How to get out the members of a group in MS Active Directory with commands, not GUI

Want to get all the members in one group in MS Active Directory with LDAP commands. For example, get all the members in the group Domain Users.
jl66 Asked:
 
Chris Dent (PowerShell Developer) Commented:

Fixed it.

Anyway, it doesn't deviate much from the documentation above. Members of the Domain Users group can be retrieved as below. In an ideal world the filter would be modified to return the correct results rather than trying to filter a larger result set within the code.

An example of a filter to return members of a standard group would be:

$filter = "(memberOf=CN=groupname,OU=somewhere,DC=yourdomain,DC=com)";

It is also possible to loop through the "member" attribute on a group, like the search below that will return the distinguishedName value of each member.

Chris
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_text);
 
my $server = "aserver";
my $binddn = "cn=someone,ou=somewhere,dc=yourdomain,dc=com";
my $password = "password";
 
my $basedn = "dc=yourdomain,dc=com";
# 513 is the RID of Domain Users; accounts whose primary group is
# Domain Users carry it in primaryGroupID rather than in memberOf.
my $filter = "(&(objectClass=user)(objectCategory=person)(primaryGroupID=513))";
 
my $ldap = Net::LDAP->new($server) or die "Cannot connect to $server: $@\n";
 
# Authenticated simple bind; check the result before searching.
my $mesg = $ldap->bind($binddn, password => $password);
if ( $mesg->code ) {
    my $errstr = $mesg->code;
    print "Error code:  $errstr\n";
    $errstr = ldap_error_text($errstr);
    print "$errstr\n";
    exit 1;   # do not go on to search after a failed bind
}
 
$mesg = $ldap->search(
  base => $basedn,
  filter => $filter
);
 
my $max = $mesg->count;
 
for( my $index = 0 ; $index < $max ; $index++) {
  my $entry = $mesg->entry($index);
  my $dn = $entry->dn; # Obtain DN of this entry
 
  print "$dn\n";
}


0
 
Chris Dent (PowerShell Developer) Commented:

You had to pick one of the harder groups to start with ;) Most groups are listed in a user's "memberOf" attribute, which cross links to the "member" attribute on the group.

The Domain Users group is a bit of an exception because by default it's an account's Primary Group. The Primary Group for an account isn't listed in memberOf, and consequently the users aren't listed in member. Instead they're linked by PrimaryGroupID (on the user account) and PrimaryGroupToken (on the group).

Still there are plenty of ways to get information out of Active Directory, whether using scripts or tools built specifically to query AD.

On the tools side you have these to start with:

DsQuery / DsGet / DsMod / DsAdd / DsDel / DsMove - Should come pre-installed
AdFind / AdMod - Written by Joe Richards and available here: http://www.joeware.net/freetools/

On the scripting side you have:

VBScript - uses ADSI to access information in AD
JavaScript - can also use ADSI
Perl - has lots of LDAP modules available
PowerShell - can use classes from the .NET Framework and has pre-built commands available (http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx with additional free CmdLets here http://www.quest.com/powershell/)

Then of course you can program your own. Managed code options include VB .NET and C# .NET (both through ADSI and a bit deeper using System.DirectoryServices.Protocols). You can pretty much do what you please in C++ if you prefer serious programming. VB 6 can as well, but I have no experience with that and cannot comment on it further.

Is there any particular avenue you would like to explore further? What are you looking to get from this?

Chris
0
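
The lookup described above, generalized to any group, as an added example (not code from the thread or from Chris Dent): it reads the group's primaryGroupToken, matches users through either memberOf or primaryGroupID, and pages the results. The server name, the DNs, the LDAP_PASSWORD environment variable and LDAPS with a certificate the client trusts are assumptions.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder names in the style of the thread (assumptions); replace them.
my ($server, $basedn) = ('aserver', 'dc=yourdomain,dc=com');
my $binddn   = "cn=someone,ou=somewhere,$basedn";
my $password = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD\n";
my $group_dn = "CN=Domain Users,CN=Users,$basedn";

# LDAPS (assumed available) keeps the simple-bind password off the wire.
my $ldap = Net::LDAP->new("ldaps://$server", verify => 'require')
    or die "connect: $@\n";
my $mesg = $ldap->bind($binddn, password => $password);
die 'bind: ' . $mesg->error . "\n" if $mesg->code;

# primaryGroupToken is a constructed attribute: it is returned only when
# requested by name, so read it from the group object itself.
$mesg = $ldap->search(base => $group_dn, scope => 'base',
    filter => '(objectClass=group)', attrs => ['primaryGroupToken']);
die 'group lookup: ' . $mesg->error . "\n" if $mesg->code;
my $group = $mesg->entry(0) or die "group not found\n";
my $token = $group->get_value('primaryGroupToken');
die "primaryGroupToken not returned\n" unless defined $token;

# A user belongs to the group through memberOf or through primaryGroupID.
my $filter = sprintf '(&(objectCategory=person)(objectClass=user)'
    . '(|(memberOf=%s)(primaryGroupID=%d)))',
    escape_filter_value($group_dn), $token;

# AD truncates one search at its page-size limit (1000 by default),
# so fetch the result in pages until the server returns an empty cookie.
my $page  = Net::LDAP::Control::Paged->new(size => 500);
my $total = 0;
while (1) {
    $mesg = $ldap->search(base => $basedn, filter => $filter,
        attrs => ['1.1'], control => [$page]);
    die 'search: ' . $mesg->error . "\n" if $mesg->code;
    for my $entry ($mesg->entries) { print $entry->dn, "\n"; $total++ }
    my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
    my $cookie = $resp->cookie;
    last unless defined $cookie && length $cookie;
    $page->cookie($cookie);
}
print STDERR "$total members\n";
$ldap->unbind;
```

The memberOf clause matches direct members only; users who belong through a nested group are not returned by this filter.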
 
jl66 (Author) Commented:
Thanks for the info. Perl is good. Do you have some example on it?
0
 
Chris Dent (PowerShell Developer) Commented:

Afraid not, I've been having problems grabbing ActivePerl for my PC which is making testing rather tricky. The documentation for it is pretty good though:

http://ldap.perl.org/FAQ.html

If I can get it to download properly I'll post some examples for you.

Chris
0
 
jl66 (Author) Commented:
Chris,
Thanks for info and code. I will try it out and get back to you.
0
Question has a verified solution.
