which users are not a part of any distribution group? That is, they may be a part of a security group, but not a part of any distribution group for the purpose of e-mail. We want to be able to find these users, and then put them in their proper group. We have 500+ users.
To ensure that when HR sends out email to all contractors we normally add the contractor user account to the DL ==> Contractor.
The same applies to different departments, etc. However, we have been informed that some users do not receive the emails sent out. Upon further investigation it was found that these particular individuals were not a part of any email DL (happens when you have too many hands in the kitty).
What we need:
An application, script, or AD Saved query that will show us all users who do not belong to any Distribution List/Group what-so-ever.
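The multi-step procedure Joe lays out above (query every group that has a proxyAddresses value, collect the member DNs into an associative array so duplicates collapse, then walk the user list and report the DNs that never appeared) as an added, runnable Python example. This is not code from the original post or from AdFind; it replaces the live LDAP search with a constructed in-memory directory shaped like search results (DN mapped to attributes, all DNs and addresses are made-up assumptions), and it goes one step beyond the post by expanding a member that is itself a group, so users reached only through a nested group are not misreported.

```python
"""Find users who are not members of any mail-enabled group.

Added example, not code from the original post. Step 1 mirrors the
filter (&(objectcategory=group)(proxyaddresses=*)) and returns the member
attribute; the member DNs go into a set (the hash/associative array from
the post) so a user listed in several DLs counts once. Step 2 lists all
users and reports the DNs absent from that set. Nested groups are
expanded, which the post's direct-member query alone does not do.
"""

from collections import deque

# Constructed directory standing in for LDAP search results. Every entry
# is a DN mapped to its attributes; the DNs and addresses are assumptions.
DIRECTORY = {
    "CN=TestMailDL,OU=MailGroups,DC=example,DC=com": {
        "objectCategory": "group",
        "proxyAddresses": ["SMTP:testmaildl@example.com"],
        "member": [
            "CN=alice,CN=Users,DC=example,DC=com",
            "CN=NestGroup,OU=RuleCheck,DC=example,DC=com",
        ],
    },
    "CN=NestGroup,OU=RuleCheck,DC=example,DC=com": {
        "objectCategory": "group",
        # not mail enabled itself, but nested inside TestMailDL
        "member": [
            "CN=bob,CN=Users,DC=example,DC=com",
            "CN=alice,CN=Users,DC=example,DC=com",  # duplicate on purpose
        ],
    },
    "CN=SecurityOnly,CN=Users,DC=example,DC=com": {
        "objectCategory": "group",  # plain security group, no proxyAddresses
        "member": ["CN=carol,CN=Users,DC=example,DC=com"],
    },
    "CN=alice,CN=Users,DC=example,DC=com": {"objectCategory": "person"},
    "CN=bob,CN=Users,DC=example,DC=com": {"objectCategory": "person"},
    "CN=carol,CN=Users,DC=example,DC=com": {"objectCategory": "person"},
    "CN=dave,CN=Users,DC=example,DC=com": {"objectCategory": "person"},
}


def search(directory, category, attribute=None):
    """Stand-in for an LDAP subtree search: DNs whose objectCategory
    matches and, when an attribute is named, that carry a value for it."""
    return [dn for dn, attrs in directory.items()
            if attrs.get("objectCategory") == category
            and (attribute is None or attrs.get(attribute))]


def members_of_mail_enabled_groups(directory):
    """Step 1: unique member DNs of every mail-enabled group.

    Groups are expanded breadth-first; seen_groups stops a membership
    cycle (A member of B, B member of A) from looping forever."""
    covered = set()
    seen_groups = set()
    queue = deque(search(directory, "group", "proxyAddresses"))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen_groups:
            continue
        seen_groups.add(group_dn)
        for member_dn in directory.get(group_dn, {}).get("member", []):
            if directory.get(member_dn, {}).get("objectCategory") == "group":
                queue.append(member_dn)  # nested group: expand it too
            else:
                covered.add(member_dn)   # set membership dedups for free
    return covered


def users_without_mail_group(directory):
    """Step 2: every user whose DN never showed up in step 1."""
    covered = members_of_mail_enabled_groups(directory)
    return sorted(dn for dn in search(directory, "person") if dn not in covered)


if __name__ == "__main__":
    for dn in users_without_mail_group(DIRECTORY):
        print(dn)
```

Against a real forest you would replace `search` with one LDAP query per domain (or one against a GC if only Universal groups matter, as the post notes) and keep the rest unchanged; on the constructed data carol is reported because her only group is not mail enabled, and dave because he is in no group at all, while bob is covered through the nested group.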