itsmevic (United States) asked:
HTA / VBScript That Pulls Group Membership in AD

Hi Experts!

     I'm curious if one of you guys has an HTA (preferably) that allows you to enter the name of a group; the HTA then queries AD, pulls the membership of that group, and gives the option to save/export it as either a .txt or .csv file?

     I have some example HTA code attached which is really quite amazing.   It basically scans the entire AD tree's parent OUs and sub-OUs, enumerates each OU, and then determines what permissions that OU and its sub-OUs have.  It also allows me to filter out readings that I do not want to see.  Is there any way we could add what I requested above to the code below?  Or if you have a completely separate HTA that does this, that's fine too.  

     Your help is GREATLY APPRECIATED!!!

     
<html>
<hta:application
	  ID="objOUPermissions" 
	  APPLICATIONNAME="OUPermissions"
	  SCROLL="yes"
	  SINGLEINSTANCE="yes"
	  WINDOWSTATE="normal"
>

<head>

<script language="vbscript">

Dim html
Dim strTitle
Dim arrExcludeList
Dim strExcludeList
Dim intAceCount

' Trustees to hide from the listing; the comparison is case-insensitive on the
' part after "DOMAIN\". ("Scheme Admins" was a typo, so Schema Admins was never excluded.)
strExcludeList="System Admin,Domain Admins,Schema Admins,Account Operators,Print Operators,Enterprise Domain Controllers,Password Manager,System"
arrExcludeList=split(strExcludeList,",")

strTitle="AD OU Permissions"

Sub Window_OnLoad
	document.title=strTitle
	CommentArea.innerHTML="<b>Excluded from listing:</b><br>" & strExcludeList & "<hr>"
	Get_OU_List
End Sub


Sub Get_OU_List
	' Enumerate every OU in the default naming context (subtree search through
	' the ADSI OLE DB provider) and load them into the select1 drop-down.

	Const ADS_SCOPE_SUBTREE = 2
	
	Set objRootDSE = GetObject("LDAP://rootDSE")
	strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")
	
	Set objConnection = CreateObject("ADODB.Connection")
	Set objCommand = CreateObject("ADODB.Command")
	objConnection.Provider = "ADsDSOObject"
	objConnection.Open "Active Directory Provider"
	Set objCommand.ActiveConnection = objConnection
	
	objCommand.Properties("Page Size") = 4000
	objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
	
	
	objCommand.CommandText = _
		"SELECT Name,ADsPath FROM '" & strADsPath & "' WHERE objectCategory='OrganizationalUnit'"
	
	Set objRecordSet = objCommand.Execute
	
	objRecordSet.MoveFirst
	While NOT objRecordSet.EOF
		strADsPathOU = objRecordSet.Fields("ADsPath").Value
		
		Set objNewOption = document.createElement("OPTION")
		posStart=instr(strADsPathOU,"//")+2
		posEnd=instr(ucase(strADsPathOU),",DC=")
		strName=mid(strADsPathOU,posStart,posEnd-posStart)
		
		objNewOption.Text = strName
		objNewOption.Value= strADsPathOU
		select1.options.Add(objNewOption)
		
		objRecordSet.MoveNext
	Wend
	

End Sub




Sub AddHtml(myLine)
	html=html &  myLine 
End Sub



Sub GetPermissions
	html=""
	
	For Each objOption In select1.Options
		If objOption.Selected = True Then
			myOU=objOption.text
			myADsPath=objOption.Value
		End If
	Next
	
	If myAdsPath="" then Exit Sub
	
	
	GetSecurityDescriptor myADsPath

	If html <> "" then AddButtons
	
	DataArea.innerHTML=html
	
End Sub

Sub AddButtons
	html = "<button id=""b1"" onmouseover=Highlight('b1') onmouseout=Highlight('b1') onclick=Collapse('ShowMe')>Expand All</button>" & _
		"<button id=""b2"" onmouseover=Highlight('b2') onmouseout=Highlight('b2') onclick=Collapse('HideMe')>Collapse All</button><br><br>" & html
End Sub

Sub Collapse(myClass)
	
	for i = 1 to intAceCount
		Set myElement = document.getElementById("divEntryData" & i)
		myElement.className=myClass
	next
End Sub

Sub Highlight(elem)
	Set myElement = document.getElementById(elem)
	If myElement.className="darkborder" then
		myElement.className="lightborder"
	Else
		myElement.className="darkborder"
	End If
End Sub

Sub ClearOUs
	For Each objOption In select1.Options
		If objOption.text<> "" then select1.removeChild(objOption)
	Next
End Sub


Sub ShowHide(elem)
	Set myElement = document.getElementById(elem)
	if myElement.className="HideMe" then
		myElement.className="ShowMe"
	Else
		myElement.className="HideMe"
	End If
End Sub



Sub GetSecurityDescriptor(myOU)
	' Bind to the OU, read its ntSecurityDescriptor, report whether the DACL is
	' protected (inheritance from the parent blocked), then walk the DACL.
	Const SE_DACL_PROTECTED = &H1000 
	 
	Set objContainer = GetObject(myOU)
	 
	Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
	 
	intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
	 
	AddHtml "<b>Permissions Tab</b><br>"
	AddHtml "Allow inheritable permissions from the parent to " & _
		"propagate to this object and all child objects "
		
	If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
		AddHtml "is disabled."
	Else
		AddHtml "is enabled."
	End If
	AddHtml "<br><br>"
	 
	Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
	DisplayAceInformation objDiscretionaryAcl, "DACL"


End Sub


 
' Render one collapsible entry per ACE in the DACL, skipping NT AUTHORITY and the
' excluded trustees. The ACE's ObjectType / InheritedObjectType GUIDs (which property
' set or extended right an object ACE applies to) are not read, so an "Extended access
' rights" entry does not say which right is granted.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 
    Const ADS_ACETYPE_ACCESS_DENIED = &H1 
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6 
    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = objAce.Trustee
		If instr(strTrustee,"\") then
			tmpTrustee=mid(strTrustee,Instr(strTrustee,"\")+1)
		Else
			tmpTrustee=strTrustee
		End If
		go=True
		For each blah in arrExcludeList
			If lcase(blah)=lcase(tmpTrustee) then go=False
		Next 
		
        ' Instr returns 0 when the substring is absent.
        If Instr(strTrustee,"NT AUTHORITY")=0 and go=True Then
		
            intAceCount = intAceCount + 1
            'AddHtml strType & " permission entry: " & intAceCount
            AddHtml "<div id=""divTrusteeName" & intAceCount & """ onclick=ShowHide('divEntryData" & intAceCount & "') class=""TrusteeName"">Entry #" & intAceCount & "&nbsp;" & objAce.Trustee & "</div>"
			AddHtml "<div id=""divEntryData" & intAceCount & """ class=""HideMe"">"
			AddHtml "<hr>"
			divCount=divCount+1

            intAceType = objAce.AceType
			If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
				intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
				AddHtml "Type: Allow Access"
			ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
				intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
				AddHtml "Type: Deny Access"
			Else
				AddHtml "Access Type Unknown."
			End If
			ReadBitsInAccessMask(objAce.AccessMask)
			AddHtml "<br>"
			AddHtml "</div>"
		End If

    Next
End Sub
 
' Decode the ACE access mask bit by bit into the standard and directory-specific
' rights it grants (constant values are from ADS_RIGHTS_ENUM).
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
 
    AddHtml "<br>Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        AddHtml "<li>Delete an object.</li>"
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        AddHtml "<li>Read permissions.</li>"
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        AddHtml "<li>Write permissions.</li>"
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        AddHtml "<li>Modify owner.</li>"
  
    AddHtml "<br>Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
      AddHtml "<li>Create child objects.</li>"
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        AddHtml "<li>Delete child objects.</li>"
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        AddHtml "<li>List contents (enumerate child objects).</li>"
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        AddHtml "<li>Read the properties of an object.</li>"
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        AddHtml "<li>Write the properties of an object.</li>"
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        AddHtml "<li>Delete a tree of objects</li>"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        AddHtml "<li>List object (see this object even without List Contents on its parent).</li>"
 
    AddHtml "<br>Control Access Rights"
    If (AccessMask And (ADS_RIGHT_DS_CONTROL_ACCESS Or ADS_RIGHT_DS_SELF)) = 0 Then
        AddHtml "<li>None</li>"
    Else
        ' Which extended right this is lives in objAce.ObjectType, not in the mask.
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            AddHtml "<li>Extended access rights.</li>"
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            AddHtml "<li>Validated write: Active Directory must validate a property " & _
                "write operation beyond the schema definition for the attribute.</li>"
        End If
    End If
End Sub

</script>

<style>

body {
	font: 10pt arial;
	background-color: buttonface;
}

button
{
	font-family: arial;
	font-size: 8pt;
	width: 70px;
	border: 2px solid gray;
	margin: 3px;
	cursor: hand;
}

.lightborder {
	border: 2px solid gray;
}
.darkborder {
	border: 2px solid black;
}


.ShowMe {
	display: block;
	color: gray;
}

.HideMe {
	display: none;
}

.TrusteeName {
	font-weight: bold;
	cursor: hand;
	color: gray;
}

</style>

</head>

<body>
Organizational Unit:<br>
<select size="0" name="select1" id="select1" onchange="GetPermissions"><option value=""></option></select><BR><BR>
<div id="CommentArea"></div><br>
<div id="DataArea"></div>
</body>
</html>


mrfixit584:

Somarsoft's DumpSec program can pull a ton of data and save it to a file. It is free. It is distributed by SystemTools, the makers of Hyena. It is quite an amazing tool.
itsmevic (asker):

Hi there MrFixit, that looks like promising software, however if we could do this without having to install 3rd party software that would be great (Can't install 3rd party software for obvious reasons).  That's why I provided the example above hoping to add to it.  
RobSampson:
Hi,

This one would be a start, but I can't modify it until Monday.
https://www.experts-exchange.com/questions/23863991/VB-Script-lists-members-of-OU-Need-it-to-query-Group-as-well-List-common-members-of-both-the-group-and-OU.html

What that one does is, you select an OU, then a group, and when you click Get Members, the users that are in BOTH the OU and the group are listed.

When I modify it, I'll just take out the OU listing, and have it list the members of the group.

Exporting after that is pretty easy.

On the other hand, someone else may jump in with a solution before then.

Regards,

Rob.
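Rob's accepted solution is members-only on this site, so here is an added example of the approach he describes (look the group up, list its members, export), written for this page in the same ADSI/VBScript style as the asker's HTA. It is not Rob's code and not part of the original thread. It is a plain .vbs rather than an HTA (the same functions can be called from a button in an HTA), and assumes it runs under cscript as a domain user on a domain-joined Windows host; the group's sAMAccountName comes from the command line and the output is a quoted CSV. The script name, function names and the CSV layout are this example's own choices.

```vbscript
' ExportGroupMembers.vbs - added example for this thread (not Rob's solution).
' Assumptions: run with cscript as a domain user on a domain-joined host;
' argument 1 is the group's sAMAccountName, optional argument 2 the CSV path.
Option Explicit

Dim strGroup, strOutFile, strGroupPath, objFSO, objOut, objSeen, intCount

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript //nologo ExportGroupMembers.vbs <GroupSamAccountName> [output.csv]"
    WScript.Quit 1
End If
strGroup = WScript.Arguments(0)
If WScript.Arguments.Count > 1 Then
    strOutFile = WScript.Arguments(1)
Else
    strOutFile = strGroup & "_members.csv"
End If

strGroupPath = FindGroup(strGroup)
If strGroupPath = "" Then
    WScript.Echo "Group not found: " & strGroup
    WScript.Quit 2
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")
' Third argument True = Unicode, so non-ASCII display names survive the export.
Set objOut = objFSO.CreateTextFile(strOutFile, True, True)
objOut.WriteLine "Group,MemberClass,sAMAccountName,DisplayName,DistinguishedName"
Set objSeen = CreateObject("Scripting.Dictionary")
intCount = WriteMembers(strGroupPath, strGroup, objOut, objSeen)
objOut.Close
WScript.Echo intCount & " member rows written to " & strOutFile

' Find the group by sAMAccountName with the same ADODB/ADsDSOObject search the
' OU permissions HTA above uses; returns its ADsPath, or "" if not found.
Function FindGroup(strName)
    Dim objRootDSE, objConnection, objCommand, objRecordSet
    FindGroup = ""
    Set objRootDSE = GetObject("LDAP://rootDSE")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand = CreateObject("ADODB.Command")
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=group)(sAMAccountName=" & LdapEscape(strName) & "));ADsPath;subtree"
    Set objRecordSet = objCommand.Execute
    If Not objRecordSet.EOF Then FindGroup = objRecordSet.Fields("ADsPath").Value
    objRecordSet.Close
    objConnection.Close
End Function

' RFC 4515 escaping: a user-typed name must not be able to change the filter
' ("*" alone would match every group, ")(..." would inject another clause).
Function LdapEscape(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    LdapEscape = strOut
End Function

' Write one CSV row per member and recurse into nested groups. objSeen is a
' Dictionary keyed by DN, so circular or diamond-shaped nesting neither loops
' nor produces duplicate rows. Returns the number of rows written.
Function WriteMembers(strGroupPath, strGroupName, objOut, objSeen)
    Dim objGroup, objMember, strClass, strDN, intRows
    intRows = 0
    Set objGroup = GetObject(strGroupPath)
    For Each objMember In objGroup.Members
        strDN = objMember.Get("distinguishedName")
        If Not objSeen.Exists(strDN) Then
            objSeen.Add strDN, True
            strClass = objMember.Class
            objOut.WriteLine CsvField(strGroupName) & "," & CsvField(strClass) & "," & _
                CsvField(AttrOrEmpty(objMember, "sAMAccountName")) & "," & _
                CsvField(AttrOrEmpty(objMember, "displayName")) & "," & CsvField(strDN)
            intRows = intRows + 1
            If LCase(strClass) = "group" Then
                intRows = intRows + WriteMembers(objMember.ADsPath, _
                    AttrOrEmpty(objMember, "sAMAccountName"), objOut, objSeen)
            End If
        End If
    Next
    WriteMembers = intRows
End Function

' Read an attribute that may be absent (foreignSecurityPrincipal members from
' trusted domains have no sAMAccountName) without aborting the script.
Function AttrOrEmpty(objADs, strAttr)
    On Error Resume Next
    AttrOrEmpty = ""
    AttrOrEmpty = objADs.Get(strAttr)
    Err.Clear
    On Error GoTo 0
End Function

' Quote a CSV field and double embedded quotes; DNs always contain commas.
Function CsvField(strValue)
    CsvField = """" & Replace(CStr(strValue), """", """""") & """"
End Function
```

Run it as `cscript //nologo ExportGroupMembers.vbs "Domain Admins" admins.csv`. Two caveats a reviewer of the output should know: accounts whose primaryGroupID points at the group (normally Domain Users) are not in the group's member attribute and will not appear, and members from trusted domains show up as foreignSecurityPrincipal objects with a DN but no sAMAccountName. The escaping step matters once the name comes from a text box in an HTA rather than a trusted command line, because otherwise a value such as `*` silently widens the search.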
Hey there Rob, I'll take a look at this first thing on Monday.  Thanks for jumping in on this : )
ASKER CERTIFIED SOLUTION
RobSampson (Australia)

This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
Very cool Rob, thank you.  I'll test this first thing and let ya know.
Oh WOW, Rob this is great man!  I'm just looking it over now....
As always, simply superb.
Sure. It's nothing terribly special....just a list of group names.....hopefully it's what you're after.

Rob.
This script is AWESOME!!! So glad I found it! Thanks A MILLION, Rob!!!
@603currier, no problem.  I'm glad you find it useful.

Regards,

Rob.