We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Solved
Interface to query Active Directory
Posted on 2013-12-19
Hi experts,
I have another question open for querying AD with VBScript - this is for testing and reporting purposes.
I also need to provide my team of business consultants with a user interface that they can use to test various file share security issues.
Typical tasks they need to perform:
I've been searching the web and there are millions of tools. The problem is I have to download, install and test all of them.
I was hoping to get to an answer quicker based on expert experience.
Many thanks
I have another question open for querying AD with VBScript - this is for testing and reporting purposes.
I also need to provide my team of business consultants with a user interface that they can use to test various file share security issues.
Typical tasks they need to perform:
Use a given group name to get all members of the group
Use a given user account to get all groups that a user is a member of
Use a given folder path to get a view on which groups have what rights on the group
I've been searching the web and there are millions of tools. The problem is I have to download, install and test all of them.
I was hoping to get to an answer quicker based on expert experience.
Many thanks
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
11
3
3
17 Comments
Look at Dumpsec from Somarsoft: http://www.systemtools.com/somarsoft/?somarsoft.com
Active today
If you are not apposed to use Powershell you can do this very easily with 3 different commands... See below...
1. Import-Module activedirectory
Get-ADGroupMember -Identity <GroupName> | Select Name, sAMAccountName
2. Import-module activedirectory
Get-ADUser -Identity <Username> -Properties | Select MemberOf | ft -wrap
3. Get-Acl <yourPath> | fl
You can save each of these comamnds in notepad (save as .ps1 file extension) and create a shortcut to the users Desktop that need to be able to use it.
Will.
1. Import-Module activedirectory
Get-ADGroupMember -Identity <GroupName> | Select Name, sAMAccountName
2. Import-module activedirectory
Get-ADUser -Identity <Username> -Properties | Select MemberOf | ft -wrap
3. Get-Acl <yourPath> | fl
You can save each of these comamnds in notepad (save as .ps1 file extension) and create a shortcut to the users Desktop that need to be able to use it.
Will.
Thanks Will,
I'm not opposed to powershell... I just know NOTHING about it.
Even the simple samples in your post are foreign to me. How do I execute PowerShell scripts?
(Sorry for looking really dumb but I'm use to old school batch scripts, VBScripts or full .Net 2.0 applications).
Thanks again
I'm not opposed to powershell... I just know NOTHING about it.
Even the simple samples in your post are foreign to me. How do I execute PowerShell scripts?
(Sorry for looking really dumb but I'm use to old school batch scripts, VBScripts or full .Net 2.0 applications).
Thanks again
Active today
You need to have powershell installed on the local machine (Win7/2008 and above has this built-in) You will also need to have ADMT (Active Direcroty Management Tools) installed on the PC's that will be running the scripts as well.
Once you have that the 3 basic commands above will provide the info you are looking for.
You can run the commands right from the powershell window or you can save the powershell commands (individually) to notepad and give them a name with a .PS1 file extension.
Example.
ADgroupMemberLookup.ps1
ADUserMemberOf.PS1
AclLookup.PS1
Will.
Once you have that the 3 basic commands above will provide the info you are looking for.
You can run the commands right from the powershell window or you can save the powershell commands (individually) to notepad and give them a name with a .PS1 file extension.
Example.
ADgroupMemberLookup.ps1
ADUserMemberOf.PS1
AclLookup.PS1
Will.
pony10us,
I'm trying Dumpsec. It's fairly easy with a specific local machine but I'm struggling to find how to do what I was looking for.
If I have a specific domain user account, how do I see with Dumpsec what groups this user belongs to?
Thanks
I'm trying Dumpsec. It's fairly easy with a specific local machine but I'm struggling to find how to do what I was looking for.
If I have a specific domain user account, how do I see with Dumpsec what groups this user belongs to?
Thanks
Will,
I'm getting this error when running the PS1 file: <fileName> cannot be loaded because the execution of scripts is disabled on this system.
I'm googling it now...
I'm getting this error when running the PS1 file: <fileName> cannot be loaded because the execution of scripts is disabled on this system.
I'm googling it now...
If you don't mind the command line then maybe try using dsget
Here is the syntax for getting the group membership of a user (as shown in the help)
To display the list of groups, recursively expanded, to which a given user
"Jon Smith" belongs, type:
dsget user "cn=Jon Smith,cn=users,dc=microsof
You can get the help by typing dsget /? at a command prompt. It will also mention some of other tools such as dsquery.
Part of the problem with dumpsec is it isn't granule enough for what you want.
Here is the syntax for getting the group membership of a user (as shown in the help)
To display the list of groups, recursively expanded, to which a given user
"Jon Smith" belongs, type:
dsget user "cn=Jon Smith,cn=users,dc=microsof
You can get the help by typing dsget /? at a command prompt. It will also mention some of other tools such as dsquery.
Part of the problem with dumpsec is it isn't granule enough for what you want.
Will,
I set ExecutionPolicy to unrstricted to solve my problem.
I now a 2nd problem with query number 2.
The results i get is a list of OU's. I used my own userID in the query but none of the groups I am a member of are listed. Only OU's.
How do I get the groups?
I set ExecutionPolicy to unrstricted to solve my problem.
I now a 2nd problem with query number 2.
The results i get is a list of OU's. I used my own userID in the query but none of the groups I am a member of are listed. Only OU's.
How do I get the groups?
pony10us,
I'm struggling with dsGet user also.
I only get back a message saying directory object was not found. What needs to go in place of Jon Smith? The user's alias? Display Name? I tied everything I could thing of.
I'm struggling with dsGet user also.
I only get back a message saying directory object was not found. What needs to go in place of Jon Smith? The user's alias? Display Name? I tied everything I could thing of.
Use display name.
There is an error in the help
Where it has "cn=users" it should be "ou=users"
This is an example where my display name was 4 OU's down in the tree.
There is an error in the help
Where it has "cn=users" it should be "ou=users"
c:\dsget user "cn=<display name>,ou=LV4,ou=LV3,ou=LV2,ou=LV1,dc=domain,dc=local" -memberof -expand
This is an example where my display name was 4 OU's down in the tree.
Active today
Sorry i was referring to a different command for #2. Use the below command to find the GroupMemberShip of a single user...
Import-module activedirectory
Get-ADPrincipalGroupMember
That will give you all of the groups the individual user is part of. Also regarding the post above, you are correct you need to have the machines running the command to have ExecutionPolicy set to "remote signed".
Will.
Import-module activedirectory
Get-ADPrincipalGroupMember
That will give you all of the groups the individual user is part of. Also regarding the post above, you are correct you need to have the machines running the command to have ExecutionPolicy set to "remote signed".
Will.
I'm doing OK with the Powershell script for now - but I have two small prpoblems:
My script to get all groups for a user is as follows:
Import-module ActiveDirectory
(GET-ADUSER –Identity holds –Properties MemberOf | Select-Object MemberOf).MemberOf | Sort
First problem is that when I right click the PS1 file and select run in powershell, the command window opens, stays open for a while and then closes - no result displayed.
The groups returned by my above script, are a lot. Many users have 50+ groups. The groups I want to see all come from one container. Is it possible to filter the query results to show groups only from OU=Documentum_ShareData ?
I searched for samples online and it seems -Identity cannot be used with -Filter.
Please assist.
My script to get all groups for a user is as follows:
Import-module ActiveDirectory
(GET-ADUSER –Identity holds –Properties MemberOf | Select-Object MemberOf).MemberOf | Sort
First problem is that when I right click the PS1 file and select run in powershell, the command window opens, stays open for a while and then closes - no result displayed.
The groups returned by my above script, are a lot. Many users have 50+ groups. The groups I want to see all come from one container. Is it possible to filter the query results to show groups only from OU=Documentum_ShareData ?
I searched for samples online and it seems -Identity cannot be used with -Filter.
Please assist.
So this is my final attempt for the day:
Get-ADPrincipalGroupMember
That sort of takes care of the groups a user belongs to.
Not sure how to do this recursively though. Any ideas?
Get-ADPrincipalGroupMember
That sort of takes care of the groups a user belongs to.
Not sure how to do this recursively though. Any ideas?
Experts,
Making slow progress with the powershell script.
Please remember my original post - was looking for a GUI for my business consultants - that would still be first prize.
Thanks
Making slow progress with the powershell script.
Please remember my original post - was looking for a GUI for my business consultants - that would still be first prize.
Thanks
I ended up developing my own tool in VB.Net.
Once a day it extracts all groups in a specific AD container from AD and writes them into my SQL database. Then it queries the database to get the groups back and queries AD again for the membership of each group individually. Nested groups/recursion is handled well here too. Membership is written to the SQL database too.
Thirdly, the tool traverses the shared folder structure and extracts all the groups with their permissions on each folder and writes that back to the database too.
Then the tool allows querying through a user interface for group membership, a user's group membership or groups/users permissions on specific folders.
Once a day it extracts all groups in a specific AD container from AD and writes them into my SQL database. Then it queries the database to get the groups back and queries AD again for the membership of each group individually. Nested groups/recursion is handled well here too. Membership is written to the SQL database too.
Thirdly, the tool traverses the shared folder structure and extracts all the groups with their permissions on each folder and writes that back to the database too.
Then the tool allows querying through a user interface for group membership, a user's group membership or groups/users permissions on specific folders.
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008.
Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month9 days, 3 hours left to enroll
721 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.