Solved

how to get out the members of a group in MS Active Directory with commands not GUI

Posted on 2009-05-08
Last Modified: 2013-12-24
Want to get all the members in one group in MS Active Directory with LDAP commands. For example, get all the members in the group Domain Users.
Question by:jl66

Assisted Solution

by:Chris Dent
ID: 24343212

You had to pick one of the harder groups to start with ;) Most groups are listed in a user's "memberOf" attribute, which cross links to the "member" attribute on the group.

The Domain Users group is a bit of an exception because by default it's an account's Primary Group. The Primary Group for an account isn't listed in memberOf, and consequently the users aren't listed in member. Instead they're linked by PrimaryGroupID (on the user account) and PrimaryGroupToken (on the group).

Still there are plenty of ways to get information out of Active Directory, whether using scripts or tools built specifically to query AD.

On the tools side you have these to start with:

DsQuery / DsGet / DsMod / DsAdd / DsDel / DsMove - Should come pre-installed
AdFind / AdMod - Written by Joe Richards and available here: http://www.joeware.net/freetools/

On the scripting side you have:

VbScript - uses ADSI to access information in AD
JavaScript - can also use ADSI
Perl - has lots of LDAP modules available
PowerShell - can use classes from the .NET Framework and has pre-built commands available (http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx with additional free CmdLets here http://www.quest.com/powershell/)

Then of course you can program your own. Managed code options include VB .NET and C# .NET (both through ADSI and a bit deeper using System.DirectoryServices.Protocols). You can pretty much do what you please in C++ if you prefer serious programming. VB 6 can as well, but I have no experience with that and cannot comment on it further.

Is there any particular avenue you would like to explore further? What are you looking to get from this?

Chris

Author Comment

by:jl66
ID: 24343665
Thanks for the info. Perl is good. Do you have some example on it?

Assisted Solution

by:Chris Dent
ID: 24355199

Afraid not, I've been having problems grabbing ActivePerl for my PC which is making testing rather tricky. The documentation for it is pretty good though:

http://ldap.perl.org/FAQ.html

If I can get it to download properly I'll post some examples for you.

Chris

Accepted Solution

by:Chris Dent
ID: 24355961

Fixed it.

Anyway, it doesn't deviate much from the documentation above. Members of the Domain Users group can be retrieved as below. In an ideal world the filter would be modified to return the correct results rather than trying to filter a larger result set within the code.

An example of a filter to return members of a standard group would be:

$filter = "(memberOf=CN=groupname,OU=somewhere,DC=yourdomain,DC=com)";

It is also possible to loop through the "member" attribute on a group, like the search below that will return the distinguishedName value of each member.

Chris
use strict;
use warnings;
use Net::LDAP;    # module names are case-sensitive
use Net::LDAP::Util qw(ldap_error_text);

my $server = "aserver";
my $binddn = "cn=someone,ou=somewhere,dc=yourdomain,dc=com";
my $password = "password";

my $basedn = "dc=yourdomain,dc=com";
# 513 is the primaryGroupID value that links accounts to Domain Users
my $filter = "(&(objectClass=user)(objectCategory=person)(primaryGroupID=513))";

# new() returns undef on failure and leaves the reason in $@
my $ldap = Net::LDAP->new($server) or die "Cannot connect to $server: $@\n";

my $mesg = $ldap->bind($binddn, password => $password);
if ( $mesg->code ) {
    my $errstr = $mesg->code;
    print "Error code:  $errstr\n";
    $errstr = ldap_error_text($errstr);
    print "$errstr\n";
    exit 1;    # do not go on to search after a failed bind
}

$mesg = $ldap->search(
  base => $basedn,
  filter => $filter
);

my $max = $mesg->count;

for ( my $index = 0 ; $index < $max ; $index++ ) {
  my $entry = $mesg->entry($index);
  my $dn = $entry->dn; # Obtain DN of this entry

  print "$dn\n";
}

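Added example, not part of the original thread or of Chris Dent's code: the answers above link ordinary members through memberOf and primary-group members through primaryGroupID (user) and PrimaryGroupToken (group). The Perl below builds one filter that covers both link types, escapes the group DN per RFC 4515 so a DN taken from input cannot change the filter's structure, and reads the group's RID out of a binary objectSid. The helper names, the sample SID and the sample DN are constructed for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: RFC 4515 escaping for a value placed in a search filter.
# (Net::LDAP::Util exports escape_filter_value for the same job.)
sub ldap_filter_escape {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf("\\%02x", ord($1))/ge;
    return $value;
}

# Hypothetical helper: decode a binary objectSid. Layout: revision (1 byte),
# sub-authority count (1 byte), 48-bit big-endian authority, then that many
# little-endian 32-bit sub-authorities.
sub sid_to_string {
    my ($bin) = @_;
    die "objectSid too short\n" if length($bin) < 8;
    my ($rev, $count, $hi, $lo) = unpack("C C n N", $bin);
    die "objectSid length mismatch\n" if length($bin) != 8 + 4 * $count;
    my @sub = unpack("V$count", substr($bin, 8));
    return join("-", "S", $rev, $hi * 2**32 + $lo, @sub);
}

# The RID (last sub-authority) of the group's SID is the number users carry
# in primaryGroupID and the number AD reports as primaryGroupToken.
sub group_rid {
    my ($bin) = @_;
    my @parts = split /-/, sid_to_string($bin);
    die "SID has no sub-authority\n" if @parts < 4;
    return $parts[-1];
}

# One filter for both link types: memberOf and primary group.
sub all_members_filter {
    my ($group_dn, $rid) = @_;
    die "RID must be numeric\n" unless $rid =~ /\A\d+\z/;
    return sprintf(
        "(&(objectCategory=person)(objectClass=user)(|(memberOf=%s)(primaryGroupID=%d)))",
        ldap_filter_escape($group_dn), $rid);
}

# Constructed sample data: a made-up domain SID ending in RID 513, and a
# made-up group DN containing parentheses to exercise the escaping.
my $sid = pack("C C n N V5", 1, 5, 0, 5, 21, 1111111111, 2222222222, 3333333333, 513);
my $dn  = "CN=Domain Users (HQ),CN=Users,DC=yourdomain,DC=com";

print sid_to_string($sid), "\n";
print all_members_filter($dn, group_rid($sid)), "\n";
```

The resulting string can be passed as the filter argument of the search call in the script above; memberOf matches direct membership only.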
 

Author Comment

by:jl66
ID: 24360300
Chris,
Thanks for info and code. I will try it out and get back to you.