Seeing the members of an AD group

Hi Karlchen,

Good news: multiple adfind passes will list all group members

It will work like this:

• Have adfind the primaryGroupToken for a given group.


• Have adfind collect all account names below BaseDN having primaryGroupID=primaryGroupToken.
  (These are the users my previous sample script would miss.)


• Have adfind query all secondary users in the given group.


• Join both userlists and sort them.

And here is the extended adgroupmembers.cmd script:

@echo off :: Programm: adgroupmembers.cmd :: Function: query an AD and generate a sorted list of all users (primary and ::           secondary) in an AD user group, specified on the commandline :: Requires: adfind.exe by Joeware :: Flaws:    rough and dirty sample, no error checking added so far :-( :: :: Get commandline parameters if "%1"=="" (    echo Usage: %~n0 Name_of_AD_group    echo Note: Do not enclose the name in quotes.    exit /b 1 ) cd "%temp%" setlocal set GROUP=%* :: Set BASEDN to the appropriate value: BaseDN of your AD, not MINE! set BASEDN=my=de,dc=domain,dc=net :: We need to create unique temp filenames set RAND=%RANDOM% :: echo Group=%GROUP% BaseDN=%BASEDN% Rand=%RAND% :: Get the primaryGroupToken for this group echo Getting primaryGroupToken for group %GROUP% ... adfind -q -b %BASEDN% -f "&(objectclass=group)(sAMAccountName=%GROUP%)" primaryGroupToken > adfind_%RAND%_1.txt for /F "skip=2 tokens=1,2,3*" %%a in ('type adfind_%RAND%_1.txt') do (    :: echo %%a %%b %%c Rest=%%d    set PRIMGR=%%b ) echo PRIMARYGROUP=%PRIMGR% :: Get all account names below baseDN having primaryGroupID=PRIMGR echo Getting all primary users in group %GROUP% ... adfind -q -dn -b %BASEDN% -f "&(objectcategory=person)(objectclass=user)(primaryGroupID=%PRIMGR%)" sAMAccountName > adfind_%RAND%_2.txt del adfind_%RAND%_E.txt > nul 2>&1 for /F "skip=2 tokens=1,2,3* delims=,=" %%a in ('type adfind_%RAND%_2.txt') do (    :: echo %%a %%b %%c Rest=%%d    echo %%b ) >> adfind_%RAND%_E.txt :: Get all secondary members inside the group GROUP echo Getting all secondary users in group %GROUP% ... adfind -q -b %BASEDN% -f "&(objectcategory=group)(objectclass=group)(sAMAccountName=%GROUP%)" member > adfind_%RAND%_3.txt for /F "skip=2 tokens=1,2,3* delims=,=" %%a in ('type adfind_%RAND%_3.txt') do (    :: echo %%a %%b %%c Rest=%%d    echo %%b ) >> adfind_%RAND%_E.txt :: Sort the output file sort adfind_%RAND%_E.txt /O adgroupmembers%RAND%.TXT :: Show results start adgroupmembers%RAND%.TXT echo Done. :: cleanup del adfind_%RAND%_?.txt >nul 2>&1 endlocal

Call it like this:

adgroupmembers name_of_AD_group

But before you do so, you will at minimum have to adapt this line to match your AD:

set BASEDN=my=de,dc=domain,dc=net

Known restriction:
If a group member is not a person, but another group, the members of this group will not be determined and listed, i.e. no recursion is done to resolve nested groups.

It should be pretty easy to modify this sample in such a way that it will
+ interactively ask for the AD group,
+ interactively ask for a loginname,
+ at the end tell you if "loginname" is a member of the AD group. (Rather use MemberOf for this purpose.)

HTH,
Karl


Edited by Karlchen - 05 July 2007 at 2:41am

Good evening, Mark.

So far I have not managed to persuade LG to show me a complete list of all our domain user groups including all members, either.

Here is a somewhat rough and still unfinished adfind solution. (adfind by Joeware):

• Domain name: my.domain.net => dc=my,dc=domain,dc=net
• the command

  adfind -b dc=my,dc=domain,dc=net -f "objectcategory=group" member

  will list each domain user group and each member in every group and produce an output which looks like this in our environement:
  

  Using server: domcontroller.my.domain.net:port Directory: Windows Server 2xxx dn:CN=HelpSvcGroup,CN=Users,dc=my,dc=domain,dc=net >member: CN=SUPPORT_388945a0,CN=Users,dc=my,dc=domain,dc=net dn:CN=TelnetClients,CN=Users,dc=my,dc=domain,dc=net dn:CN=Administrators,CN=Builtin,dc=my,dc=domain,dc=net >member: CN=imperator,CN=Users,dc=my,dc=domain,dc=net ....(lots lines skipped).... 1987 Objects returned

• Limitation:
  Group members can be either persons or groups.
  The output of the adfind command given above will not show if a member is a person or a group directly.
  If a member is a group this group will be listed as dn:CN=Group further down as well and its members will be listed, too.
  But, it is hard to tell if a member is a person or a group.

Anyway: here is the first script draft which uses adfind to get all user groups existing in my.domain.net (dc=my,dc=domain,dc=net) and which will output each user group and the members of the group 1 per line:

@echo off :: Programm: adgroupmembers.bat :: Function: use Joeware adfind.exe to get a list of domain user groups ::           and their members (groups/users) :: Requires: adfind.exe inside the search path ::           DNS forward lookup needs to work ::           you need to be logged on as domain user on a domain computer :: Flaws:    rough and dirty sample, no error checking added so far :-( :: cd "%temp%" :: use adfind.exe to collect all domain computers :: suppose your domain is my.domain.com echo Collecting domain groups and members ... adfind -b dc=my,dc=domain,dc=net -f "objectcategory=group" member > adgroups.txt echo Stripping down output ... (for /F "skip=2 delims=,= tokens=1,2,3*" %%i in ('type adgroups.txt') do (    if "%%i"=="dn:CN" (       echo.       echo Group=%%j    ) else (       echo.   %%j    ) )) > adgrusers.txt echo Done. start adgrusers.txt

If someone knows a more effective approach, using "adfind" or "dsquery", kindly share your knowledge with us.

Originally posted by robbinma Any ideas on how to find the server hosting the group?

As "adfind" queries the domain controller, you do not need to know in order to get the members.

Originally posted by robbinma It would be great to have a tool that could accept a group name e.g. DOMAIN\SH_TOOL and list the members.

The "adfind" command given above will list all domain user groups and their members.
Yet, you can limit the query scope by adding the appropriate "OU=<organizational unit>" to the "adfind" command, i.e. by running "adfind" like this:

adfind -b ou=sh_tool,dc=my,dc=domain,dc=net -f "objectcategory=group" member

The output of the unrestricted adfind command my help find out which "OU=<unit1>,OU=<unit2>,.." need to be prefixed in order to reduce the scopy to the 1 user group you wish to query.

Example:
This command will list the members of 1 domain user group for me:

adfind -b OU=StdUsr,OU=CompanyName,OU=Location,dc=my,dc=domain,dc=net -f "objectcategory=person" cn

The real names of the OU's will depend on your domain hierarchy.

Originally posted by robbina Ideally the tool would be easy to use so I can give it to the support staff

I wish "adfind" were easy to use. Yet, personally I will be satisfied if I find a way to build a handful of scripts which I only need to feed 1 or 2 arguments on the commandline and the scripts will launch some weird adfind commandline and come up with the correct results.
Cannot judge if this approach will do for you as well.

Kind regards,
Karl

Edited by Karlchen - 02 July 2007 at 3:25pm

Hello, Mark.

No warranty given that this utility will be appropriate (have not tried it myself so far), yet it may be worth a try: LG by joe@joeware.net.
Seems as if viewing does not require admin privileges. Usage: cf. here, please.

Hm, maybe this one may be of use as well: MemberOf by joe@joeware.net.
Usage: cf. here, please.


Karl



Edited by Karlchen - 16 June 2007 at 4:59am