Solved

Script that can query all Security groups in an OU and get me the user names and the shares he is in.

Posted on 2008-09-30
461 Views
Last Modified: 2008-10-14
Hi,

Script that can query all Security groups in an OU and get me the user names and the shares he is in.

Like if a user is in 5 groups that are in that particular OU, then

Username
Group1
Group2
Group3
Group4
Group5

So I know how many shared folders a user has access to.

Need to do this for all groups in one OU. In some cases there are Nested groups in that security group. In that case pull the nested group users also.

Regards
Sharath
Question by:bsharath
22 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 22614243
Not sure this is possible the way you've asked it.
You can enumerate the security groups, and perhaps the folks attached to it, but locating all shares that user has access to is probably not possible...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22615800
Ok then is it possible like
Query all groups in the OU in ADS and find each user and match him in all other groups.
So the results would be as

User Name
Group Name1
Group Name2
Group Name3

So finally I will know all the groups a user is in within a particular OU.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22634648
Sorry for the delay here Sharath.  I'm not quite certain that I fully understand what you're looking for.
What do you mean by query all groups in the OU and find him in all other groups?

Should be able to list the user and all groups he/she is a member of - is that what you're asking for?
0
 
LVL 11

Author Comment

by:bsharath
ID: 22634860
Sirbounty.

Sharath can be a member of 5 groups. So I want the details like this. I want this to be queried in just 1 particular ADS OU.
So i get the output as this
Sharath
Group1
Group2
Group3
Group4
Group5

This will help me find out which user is a member of what groups. All these groups in the OU are only used for our file server shares, so I know which user has which folder access...
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22635564
I guess I'm having difficulty understanding why you're limiting it to OU.
Why not print out all the groups that the user belongs to?
Or even print out the groups and then list all the users in that group?
0
 
LVL 11

Author Comment

by:bsharath
ID: 22635673
A user can be a member of 10+ groups and a group will have 100+ members.
In one OU I have 100+ Security groups that have 100's of users in each.

All the groups in this OU are only related to my file servers. Now when I need to know which user has access to which share I can use this script to get the users and group names. So this would help me find the folders they have access to.

The shares in the file server names are identical to the group names.

Say i have a share name as

HR Files

then i have groups as

HR Files-SGW
HR Files-SGR

SGW = Security group Write
SGR = Security group Read.

So if I get the names I can remove the SGW & SGR and then the users and folder names are ready...

Hope this makes sense...
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22669616
OK. This is going to take a little effort to do.

So let me rephrase what I think you want. You want to get all groups and nested groups under a particular OU which end with -SGW and -SGR. With all the user members, consolidate all their memberships. Do you want to keep the NestedGroup relationship in some way?

Output example 1:
User1
Group1
Group2
NestedGroup1
NestedGroup2
Group3

Output example 2:
User1
Group1
Group2;NestedGroup1;NestedGroup2
Group3
0
 
LVL 11

Author Comment

by:bsharath
ID: 22669940
Any group that's in the OU has to be scanned.

Ok for example "Sharath" is a member of 5 groups in the OU.

So the script has to scan all groups in the OU and get the results as this.

Sharath
Group1
Group2
Nestedgroup1      Group3
Groups4

So at the end I know all the folders where these groups are used and their members, as the folder name and the group name match.




0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22679959
OK. So in your example with names it could be this. Where Domain Admins is nested into Manager Files-SGW?

Sharath
IT Files-SGW
Sales Files-SGR
Domain Admins      Manager Files-SGW
Shared Files-SGW
0
 
LVL 11

Author Comment

by:bsharath
ID: 22687496
Yes right...

Just wanted to let you know my joy.

I have been blessed with a Boy baby today... :-)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22687603
Congratulations! :^)
0
 
LVL 11

Author Comment

by:bsharath
ID: 22687613
Thank U...
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22687782
Congratulations!
0
 
LVL 11

Author Comment

by:bsharath
ID: 22687813
Thank U AT
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 22693247
OK. Is this how you want it to work? The output is not correct yet.

Gets all groups under an OU with -SGW or -SGR and lists group members plus nested group members.

I will need to consolidate the data and output it sorted by user if this is what you want.
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

On Error Resume Next

' Bind to the OU that holds the share groups and enumerate only group objects
Set objOU = GetObject("LDAP://ou=groups,dc=domain,dc=com")
objOU.Filter = Array("Group")

For Each objOUGroup In objOU
    ' Only the -SGW / -SGR share groups are of interest
    If UCase(Right(objOUGroup.cn, 4)) = "-SGW" Or UCase(Right(objOUGroup.cn, 4)) = "-SGR" Then
        wscript.echo objOUGroup.cn

        ' Err is not reset by a successful statement, so clear it before
        ' the GetEx call that the check below depends on
        Err.Clear
        arrMembers = objOUGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrMembers
                wscript.echo vbTab & strmember
                Call NestedGroup(strmember, 2)
            Next
        Else
            wscript.echo vbTab & "No Members"
            Err.Clear
        End If
    End If
Next

' Recursively print the members of a nested group, indented by NumTabs
Sub NestedGroup(Group, NumTabs)
    On Error Resume Next
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.GetInfo

    ' Members that are not groups (users etc.) are printed by the caller only
    If LCase(objGroup.Class) = "group" Then
        PrintTabs = ""
        For I = 1 To NumTabs
            PrintTabs = PrintTabs & vbTab
        Next

        Err.Clear
        arrGroupMembers = objGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrGroupMembers
                wscript.echo PrintTabs & strmember
                Call NestedGroup(strmember, NumTabs + 1)
            Next
        End If
    End If
End Sub


0
 
LVL 11

Author Comment

by:bsharath
ID: 22694888
Thanks AT this is the right one...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22709373
Works but gets the data on the screen. Can I have the results in a CSV with formatting please...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22709374
Works but gets the data on the screen. Can I have the results in a CSV with formatting please...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22713567
AT just a reminder...
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 500 total points
ID: 22713675
Try this. I was adjusting the output.

This formatting is a little different than your other post.

Change the OU to search from.

OUToSearch = "cn=user,dc=domain,dc=com"
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
Const ForWriting = 2

CSVFile = "C:\OUGroupMembership.csv"
OUToSearch = "cn=user,dc=domain,dc=com"

On Error Resume Next

' objDict maps a user's sAMAccountName to its "#"-separated list of group paths
Set objDict = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCSVFile = objFSO.OpenTextFile(CSVFile, ForWriting, True)

Set objOU = GetObject("LDAP://" & OUToSearch)
objOU.Filter = Array("Group")

For Each objOUGroup In objOU
    ' Only the -SGW / -SGR share groups are of interest
    If UCase(Right(objOUGroup.cn, 4)) = "-SGW" Or UCase(Right(objOUGroup.cn, 4)) = "-SGR" Then
        wscript.echo objOUGroup.cn

        ' Err is not reset by a successful statement, so clear it before
        ' the GetEx call that the check below depends on
        Err.Clear
        arrMembers = objOUGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrMembers
                wscript.echo vbTab & strmember
                ' The second argument is the quoted group path this member was reached through
                Call NestedGroup(strmember, Chr(34) & objOUGroup.cn & Chr(34))
            Next
        Else
            wscript.echo vbTab & "No Members"
            Err.Clear
        End If
    End If
Next

' Write one block per user: the user name, one line per group path, then two blank rows
For Each User In objDict.Keys
    arrMultipleGroups = Split(objDict(User), "#")
    objCSVFile.WriteLine Chr(34) & User & Chr(34)
    For Each GroupMembership In arrMultipleGroups
        objCSVFile.WriteLine GroupMembership
    Next
    objCSVFile.WriteLine Chr(34) & Chr(34)
    objCSVFile.WriteLine Chr(34) & Chr(34)
Next

objCSVFile.Close
Set objFSO = Nothing

wscript.echo

' Walk a member: recurse into groups, record any non-group object as a user
' under the group path (ParentGroup) it was found in
Sub NestedGroup(strGroup, ParentGroup)
    On Error Resume Next
    Set objGroup = GetObject("LDAP://" & strGroup)
    objGroup.GetInfo
    strGroupName = objGroup.sAMAccountName

    If LCase(objGroup.Class) = "group" Then
        PGroup = objGroup.cn
        Err.Clear
        arrGroupMembers = objGroup.GetEx("member")

        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            For Each strmember In arrGroupMembers
                wscript.echo strmember, Chr(34) & PGroup & Chr(34) & "," & ParentGroup
                Call NestedGroup(strmember, Chr(34) & PGroup & Chr(34) & "," & ParentGroup)
            Next
        End If
    Else
        ' Not a group: append this path to the user's existing list, or start one
        If objDict.Exists(strGroupName) Then
            objDict.Item(strGroupName) = ParentGroup & "#" & objDict.Item(strGroupName)
        Else
            objDict.Add strGroupName, ParentGroup
        End If
    End If
End Sub


0
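The same walk in PowerShell with the ActiveDirectory module, as an added example that is not AmazingTech's script or part of the thread: it keeps the nesting path, derives the share name and Read/Write level from the -SGW/-SGR convention bsharath describes, and tracks visited groups so a nested-group cycle (A inside B, B inside A) cannot recurse forever, which the VBScript above has no guard against. The OU distinguished name and CSV path are placeholders.

```powershell
# Added example, not the thread's own script. Assumes the ActiveDirectory
# module, a placeholder OU DN, and share groups named "<Share>-SGW"/"<Share>-SGR".
Import-Module ActiveDirectory

$OUToSearch = 'OU=Groups,DC=domain,DC=com'      # placeholder, change to your OU
$CsvFile    = 'C:\OUGroupMembership.csv'

# Walk one group's membership depth-first. $Seen holds group DNs already
# visited on this walk, so a cycle between nested groups stops instead of
# recursing until the stack is exhausted.
function Get-EffectiveUsers {
    param([string]$GroupDn, [string]$Path, [hashtable]$Seen,
          [System.Collections.Generic.List[object]]$Out)
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    foreach ($m in Get-ADGroupMember -Identity $GroupDn) {
        if ($m.objectClass -eq 'group') {
            Get-EffectiveUsers -GroupDn $m.distinguishedName `
                -Path ($Path + ' > ' + $m.name) -Seen $Seen -Out $Out
        } elseif ($m.objectClass -eq 'user') {
            $Out.Add([pscustomobject]@{ User = $m.SamAccountName; GroupPath = $Path })
        }
    }
}

$rows = [System.Collections.Generic.List[object]]::new()
# Direct children of the OU only, matching the VBScript's enumeration
$groups = Get-ADGroup -SearchBase $OUToSearch -SearchScope OneLevel `
          -LDAPFilter '(|(cn=*-SGW)(cn=*-SGR))'
foreach ($g in $groups) {
    # A fresh visited set per share group, so a group nested into two share
    # groups is still reported under both of them
    Get-EffectiveUsers -GroupDn $g.DistinguishedName -Path $g.Name -Seen @{} -Out $rows
}

# Share name = top-level group name minus the 4-character -SGW/-SGR suffix
$rows | ForEach-Object {
    $top    = ($_.GroupPath -split ' > ')[0]
    $access = if ($top.ToUpper().EndsWith('-SGW')) { 'Write' } else { 'Read' }
    [pscustomobject]@{
        User   = $_.User
        Share  = $top.Substring(0, $top.Length - 4)
        Access = $access
        Via    = $_.GroupPath      # full nesting chain, e.g. "HR Files-SGW > Domain Admins"
    }
} | Sort-Object User, Share | Export-Csv -Path $CsvFile -NoTypeInformation
```

Get-ADGroupMember -Recursive would flatten the membership in one call, but it returns only the leaf objects and drops the nesting chain, which is why the walk is written out explicitly here.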
 
LVL 11

Author Comment

by:bsharath
ID: 22713741

Worked perfect, thanks a lot...
0
 
LVL 11

Author Comment

by:bsharath
ID: 22806600