itsmevic
asked on
HTA / VBScript That Pulls Group Membership in AD
Hi Experts!
I'm curious if one of you guys has an HTA (preferably) that allows you to enter in the name of a group and then the HTA queries AD and pulls the group membership of that group and gives the option to save/export as either a .txt or .csv file?
I have some example HTA code attached which is really quite amazing. It basically scans the entire AD tree's parent OUs and sub OUs and enumerates each OU and then determines what permissions that OU and its sub OUs have. It also allows me to filter out readings that I do not want to see. Is there any way we could add to the below code what I requested above? Or if you have a completely separate HTA that does this that's fine too.
Your help is GREATLY APPRECIATED!!!
<html>
<hta:application
ID="objOUPermissions"
APPLICATIONNAME="OUPermissions"
SCROLL="yes"
SINGLEINSTANCE="yes"
WINDOWSTATE="normal"
>
<head>
<script language="vbscript">
Dim html
Dim strTitle
Dim arrExcludeList
Dim strExcludeList
Dim intAceCount
strExcludeList="System Admin,Domain Admins,Scheme Admins,Account Operators,Print Operators,Enterprise Domain Controllers,Password Manager,System"
arrExcludeList=split(strExcludeList,",")
strTitle="AD OU Permissions"
Sub Window_OnLoad
document.title=strTitle
CommentArea.innerHTML="<b>Excluded from listing:</b><br>" & strExcludeList & "<hr>"
Get_OU_List
End Sub
Sub Get_OU_List
Const ADS_SCOPE_SUBTREE = 2
Set objRootDSE = GetObject("LDAP://rootDSE")
strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 4000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT Name,ADsPath FROM '" & strADsPath & "' WHERE objectCategory='OrganizationalUnit'"
Set objRecordSet = objCommand.Execute
' MoveFirst raises an error on an empty recordset, so guard it
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
While NOT objRecordSet.EOF
strADsPathOU = objRecordSet.Fields("ADsPath").Value
Set objNewOption = document.createElement("OPTION")
posStart=instr(strADsPathOU,"//")+2
posEnd=instr(ucase(strADsPathOU),",DC=")
strName=mid(strADsPathOU,posStart,posEnd-posStart)
objNewOption.Text = strName
objNewOption.Value= strADsPathOU
select1.options.Add(objNewOption)
objRecordSet.MoveNext
Wend
End Sub
Sub AddHtml(myLine)
html=html & myLine
End Sub
Sub GetPermissions
html=""
For Each objOption In select1.Options
If objOption.Selected = True Then
myOU=objOption.text
myADsPath=objOption.Value
End If
Next
If myAdsPath="" then Exit Sub
GetSecurityDescriptor myADsPath
If html <> "" then AddButtons
DataArea.innerHTML=html
End Sub
Sub AddButtons
html = "<button id=""b1"" onmouseover=Highlight('b1') onmouseout=Highlight('b1') onclick=Collapse('ShowMe')>Expand All</button>" & _
"<button id=""b2"" onmouseover=Highlight('b2') onmouseout=Highlight('b2') onclick=Collapse('HideMe')>Collapse All</button><br><br>" & html
End Sub
Sub Collapse(myClass)
for i = 1 to intAceCount
Set myElement = document.getElementById("divEntryData" & i)
myElement.className=myClass
next
End Sub
Sub Highlight(elem)
Set myElement = document.getElementById(elem)
If myElement.className="darkborder" then
myElement.className="lightborder"
Else
myElement.className="darkborder"
End If
End Sub
Sub ClearOUs
For Each objOption In select1.Options
If objOption.text<> "" then select1.removeChild(objOption)
Next
End Sub
Sub ShowHide(elem)
Set myElement = document.getElementById(elem)
if myElement.className="HideMe" then
myElement.className="ShowMe"
Else
myElement.className="HideMe"
End If
End Sub
Sub GetSecurityDescriptor(myOU)
Const SE_DACL_PROTECTED = &H1000
Set objContainer = GetObject(myOU)
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
AddHtml "<b>Permissions Tab</b><br>"
AddHtml "Allow inheritable permissions from the parent to " & _
"propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
AddHtml "is disabled."
Else
AddHtml "is enabled."
End If
AddHtml "<br><br>"
Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"
End Sub
Sub DisplayAceInformation(SecurityStructure, strType)
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
intAceCount = 0
For Each objAce In SecurityStructure
strTrustee = objAce.Trustee
If instr(strTrustee,"\") then
tmpTrustee=mid(strTrustee,Instr(strTrustee,"\")+1)
Else
tmpTrustee=strTrustee
End If
go=True
For each blah in arrExcludeList
If lcase(blah)=lcase(tmpTrustee) then go=False
Next
If Instr(strTrustee,"NT AUTHORITY")=False and go=True Then
intAceCount = intAceCount + 1
'AddHtml strType & " permission entry: " & intAceCount
AddHtml "<div id=""divTrusteeName" & intAceCount & """ onclick=ShowHide('divEntryData" & intAceCount & "') class=""TrusteeName"">Entry #" & intAceCount & " " & objAce.Trustee & "</div>"
AddHtml "<div id=""divEntryData" & intAceCount & """ class=""HideMe"">"
AddHtml "<hr>"
divCount=divCount+1
intAceType = objAce.AceType
If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
AddHtml "Type: Allow Access"
ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
AddHtml "Type: Deny Access"
Else
AddHtml "Access Type Unknown."
End If
ReadBitsInAccessMask(objAce.AccessMask)
AddHtml "<br>"
AddHtml "</div>"
End If
Next
End Sub
Sub ReadBitsInAccessMask(AccessMask)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
AddHtml "<br>Standard Access Rights"
If (AccessMask And ADS_RIGHT_DELETE) Then _
AddHtml "<li>Delete an object.</li>"
If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
AddHtml "<li>Read permissions.</li>"
If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
AddHtml "<li>Write permissions.</li>"
If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
AddHtml "<li>Modify owner.</li>"
AddHtml "<br>Directory Service Specific Access Rights"
If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
AddHtml "<li>Create child objects.</li>"
If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
AddHtml "<li>Delete child objects.</li>"
If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
AddHtml "<li>Enumerate an object.</li>"
If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
AddHtml "<li>Read the properties of an object.</li>"
If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
AddHtml "<li>Write the properties of an object.</li>"
If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
AddHtml "<li>Delete a tree of objects</li>"
If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
AddHtml "<li>List a tree of objects.</li>"
AddHtml "<br>Control Access Rights"
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
(AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
AddHtml "<li>None</li>"
Else
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
AddHtml "<li>Extended access rights.</li>"
If (AccessMask And ADS_RIGHT_DS_SELF) Then
AddHtml "<li>Active Directory must validate a property "
AddHtml " write operation beyond the schema definition "
AddHtml " for the attribute.</li>"
End If
End If
End Sub
</script>
<style>
body {
font: 10pt arial;
background-color: buttonface;
}
button
{
font-family: arial;
font-size: 8pt;
width: 70px;
border: 2px solid gray;
margin: 3px;
cursor: hand;
}
.lightborder {
border: 2px solid gray;
}
.darkborder {
border: 2px solid black;
}
.ShowMe {
display: block;
color: gray;
}
.HideMe {
display: none;
}
.TrusteeName {
font-weight: bold;
cursor: hand;
color: gray;
}
</style>
</head>
<body>
Organizational Unit:<br>
<select size="0" name="select1" id="select1" onchange="GetPermissions"><option value=""></option></select><BR><BR>
<div id="CommentArea"></div><br>
<div id="DataArea"></div>
</body>
</html>
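The request above (type a group name, query AD for that group, pull its membership and save it to a file), written as an added stand-alone VBScript rather than an HTA; this is example code, not the thread's or Rob's. It is run with cscript on a domain-joined machine with the group name and output path as arguments; the script name GroupMembers.vbs and the LdapEscape/Csv helpers are assumed names, and the CSV output doubles as the plain-text option.

```vbscript
' Added example, not from the thread: export the direct members of one AD group
' (found by sAMAccountName) to CSV. Run with cscript on a domain-joined host.
Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Dim strGroup, strOut, objRootDSE, objConn, objCmd, objRS, strGroupPath
Dim objFSO, objFile, objGroup, objMember, strSam
If WScript.Arguments.Count < 2 Then WScript.Echo "Usage: cscript GroupMembers.vbs ""<group>"" <out.csv>" : WScript.Quit 1
strGroup = WScript.Arguments(0)
strOut = WScript.Arguments(1)

' Find the group with an LDAP-dialect query; the name is user input, so it is
' escaped before being placed in the filter (RFC 4515 special characters).
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCmd.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=group)(sAMAccountName=" & LdapEscape(strGroup) & "));ADsPath;subtree"
Set objRS = objCmd.Execute
If objRS.EOF Then WScript.Echo "Group not found: " & strGroup : WScript.Quit 2
strGroupPath = objRS.Fields("ADsPath").Value

' One CSV row per direct member (nested groups appear as rows of class "group").
' Contacts and foreign security principals have no sAMAccountName, so that
' attribute is read with error handling and left blank when absent.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strOut, True)
objFile.WriteLine "sAMAccountName,objectClass,distinguishedName"
Set objGroup = GetObject(strGroupPath)
For Each objMember In objGroup.Members
    strSam = ""
    On Error Resume Next
    strSam = objMember.Get("sAMAccountName")
    On Error GoTo 0
    objFile.WriteLine Csv(strSam) & "," & Csv(objMember.Class) & "," & _
        Csv(objMember.Get("distinguishedName"))
Next
objFile.Close

' Escape LDAP filter metacharacters so a crafted name cannot change the query.
Function LdapEscape(s)
    LdapEscape = Replace(Replace(Replace(Replace(Replace(s, "\", "\5c"), _
        "*", "\2a"), "(", "\28"), ")", "\29"), Chr(0), "\00")
End Function
' Quote a CSV field and double embedded quotes so commas in names keep the layout.
Function Csv(v)
    Csv = """" & Replace(v, """", """""") & """"
End Function
```

Only direct members are listed; expanding nested groups would mean recursing into each row whose class is "group".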
Somarsoft's DumpSec program can pull a ton of data and save it to a file. It is free. It is distributed by SystemTools, the makers of Hyena. It is quite an amazing tool.
ASKER
Hi there MrFixit, that looks like promising software, however if we could do this without having to install 3rd party software that would be great (Can't install 3rd party software for obvious reasons). That's why I provided the example above hoping to add to it.
Hi,
This one would be a start, but I can't modify it until Monday.
https://www.experts-exchange.com/questions/23863991/VB-Script-lists-members-of-OU-Need-it-to-query-Group-as-well-List-common-members-of-both-the-group-and-OU.html
What that one does is, you select an OU, then a group, and when you click Get Members, the users that are in BOTH the OU and the group are listed.
When I modify it, I'll just take out the OU listing, and have it list the members of the group.
Exporting after that is pretty easy.
On the other hand, someone else may jump in with a solution before then.
Regards,
Rob.
ASKER
Hey there Rob, I'll take a look at this first thing on Monday. Thanks for jumping in on this : )
ASKER CERTIFIED SOLUTION
ASKER
Very cool Rob, thank you. I'll test this first thing and let ya know.
ASKER
Oh WOW, Rob this is great man! I'm just looking it over now....
ASKER
As always, simply superb.
Sure. It's nothing terribly special....just a list of group names.....hopefully it's what you're after.
Rob.
This script is AWESOME!!! So glad I found it! Thanks A MILLION, Rob!!!
@603currier, no problem. I'm glad you find it useful.
Regards,
Rob.