
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 243

Need to list out all accounts that have permissions to a folder

I have some folders with many groups and accounts in their permission lists. I need to dump all the user accounts to an Excel file. Can this be done with dsquery? If so, how?

2 Solutions
Joseph DalyCommented:
I'm assuming when you say a folder you mean an OU in Active Directory?

This cannot be done with DSquery; you will need to run dsrevoke on the folder.

rdefinoAuthor Commented:
It's just a folder in a directory structure that has certain permissions assigned to it.
Use the command:

cacls c:\windows

or whatever your path is.

Joseph DalyCommented:
The dsrevoke syntax is as follows.

Using Dsrevoke
Dsrevoke.exe has the following syntax:

dsrevoke /report|/remove [/domain:domainname] [/username:username] [/password:password|*] [/root:domain/OU] securityprincipal

Descriptions for each option are as follows:

/report: Reports the explicit ACEs that are currently set for the specified security principal on OU objects in the specified domain or an OU subtree. By default, the command dsrevoke /report starts at the domain root and searches every OU below that root for explicit ACEs that are granted to the specified security principal. If you are sure that the permissions for a security group are set only on or below a specific OU, you can specify the scope of the search by using the /OU switch to make the search more efficient.

/remove: Reports all explicit ACEs and then, after prompting for confirmation, removes the ACEs that are currently set for the security principal, including all inherited ACEs.

/domain: The DNS or NetBIOS name of the domain in which the permissions are to be removed. This value must be specified only when the ACEs that you want to remove are set on OUs in a domain other than the domain of the logged-on user.

/username: The user name of the user who is using the tool. This value is required when:

  • The user is not logged on as an administrator.
  • ACEs are being removed in a domain other than the domain of the logged-on user.

/password: The password of the tool user. If the command is entered with an asterisk (*) in place of a password, the tool prompts the user for a password.

/root: The OU or domain root at which to start the search for ACEs. If no value is specified, the search begins at the root of the specified domain. If no domain is specified, the search begins at the root of the domain of the logged-on user. When specifying a root domain or OU, you must use the distinguished name (for example, /root:OU=BusUnits,DC=DomainA,DC=com). If spaces occur in any part of the distinguished name, enclose the entire option in quotation marks (for example, "/root:OU=Product Development,OU=Delegation,OU=Business Units,DC=DomainA,DC=com").

securityprincipal: The identity of the user or group in the form DomainName\UserName or DomainName\GroupName. Use the DNS name or NetBIOS name of the domain.
Joseph DalyCommented:
Disregard my comments, crokeefe has it.

cacls c:\windows >c:\testing.xls
rdefinoAuthor Commented:
That worked to the point of giving me the security groups that have permissions to the folder. How would I modify that syntax to list all of the users within all of the security groups?

Without downloading something like Hyena or any other tools, it is pretty difficult to pipe the output into something like dsquery or dsget to perform the query that you are looking for. Attached is a script that I found a while ago, and I do not know who to give props to, but it is pretty awesome. It basically goes to AD and lists all groups with descriptions and members into an HTML doc in the folder you launched the program from. Just copy the code into Notepad and save it under whatever name you like with the .vbs extension.

As for doing it from the command line, the closest that you will get will probably be something like the following:

dsquery group -name NameOfYourGroup | dsget group -members | dsget user -samid > c:\whatever.txt

This will pipe the group name to get the members and list them by sAMAccountName. You can use this in combination with the CACLS command, but I could not figure out how to pipe the information to the above command. Your choice, but there it is. Sorry it took so long to get back to you.

' VBScript program to document all groups in Active Directory.
' Outputs group name, type of group, all members, and types of member.
' Lists all groups that are members, but does not list the nested group
' membership.
Option Explicit
Dim objConnection, objCommand, objRootDSE, strDNSDomain, strQuery
Dim objRecordSet, strDN, objGroup
Dim FileSystem, oFile

' Open the text file for output (created in the folder the script is run from).
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set oFile = FileSystem.CreateTextFile("GroupMembershipNew.html", True)
oFile.WriteLine "<HTML><HEAD><TITLE>Group Membership for MyDomain.com</TITLE></HEAD><BODY>"
oFile.WriteLine "<h4><TABLE width=100% border=0 padding=0 cellspacing=0 valign=top>"

' Use ADO to search Active Directory.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Search for all groups, return the Distinguished Name of each.
strQuery = "<LDAP://" & strDNSDomain _
    & ">;(objectClass=group);distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Nothing to document: close the file, release objects and stop.
If objRecordSet.EOF Then
    WScript.Echo "No groups found"
    oFile.Close
    Set objRootDSE = Nothing
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing
    WScript.Quit
End If

' Enumerate all groups, bind to each, and document group members.
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName")
    Set objGroup = GetObject("LDAP://" & strDN)
    oFile.WriteLine "<TR>"
    oFile.WriteLine "<TD width=20% valign=top bgcolor=black><font color=white><strong><u>" & "Group Name:" & _
        "</u></strong></font></TD><TD width=80% valign=top><strong>" & _
        objGroup.sAMAccountName & "</strong></TD>"
    oFile.WriteLine "</TR><TR>"
    oFile.WriteLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Distinguished Name:" & _
        "</u></strong></font></TD><TD valign=top><strong>" & _
        objGroup.distinguishedName & "</strong></TD>"
    oFile.WriteLine "</TR><TR>"
    oFile.WriteLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Description:" & _
        "</u></strong></font></TD><TD valign=top><strong>" & _
        objGroup.description & "</strong></TD>"
    oFile.WriteLine "</TR><TR>"
    oFile.WriteLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Type:" & _
        "</u></strong></font></TD><TD valign=top><strong>" & GetType(objGroup.groupType) & "</strong></TD>"
    oFile.WriteLine "</TR>"
    oFile.WriteLine "<TR><TD valign=top bgcolor=black><font color=white><strong><u>Members:</u></strong></font></TD><TD align=left valign=top>"
    oFile.WriteLine "<TABLE width=70% border=0 cellspacing=0 cellpadding=0>"
    oFile.WriteLine "<TR>"
    oFile.WriteLine " <TD valign=top><strong><u> Name </u></strong></TD>"
    oFile.WriteLine " <TD valign=top><strong><u> Account </u></strong></TD>"
    oFile.WriteLine " <TD valign=top><strong><u> Type </u></strong></TD>"
    oFile.WriteLine "</TR>"
    Call GetMembers(objGroup)
    oFile.WriteLine "</TABLE>"
    oFile.WriteLine "</TD></TR>"
    oFile.WriteLine "<TR><TD COLSPAN=2><hr width=90%></TD></TR>"
    objRecordSet.MoveNext
Loop

oFile.WriteLine "</TABLE></BODY></HTML>"
oFile.Close
MsgBox "Done !!!"

' Clean up.
Set objRootDSE = Nothing
Set objGroup = Nothing
Set objConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing

Function GetType(intType)
    ' Function to determine group type from the groupType attribute.
    ' The low bits give the scope; the high bit tells security from distribution group.
    If (intType And &h01) <> 0 Then
        GetType = "Built-in"
    ElseIf (intType And &h02) <> 0 Then
        GetType = "Global"
    ElseIf (intType And &h04) <> 0 Then
        GetType = "Local"
    ElseIf (intType And &h08) <> 0 Then
        GetType = "Universal"
    End If
    If (intType And &h80000000) <> 0 Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function

Sub GetMembers(objADObject)
    ' Subroutine to document group membership.
    ' Members can be users or groups; nested groups are listed but not expanded.
    Dim objMember, strType
    For Each objMember In objADObject.Members
        If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then
            strType = "Group"
        Else
            strType = "User"
        End If
        oFile.WriteLine "<TR>"
        oFile.WriteLine "<TD valign=top>" & objMember.displayName & _
            "</TD><TD valign=top>" & objMember.sAMAccountName & _
            "</TD><TD valign=top>" & strType & "</TD>"
        oFile.WriteLine "</TR>"
        ' WScript.Echo " Member: " & objMember.sAMAccountName & " (" & strType & ")"
    Next
    Set objMember = Nothing
End Sub
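The thread stops at the point where the cacls output could not be piped into dsget. The following PowerShell script is an added example written for this page (it is not code from any of the posters) that does that join end to end: it reads the folder's NTFS ACL, expands every domain group in it down to user accounts, following nested groups and recording which group chain grants the access, and writes a CSV that Excel opens directly. It assumes the ActiveDirectory module (RSAT) is installed; the folder path and output file are placeholders.

```powershell
# Added example, not from the original thread. Resolve a folder's NTFS ACL to the individual
# user accounts that hold access, following nested AD groups, and export the result as CSV.
# Assumes the ActiveDirectory module (RSAT). $Path and $OutFile are placeholders.
param(
    [string]$Path    = 'C:\Shares\Finance',
    [string]$OutFile = "$env:TEMP\folder-access.csv"
)
Import-Module ActiveDirectory

# One output row per (user, ACE) pair so Rights/Type/Inherited stay attached to the user.
function New-Row($Ace, $User, $Via) {
    [pscustomobject]@{
        User = $User; Via = $Via
        Rights = "$($Ace.FileSystemRights)"; Type = "$($Ace.AccessControlType)"
        Inherited = $Ace.IsInherited
    }
}

# Recursively yield the user members of a group. $Via records the group chain that grants
# access; $Seen stops infinite recursion when groups are nested in a cycle.
function Expand-GroupMembers {
    param([string]$Group, [string]$Via, [hashtable]$Seen)
    if ($Seen.ContainsKey($Group)) { return }
    $Seen[$Group] = $true
    foreach ($m in Get-ADGroupMember -Identity $Group) {
        if ($m.objectClass -eq 'group') {
            Expand-GroupMembers -Group $m.SamAccountName -Via "$Via > $($m.SamAccountName)" -Seen $Seen
        } else {
            [pscustomobject]@{ User = $m.SamAccountName; Via = $Via }
        }
    }
}

$rows = foreach ($ace in (Get-Acl -Path $Path).Access) {
    # IdentityReference is 'DOMAIN\Name'. Local, well-known and unresolved (raw SID) principals
    # have no AD group to expand, so they are written out as they appear in the ACL.
    $domain, $name = $ace.IdentityReference.Value -split '\\', 2
    if (-not $name -or $domain -in @('BUILTIN', 'NT AUTHORITY', 'CREATOR OWNER', $env:COMPUTERNAME)) {
        New-Row $ace $ace.IdentityReference.Value '(not expanded)'
        continue
    }
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if ($grp) {
        Expand-GroupMembers -Group $grp.SamAccountName -Via $grp.SamAccountName -Seen @{} |
            ForEach-Object { New-Row $ace $_.User $_.Via }
    } else {
        New-Row $ace $name '(direct ACE)'   # a user or computer account granted directly
    }
}

$rows | Sort-Object User, Via | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) rows to $OutFile"
```

Get-Acl reports NTFS permissions only; share permissions on the same folder are a separate layer, and Deny rows must be read against Allow rows before concluding who can actually reach the data. Get-ADGroupMember expands groups in the local domain only and fails on very large groups once the ADWS result-size limit is hit.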
