Solved

Script that can query all Security groups in an OU and get me the user names and the shares he is in.

Posted on 2008-09-30
Last Modified: 2008-10-14
Hi,

Script that can query all Security groups in an OU and get me the user names and the shares he is in.

Like if a user is in 5 groups that are in that particular OU, then

Username
Group1
Group2
Group3
Group4
Group5

So I know how many shared folders a user has access to.

Need to do this for all groups in one OU. In some cases there are Nested groups in that security group. In that case pull the nested group users also.

Regards
Sharath
Question by:bsharath
22 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 22614243
Not sure this is possible the way you've asked it.
You can enumerate the security groups, and perhaps the folks attached to it, but locating all shares that user has access to is probably not possible...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22615800
Ok then is it possible like
Query all groups in the OU in ADS and find each user and match him in all other groups.
So the results would be as

User Name
Group Name1
Group Name2
Group Name3

So finally I will know which groups a user is in for a particular OU.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22634648
Sorry for the delay here Sharath.  I'm not quite certain that I fully understand what you're looking for.
What do you mean by query all groups in the OU and find him in all other groups?

Should be able to list the user and all groups he/she is a member of - is that what you're asking for?
0
 
LVL 11

Author Comment

by:bsharath
ID: 22634860
Sirbounty.

Sharath can be a member of 5 groups. So I want the details like this. I want this to be queried in just 1 particular ADS OU.
So I get the output as this
Sharath
Group1
Group2
Group3
Group4
Group5

This will help me find out which user is a member of what groups, as all these groups in the OU are only used for our file server shares. So I know which user has which folder access...
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22635564
I guess I'm having difficulty understanding why you're limiting it to OU.
Why not print out all the groups that the user belongs to?
Or even print out the groups and then list all the users in that group?
0
 
LVL 11

Author Comment

by:bsharath
ID: 22635673
A user can be a member of 10+ groups and a group will have 100+ members.
In one OU I have 100+ Security groups that have 100's of users in each.

All the Groups in this OU are only related to my File servers. Now when I need to know which user has access to which share I can use this script to get a user's group names. So this would help me find the folders they have access to.

The share names on the file server are identical to the group names.

Say I have a share name as

HR Files

then I have groups as

HR Files-SGW
HR Files-SGR

SGW = Security group Write
SGR = Security group Read.

So if I get the names I can remove the SGW & SGR and then the users and folder names are ready...

Hope this makes sense...
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22669616
OK. This is going to take a little effort to do.

So let me rephrase what I think you want. You want to get all groups and nested groups under a particular OU which end with -SGW and -SGR. With all the user members consolidate all their memberships. Do you want to keep the NestedGroup relationship in some way?

Output example 1:
User1
Group1
Group2
NestedGroup1
NestedGroup2
Group3

Output example 2:
User1
Group1
Group2;NestedGroup1;NestedGroup2
Group3
0
 
LVL 11

Author Comment

by:bsharath
ID: 22669940
Any group that's in the OU has to be scanned.

Ok for example "Sharath" is a member of 5 groups in the OU.

So the script has to scan all groups in the OU and get the results as this.

Sharath
Group1
Group2
Nestedgroup1      Group3
Groups4

So at the end I know all the folders where these groups are used and their members, as the folder name and the group name match.
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22679959
OK. So in your example with names it could be this. Where Domain Admins is nested into Manager Files-SGW?

Sharath
IT Files-SGW
Sales Files-SGR
Domain Admins      Manager Files-SGW
Shared Files-SGW
0
 
LVL 11

Author Comment

by:bsharath
ID: 22687496
Yes right...

Just wanted to let you know my joy.

I have been blessed with a Boy baby today... :-)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22687603
Congratulations! :^)
0
 
LVL 11

Author Comment

by:bsharath
ID: 22687613
Thank U...
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22687782
Congratulations!
0
 
LVL 11

Author Comment

by:bsharath
ID: 22687813
Thank U AT
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22693247
OK. Is this how you want it to work? The output is not correct yet.

Gets all groups under an OU with -SGW or -SGR and list group members + list nested group members

I will need to consolidate the data and output it sorted by user if this is what you want.

Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

On Error Resume Next

' Bind to the OU that holds the share groups
Set objOU = GetObject("LDAP://ou=groups,dc=domain,dc=com")
objOU.Filter = Array("Group")

For Each objOUGroup In objOU
    ' Only groups whose name ends in -SGW or -SGR
    If UCase(Right(objOUGroup.cn, 4)) = "-SGW" Or UCase(Right(objOUGroup.cn, 4)) = "-SGR" Then
        wscript.echo objOUGroup.cn

        Err.Clear    ' do not let an earlier error mask the result of GetEx
        arrMembers = objOUGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrMembers
                wscript.echo vbTab & strmember
                Call NestedGroup(strmember, 2)
            Next
        Else
            wscript.echo vbTab & "No Members"
            Err.Clear
        End If
    End If
Next

' Print the members of a nested group, indented one tab per nesting level.
' Note: there is no guard here against circular group nesting.
Sub NestedGroup(Group, NumTabs)
    ' Local variables: the Sub is recursive, so shared globals would be overwritten
    Dim objGroup, arrGroupMembers, strmember, PrintTabs, I

    On Error Resume Next
    Set objGroup = GetObject("LDAP://" & Group)
    If Err.Number <> 0 Then Exit Sub    ' could not bind to this member
    objGroup.GetInfo

    If LCase(objGroup.Class) = "group" Then
        PrintTabs = ""
        For I = 1 To NumTabs
            PrintTabs = PrintTabs + vbTab
        Next

        Err.Clear
        arrGroupMembers = objGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrGroupMembers
                wscript.echo PrintTabs & strmember
                Call NestedGroup(strmember, NumTabs + 1)
            Next
        End If
    End If
End Sub

0
 
LVL 11

Author Comment

by:bsharath
ID: 22694888
Thanks AT this is the right one...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22709373
Works but gets the data on the screen. Can I have the results to a csv with formatting please...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22709374
Works but gets the data on the screen. Can I have the results to a csv with formatting please...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22713567
AT just a reminder...
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 500 total points
ID: 22713675
Try this. I was adjusting the output.

This formatting is a little different than your other post.

Change the OU to search from.

OUToSearch = "cn=user,dc=domain,dc=com"

Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
Const ForWriting = 2

CSVFile = "C:\OUGroupMembership.csv"
OUToSearch = "cn=user,dc=domain,dc=com"

On Error Resume Next

' objDict maps each user (sAMAccountName) to its "#"-separated group chains
Set objDict = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCSVFile = objFSO.OpenTextFile(CSVFile, ForWriting, True)
Set objOU = GetObject("LDAP://" & OUToSearch)
objOU.Filter = Array("Group")

For Each objOUGroup In objOU
    ' Only groups whose name ends in -SGW or -SGR
    If UCase(Right(objOUGroup.cn, 4)) = "-SGW" Or UCase(Right(objOUGroup.cn, 4)) = "-SGR" Then
        wscript.echo objOUGroup.cn

        Err.Clear    ' do not let an earlier error mask the result of GetEx
        arrMembers = objOUGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrMembers
                wscript.echo vbTab & strmember
                Call NestedGroup(strmember, Chr(34) & objOUGroup.cn & Chr(34))
            Next
        Else
            wscript.echo vbTab & "No Members"
            Err.Clear
        End If
    End If
Next

' One block per user: the user name, then one line per group chain, then two empty rows
For Each User In objDict.Keys
    arrMultipleGroups = Split(objDict(User), "#")
    objCSVFile.WriteLine Chr(34) & User & Chr(34)
    For Each GroupMembership In arrMultipleGroups
        objCSVFile.WriteLine GroupMembership
    Next
    objCSVFile.WriteLine Chr(34) & Chr(34)
    objCSVFile.WriteLine Chr(34) & Chr(34)
Next

objCSVFile.Close
Set objFSO = Nothing

wscript.echo

' Record a user under ParentGroup, or recurse into a nested group.
' ParentGroup is the quoted, comma-separated chain of groups leading to this member.
Sub NestedGroup(strGroup, ParentGroup)
    ' Local variables: the Sub is recursive, so shared globals would be overwritten
    Dim objGroup, strGroupName, PGroup, arrGroupMembers, strmember

    On Error Resume Next
    Set objGroup = GetObject("LDAP://" & strGroup)
    If Err.Number <> 0 Then Exit Sub    ' could not bind to this member
    objGroup.GetInfo
    strGroupName = objGroup.sAMAccountName

    If LCase(objGroup.Class) = "group" Then
        PGroup = objGroup.cn
        ' Circular nesting: stop if this group is already in the chain
        If InStr(1, ParentGroup, Chr(34) & PGroup & Chr(34), vbTextCompare) > 0 Then Exit Sub

        Err.Clear
        arrGroupMembers = objGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrGroupMembers
                wscript.echo strmember, Chr(34) & PGroup & Chr(34) & "," & ParentGroup
                Call NestedGroup(strmember, Chr(34) & PGroup & Chr(34) & "," & ParentGroup)
            Next
        End If
    Else
        If objDict.Exists(strGroupName) Then
            objDict.Item(strGroupName) = ParentGroup & "#" & objDict.Item(strGroupName)
        Else
            objDict.Add strGroupName, ParentGroup
        End If
    End If
End Sub

0
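
The consolidation step from the accepted script (each user with the groups, nested ones included, that grant access), as an added example that is not part of the thread, written in Python over a constructed membership map instead of a live directory. It goes beyond the posted script by mapping the -SGW/-SGR suffixes to share names and access levels and keeping Write over Read for the same share; every name in MEMBERS is made up.

```python
import csv
import io

# Constructed sample data (not from the thread): group -> direct members.
# A member that is itself a key of this map is a nested group, otherwise a user.
MEMBERS = {
    "HR Files-SGW": ["alice", "HR Managers"],
    "HR Files-SGR": ["bob", "alice"],
    "Sales Files-SGR": ["Sales Team"],
    "HR Managers": ["carol", "Sales Team"],
    "Sales Team": ["bob", "HR Managers"],  # circular nesting on purpose
    "Printer Admins": ["dave"],            # no share suffix: not a share group
}
SUFFIXES = {"-SGW": "Write", "-SGR": "Read"}

def expand(group, members, path=()):
    """Yield (user, group chain) for every user reachable from group."""
    path = path + (group,)
    for m in members.get(group, []):
        if m in members:
            if m not in path:  # cycle guard: never re-enter a group in the chain
                yield from expand(m, members, path)
        else:
            yield m, path

def share_access(members):
    """Return {user: {share: (access, via)}}; Write wins over Read."""
    report = {}
    for group in sorted(members):
        suffix = group[-4:].upper()
        if suffix not in SUFFIXES:
            continue
        share, access = group[:-4], SUFFIXES[suffix]
        for user, path in expand(group, members):
            current = report.setdefault(user, {}).get(share)
            if current is None or (current[0] == "Read" and access == "Write"):
                report[user][share] = (access, " > ".join(path))
    return report

def to_csv(report):
    """Render one row per user and share; csv.writer handles the quoting."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["User", "Share", "Access", "Via"])
    for user in sorted(report):
        for share in sorted(report[user]):
            writer.writerow([user, share, *report[user][share]])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(share_access(MEMBERS)))
```

The Via column records the group chain that grants the access, so a reviewer can see whether a user reaches a share directly or through a nested group.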
 
LVL 11

Author Comment

by:bsharath
ID: 22713741

Worked perfect, thanks a lot...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22806600
0


Question has a verified solution.
