
Scan all the groups in the domain where all disabled users are members

Last Modified: 2010-03-05
Hi,

I want a script to scan all the groups in the domain and find all disabled users that are members, written to a file.

Ex:
Group name and members

regards
Sharath

Commented:
ADManager will scan and you can export the results to a CSV file, for example, for further processing.

http://manageengine.adventnet.com/products/ad-manager/index.html

Author

Commented:
Hi,

Where in this software can I check for this data?

Commented:
Yes, you can. Check this:

http://manageengine.adventnet.com/products/ad-manager/active_directory_user_reports.html

Also here is a screenshot on how to do it:

http://manageengine.adventnet.com/products/ad-manager/images/disabled_users.jpg

Then when you get the report you want, you can click on Export as, and choose the format you would like to save in (.doc, pdf, csv, etc.)
Farhan Kazi, Systems Engineer
CERTIFIED EXPERT
Top Expert 2007

Commented:
:: ===============
:: READ THIS FIRST
:: ===============
:: * Successful run will generate "DisabledMembersRpt.txt" file on C: drive root.
:: * Copy and paste following script in notepad and save it with any name having .cmd extension.
:: *** SCRIPT START ***

@Echo Off
SETLOCAL EnableDelayedExpansion

DSQuery Group -name * >C:\GroupsTmp.txt
IF NOT EXIST C:\GroupsTmp.txt Goto ShowErr
FOR %%R IN (C:\GroupsTmp.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisabledMembersRpt.txt DEL /F /Q C:\DisabledMembersRpt.txt

FOR /F "delims=#" %%g IN ('Type C:\GroupsTmp.txt') Do (
      Echo Querying Group: %%g
      Echo ------------------------->>C:\DisabledMembersRpt.txt
         DSQuery * %%g -Attr sAMAccountName -L >>C:\DisabledMembersRpt.txt
      Echo ------------------------->>C:\DisabledMembersRpt.txt
      SET Qry=DSGet group %%g -members
      FOR /F "delims=#" %%c IN ('!Qry!') Do (
            DSQuery * %%c -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)" -Attr sAMAccountName -L >>C:\DisabledMembersRpt.txt)
         Echo.>>C:\DisabledMembersRpt.txt
      Echo.>>C:\DisabledMembersRpt.txt
)

Goto EndScript
:ShowErr
Echo Unable to create "C:\GroupsTmp.txt" file or file is empty!
:EndScript
IF EXIST C:\GroupsTmp.txt DEL /F /Q C:\GroupsTmp.txt
ENDLOCAL
:: *** SCRIPT END ***

Author

Commented:
I get this.

Dsquery has reached the default limit.

Will it scan the groups of the root domain?
Farhan Kazi, Systems Engineer
CERTIFIED EXPERT
Top Expert 2007

Commented:
:: ===============
:: READ THIS FIRST
:: ===============
:: * Successful run will generate "DisabledMembersRpt.txt" file on C: drive root.
:: * Copy and paste following script in notepad and save it with any name having .cmd extension.
:: *** SCRIPT START ***

@Echo Off
SETLOCAL EnableDelayedExpansion

DSQuery Group -name * -Limit 0 >C:\GroupsTmp.txt
IF NOT EXIST C:\GroupsTmp.txt Goto ShowErr
FOR %%R IN (C:\GroupsTmp.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisabledMembersRpt.txt DEL /F /Q C:\DisabledMembersRpt.txt

FOR /F "delims=#" %%g IN ('Type C:\GroupsTmp.txt') Do (
      Echo Querying Group: %%g
      Echo ------------------------->>C:\DisabledMembersRpt.txt
         DSQuery * %%g -Attr sAMAccountName -L >>C:\DisabledMembersRpt.txt
      Echo ------------------------->>C:\DisabledMembersRpt.txt
      SET Qry=DSGet group %%g -members
      FOR /F "delims=#" %%c IN ('!Qry!') Do (
            DSQuery * %%c -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)" -Attr sAMAccountName -L >>C:\DisabledMembersRpt.txt)
         Echo.>>C:\DisabledMembersRpt.txt
      Echo.>>C:\DisabledMembersRpt.txt
)

Goto EndScript
:ShowErr
Echo Unable to create "C:\GroupsTmp.txt" file or file is empty!
:EndScript
IF EXIST C:\GroupsTmp.txt DEL /F /Q C:\GroupsTmp.txt
ENDLOCAL
:: *** SCRIPT END ***

Author

Commented:
Will it scan the groups of the root domain?
Farhan Kazi, Systems Engineer
CERTIFIED EXPERT
Top Expert 2007

Commented:
Yes!

Author

Commented:
No, Farhan. This is not fetching the details from the root domain. Any way to specify the DC and CN?

Commented:
bsharath, did you try ADManager the way I showed you? Also, there is a free edition of this program here:

http://manageengine.adventnet.com/products/ad-manager/download.html?free

Author

Commented:
infernum

Yes, I checked, but it is limiting me from scanning and taking reports of more than 1000, as I have 8,00 emp to scan.
Farhan Kazi, Systems Engineer
CERTIFIED EXPERT
Top Expert 2007

Commented:
Click Start -> Run -> Cmd.exe

DSQuery Group ForestRoot -name * >C:\AllGroups.txt

--> Check AllGroups.txt and let me know if you get all your groups inside the file.

DSQuery Group DomainRoot -name * >C:\AllGroups.txt

--> Check AllGroups.txt and let me know if you get all your groups inside the file.

Author

Commented:
Sorry, Dsquery reached the max limit. Where should I put the -limit?

Commented:
How come, man? It should work as the PLUS edition, which is fully loaded for 30 days, then it will downgrade to the free edition.
Farhan Kazi, Systems Engineer
CERTIFIED EXPERT
Top Expert 2007

Commented:
Click Start -> Run -> Cmd.exe

DSQuery Group ForestRoot -name * -Limit 0 >C:\AllGroups.txt

--> Check AllGroups.txt and let me know if you get all your groups inside the file.

DSQuery Group DomainRoot -name * -Limit 0 >C:\AllGroups.txt

--> Check AllGroups.txt and let me know if you get all your groups inside the file.

Author

Commented:
This command gets all the groups.

DSQuery Group ForestRoot -name * -Limit 0 >C:\AllGroups.txt

Commented:
Now I know why you get only 1000 objects at a time: this is because of a "default" limitation in Active Directory. Active Directory, by default, is configured with a maximum page size of 1000 for any LDAP request. So, in a default configuration, if we have 1001 objects that would be returned by the LDAP query, the query will return no results. We can potentially encounter performance issues prior to hitting the 1000 object limit (depending on your environment's design), but the hard limit is 1000.

Follow this page to remove this limitation and try ADManager again.

http://support.microsoft.com/?id=315071

Commented:
This is the object which you should change using ntdsutil:

"MaxPageSize - This value controls the maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. This is to group the returned results in groups that are no larger than the MaxPageSize value. To summarize, MaxPageSize controls the number of objects that are returned in a single search result."

http://support.microsoft.com/?id=315071
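
The paged search control mentioned in the MaxPageSize description above, combined with the same disabled-account filter used in the batch script, as an added example that is not part of the original thread. It assumes a domain-joined Windows host with read access to the directory; the output path and the commented placeholder DN are assumptions.

```powershell
# Added example (not from the thread). Lists every group that still contains a
# disabled account, using one paged LDAP search instead of one query per member.
$OutFile = 'C:\DisabledMembersRpt.csv'   # assumed output path

# Same bitwise-AND matching rule as the batch script:
# userAccountControl bit 2 = ACCOUNTDISABLE.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
# With no SearchRoot set, the search starts at the current domain root.
# To target another domain, set a root explicitly (constructed placeholder DN):
#   $searcher.SearchRoot = [adsi]'LDAP://DC=example,DC=com'
$searcher.Filter      = $filter
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
# A non-zero PageSize makes the client send the paged results control, so the
# server returns the full result set in pages and MaxPageSize stays untouched.
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('memberOf')

$rows    = New-Object System.Collections.Generic.List[object]
$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        # Result property names are stored in lower case.
        $sam = [string]$r.Properties['samaccountname'][0]
        foreach ($groupDn in $r.Properties['memberof']) {
            $rows.Add([pscustomobject]@{
                Group          = [string]$groupDn
                DisabledMember = $sam
            })
        }
    }
}
finally {
    # SearchResultCollection holds unmanaged resources; release them.
    $results.Dispose()
    $searcher.Dispose()
}

$rows | Sort-Object Group, DisabledMember |
    Export-Csv -Path $OutFile -NoTypeInformation
'{0} disabled-account memberships written to {1}' -f $rows.Count, $OutFile
```

memberOf lists direct memberships only and omits the account's primary group, so a disabled account whose only membership is its primary group will not appear in the report.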

Author

Commented:
infernum

For this job I shall take Farhan's script, as I need to search, say, 7 domains and 8,00 users. With this software I may be able to do it, but it is a little difficult as of now.

Thanks any way...

Author

Commented:
Thanks a lot, Farhan.

Commented:
No problems at all, bsharath, you are the one who should decide what's best for you :) and congrats, Farhan!