[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

List AD groups that contain nested groups

Posted on 2010-11-23
6
Medium Priority
?
820 Views
Last Modified: 2012-05-10
Need a script to list only the AD groups that contain groups.  Would like to have an option to include or exclude listing all group members.  Output needs to show full AD path where the main group and nested groups are located.

Thanks
0
Comment
Question by:Carl Webster
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34198886
If you are able to use the quest cmdlets from your other question you can try this

to get group memebrs you can add this

get-qadgroupmember $g | select name
$groups = get-qadgroup -searchroot "OU=Groups,dc=Domain,dc=Local" | where{$_.memberof -ne ""} 
foreach ($Group in $Groups){
write-host $group.name
$grp = get-qadmemberof $Group
foreach ($g in $grp){
write-host `t $g.dn
}}

Open in new window

0
 
LVL 4

Expert Comment

by:Vishal Patel
ID: 34204107
You can use AD Manager Plus (A ManageEngine tool, free to try) for the purpose.
0
 
LVL 37

Author Comment

by:Carl Webster
ID: 34232373
I am now on this network and it is a 2000 AD system and all the DCs are running 2000 SP4.

Anyone have a VBScript I could use to list which of their 416 AD groups contain groups?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 27

Accepted Solution

by:
KenMcF earned 2000 total points
ID: 34232490
I do nopt have a vbscript but could create one if needed later.
You could try to use ADFind or just a query in ADUC

(&(objectcategory=group)(memberof=*))

adfind -default -f "&(objectcategory=group)(memberof=*)" dn

you could also get the members from ADFind or you could output the list from ADFInd to a test and use vbscript to get all the members

http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/groups/#EnumGroupmembership.htm
0
 
LVL 37

Author Comment

by:Carl Webster
ID: 34232582
I can't find out how in 2000's ADUC how to do a search to list only groups that contain groups.

I was able to use ADFind to list all the groups.  ADFind says there are 479 groups and ADUC says there are 416.  I'll trust ADFind and Joe.

Just tried your ADFind line and it worked.  Gave me a list of 62 groups.  Let me verify a random sample.
0
 
LVL 37

Author Comment

by:Carl Webster
ID: 34232630
I guess this will work.  Your "adfind -default -f "&(objectcategory=group)(memberof=*)" dn" gives me a list of groups that contain groups or groups that are members of other groups.

i.e. Domain Admins contains other groups but GroupABC has no members but is a member of GroupXYZ.  WHen I look at GroupXYZ it shows GroupABC as a member.  

That should work for this purpose.

Thanks
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question