Re: How to tally group membership for huge group +10k accounts?
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 28 Mar 2007 22:18:46 -0500
Sport wrote:
Need a count of users/computers in a group membership that is upwards
of 13-15k accounts.
ADSI is no go and stops at 1500
ADO putters out at 6110
csvde dies at 1500 as well
ldifde gets a bit more, at least 10k, but the format is terrible.
Don't really need a long list would be happy with just a echo of the
number of accounts in group.
To document groups with more than 1500 members you have to use ADO range
limits to retrieve all values of the member attribute of the group. I have a
sample VBScript that uses this technique to document large groups linked
here:
http://www.rlmueller.net/DocumentLargeGroup.htm
However, you can also query for all objects that have the group DN in the
memberOf attribute. Instead of one row with thousands of values, you get a
recordset with thousands of rows. You just need to use paging if you
enumerate the recordset, but if all you need is the count you can use the
RecordCount property. In brief:
===========
' Specify Distinguished Name of the large group.
strGroupDN = "cn=Big Group,ou=Sales,dc=MyDomain,dc=com"
' Use ADO to search the domain for members of the group.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOOBject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE";)
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Filter on all objects that are members of the group.
strFilter = "(memberOf=" & strGroupDN & ")"
' Construct the LDAP syntax query.
strQuery = "<LDAP://"; & strDNSDomain & ">;" & strFilter _
& ";distinguishedName;subtree"
' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
' Retrieve number of records.
strNumber = adoRecordset.RecordCount
Wscript.Echo "Number of members: " & strNumber
' Clean up.
adoRecordset.Close
adoConnection.Close
============
Or, you could enumerate the recordset with:
' Enumerate all members.
Set adoRecordset = adoCommand.Execute
Do Until adoRecordset.EOF
strDN = adoRecordset.Fields("distinguishedName").Value
Wscript.Echo strDN
adoRecordset.MoveNext
Loop
But if you do both (enumerate and retrieve the count), you must use:
adoRecordset.CursorType = 3
and after retrieving the count use:
adoRecordset.MoveFirst
before the loop to enumerate the recordset. However, I suspect you just want
the count.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
.
- Follow-Ups:
- References:
- Prev by Date: Re: Compare and Add AD Groups?
- Next by Date: Re: Where the Active Directory User logged on
- Previous by thread: How to tally group membership for huge group +10k accounts?
- Next by thread: Re: How to tally group membership for huge group +10k accounts?
- Index(es):
Relevant Pages
|
