Enumerate Nested Users via LDAP ADSI- Can be VB

Posted on 2005-05-03
Last Modified: 2007-12-19
I am trying to build a group access report. You can assume that the starting group ADSI path is passed into an ASP page. I need to take that AD group, look at all the nested users and groups and build a report with all users and the containers (nested groups) that they have access to. So I want a complete view of every user that has access to the group (like the administrators group) listed on one report and not have to manually look in each nested group to see who is there. For the example below: Domain2\Enterprise Admins and Domain1\Domain Admins are nested in Domain1\Administrators.

UserName    Fullname     Description    Group Name
--------    --------     -----------    ----------
user1       Jones,Bob    CA User        Domain1\Administrators
user2       Hots,Bob     NC User        Domain1\Domain Admins
user3       Tots,Bob     SC User        Domain1\Domain Admins
user4       Otts,Deb     US Field       Domain2\Enterprise Admins
4 Users found

So a group can potentially have multiple nestings (like Domain2\Enterprise Admins could have groups nested in it too) and I need the logic to be able to go as deep as it needs to back out all the users from each nested group. That is what makes this one so much fun :) This can be done in VB or VBScript. Would like it sorted by the Group Name column if possible and show the same user again and again if they are members of multiple nested groups. Should be able to handle hundreds of entries, but I won't be running it on the Domain Users group of course.
Question by:sbdunn
    1 Comment
    LVL 7

    Accepted Solution

    If you're looking for additional ADSI scripting, you may receive a faster response by posting here:

    The code below should provide the information you desire.  The constants near the top of the script should be modified to reflect the appropriate values.  Running this may be frightening :)

    Option Explicit
    On Error Resume Next

    Const GROUP_DN = "WinNT://YOURDOMAIN/Administrators"
    Const OUTPUT_FILE_NAME = "Groups.txt"
    Const DELIMITER = "      "

    Dim intCounter, objFileOutput, objFSO, objVisited

    ' Converts an ADsPath such as "WinNT://DOMAIN/Name" to "DOMAIN\Name" for the report
    Function FriendlyName(strADsPath)
        FriendlyName = Replace(Mid(strADsPath, 9), "/", "\")
    End Function

    Sub EnumGroups(strDN, strGroupName)
        ' objGroup and objMember must be local: the Sub is recursive, and a
        ' shared variable would be overwritten by the nested call
        Dim objGroup, objMember
        ' Skip a group that is already being expanded further up the call chain;
        ' otherwise circular nesting (A in B, B in A) recurses forever
        If objVisited.Exists(LCase(strDN)) Then Exit Sub
        objVisited.Add LCase(strDN), True
        Set objGroup = GetObject(strDN)
        For Each objMember In objGroup.Members
            Select Case objMember.Class
                Case "User"
                    objFileOutput.WriteLine FriendlyName(objMember.ADsPath) & DELIMITER & objMember.FullName & DELIMITER & objMember.Description & DELIMITER & strGroupName
                    intCounter = intCounter + 1
                Case "Group"
                    EnumGroups objMember.ADsPath, FriendlyName(objMember.ADsPath)
                Case Else
                    ' Anything else (e.g. a computer account) is listed without user details
                    objFileOutput.WriteLine FriendlyName(objMember.ADsPath) & DELIMITER & DELIMITER & DELIMITER & DELIMITER & strGroupName
                    intCounter = intCounter + 1
            End Select
        Next
        ' Remove on the way out so the same group is still reported under a second parent
        objVisited.Remove LCase(strDN)
    End Sub

    Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
    Set objVisited = WScript.CreateObject("Scripting.Dictionary")
    Set objFileOutput = objFSO.CreateTextFile(OUTPUT_FILE_NAME)
    objFileOutput.WriteLine FriendlyName(GROUP_DN) & vbCrLf & "------------------------------------------" & vbCrLf & "UserName" & DELIMITER & "FullName" & DELIMITER & "Description" & DELIMITER & "Group Name" & vbCrLf & "----------------------------------------------------------------------------------------------------------------"
    EnumGroups GROUP_DN, FriendlyName(GROUP_DN)
    objFileOutput.WriteLine intCounter & " user(s) found"
    objFileOutput.Close

    MsgBox "Completed enumerating users.", vbInformation, "Execution completed"

    This creates a delimited file (fields separated by the value you specify in the DELIMITER constant, currently a tab).  If you have any questions, please let me know.  Good luck!
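As an added illustration (not part of the question or the accepted solution above), the same depth-first walk over nested groups in Python. It covers what the question asks for (arbitrary nesting depth, rows sorted by group name, a user listed once per nested group that grants access) and what the VBScript has to cope with (a group nested back into one of its own ancestors). Instead of ADSI it uses a constructed in-memory directory, `DIRECTORY`, so it runs offline; the `User` type, `expand_group`, `build_report` and `format_report` are names chosen here, and the sample accounts mirror the ones in the question plus one deliberately circular nesting.

```python
"""Expand nested group membership into a per-group access report.

Added example, not from the original post. The directory is a constructed
in-memory mapping that stands in for an ADSI/LDAP walk over Group.Members.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str          # login name, e.g. "user1"
    full_name: str
    description: str


# Constructed sample directory: key is "DOMAIN\Group", value is its member list.
# A member is either a User or the name of another group (a nesting).
DIRECTORY = {
    r"Domain1\Administrators": [
        User("user1", "Jones,Bob", "CA User"),
        r"Domain1\Domain Admins",
        r"Domain2\Enterprise Admins",
    ],
    r"Domain1\Domain Admins": [
        User("user2", "Hots,Bob", "NC User"),
        User("user3", "Tots,Bob", "SC User"),
    ],
    r"Domain2\Enterprise Admins": [
        User("user4", "Otts,Deb", "US Field"),
        # circular nesting: Enterprise Admins -> Administrators -> Enterprise Admins ...
        r"Domain1\Administrators",
    ],
}


def expand_group(group, directory, path=()):
    """Yield (user, group) for every user reachable from `group`.

    `path` is the chain of groups currently being expanded. A group already
    on that chain is a cycle and is skipped instead of recursed into forever.
    A group reached via two different parents is expanded twice, so a user
    appears once per nested group that grants the access, as the report wants.
    """
    if group in path:
        return
    path = path + (group,)
    for member in directory.get(group, []):
        if isinstance(member, User):
            yield member, group
        else:
            yield from expand_group(member, directory, path)


def build_report(root, directory):
    """Return report rows sorted by group name, then by login name."""
    return sorted(expand_group(root, directory), key=lambda r: (r[1], r[0].name))


def format_report(rows):
    """Render rows in the layout the question sketches, with a trailing count."""
    header = f"{'UserName':<12}{'Fullname':<12}{'Description':<14}Group Name"
    lines = [header, "-" * len(header)]
    for user, group in rows:
        lines.append(f"{user.name:<12}{user.full_name:<12}{user.description:<14}{group}")
    lines.append(f"{len(rows)} Users found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(r"Domain1\Administrators", DIRECTORY)))
```

The cycle check is against the current recursion path rather than a global "seen" set: a global set would silently drop a group the second time it is reached under a different parent, which is exactly the duplicate listing the report is meant to surface. For a real directory, swap `DIRECTORY.get(group, [])` for the provider call that returns the group's members.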
