Re: [ActiveDir] Enumerating Group type and Membership...

2006-08-19 Thread Mathieu CHATEAU




Hello Mike,

Try this one:
-
Option Explicit
Dim objDomain, objUser, objGroup

' Bind to the domain through the WinNT provider (NT4-style namespace)
Set objDomain = GetObject("WinNT://MyDomain")

' First pass: every user and the groups it belongs to
objDomain.Filter = Array("user")

For Each objUser In objDomain
 Wscript.Echo "User: " & objUser.Name
 For Each objGroup In objUser.Groups
  Wscript.Echo "-- Member of group: " & objGroup.Name
 Next
Next

' Second pass: every group and its members
objDomain.Filter = Array("group")

For Each objGroup In objDomain
 Wscript.Echo "Group: " & objGroup.Name
 For Each objUser In objGroup.Members
  Wscript.Echo "-- Member: " & objUser.Name
 Next
Next


Fire it with something like cscript dump.vbs > dump.txt


Just my 2 cents
Mathieu CHATEAU
http://lordoftheping.blogspot.com


Tuesday, July 25, 2006, 8:49:11 PM, you wrote:







All,

I'm trying to enumerate all groups in my AD environment. I need to get group name, group type and group members for each group.

I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back everything I need. Any help would be great! In a perfect world :) I need a list of all security groups and distribution groups and their members.
Thanks,
Mike

Enumerate Security Groups and Members in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640))))" -j c:\tmp


Enumerate Distribution Groups and Members in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2))))" -j c:\tmp










--
Best regards,
Mathieu  mailto:[EMAIL PROTECTED]



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
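The WinNT script above lists membership but not the group type Mike asked for, and the csvde filters hard-code one groupType value per scope. As an added example (not code from the thread), this Python decodes groupType the way AD exports it (a signed 32-bit bitmask), builds the security/distribution filter with the LDAP bitwise-AND matching rule instead of listing every value, and parses a constructed csvde-style export; the column set and the example.com DNs are assumptions.

```python
import csv
import io

# ADS_GROUP_TYPE_* bits as stored in the groupType attribute
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {0x1: "BuiltinLocal", 0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def decode_group_type(value):
    """Return (scope, kind) for a groupType value.

    AD exports the attribute as a signed 32-bit integer, so security groups
    show up negative (-2147483644 is 0x80000004: domain local + security).
    """
    bits = int(value) & 0xFFFFFFFF
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    scope = next((name for bit, name in SCOPE_BITS.items() if bits & bit), "Unknown")
    return scope, kind


def group_filter(security):
    """LDAP filter for security or distribution groups of any scope.

    The bitwise-AND matching rule tests the security bit directly, so the
    filter does not need one (groupType=...) clause per scope.
    """
    test = f"(groupType:{BIT_AND_RULE}:={SECURITY_ENABLED})"
    if not security:
        test = f"(!{test})"
    return f"(&(objectCategory=group)(objectClass=group){test})"


def parse_csvde(text):
    """Turn a csvde export (cn, groupType, member) into name/type/members rows.

    csvde writes multi-valued attributes such as member as ';'-separated
    lists, and leaves the field empty for groups without members.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        scope, kind = decode_group_type(row["groupType"])
        members = [m for m in row["member"].split(";") if m]
        rows.append({"cn": row["cn"], "scope": scope, "kind": kind, "members": members})
    return rows


# Constructed sample export (not real data): the DNs and names are made up.
SAMPLE_EXPORT = """DN,cn,groupType,member
"CN=Domain Admins,CN=Users,DC=example,DC=com",Domain Admins,-2147483646,"CN=Administrator,CN=Users,DC=example,DC=com"
"CN=Helpdesk,OU=Groups,DC=example,DC=com",Helpdesk,-2147483644,"CN=Alice,OU=Staff,DC=example,DC=com;CN=Bob,OU=Staff,DC=example,DC=com"
"CN=All Staff,OU=Groups,DC=example,DC=com",All Staff,8,
"""

if __name__ == "__main__":
    print("Security group filter:", group_filter(True))
    for g in parse_csvde(SAMPLE_EXPORT):
        print(f"{g['cn']}: {g['scope']} {g['kind']} group, {len(g['members'])} member(s)")
        for member in g["members"]:
            print("  --", member)
```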


Re: [ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-19 Thread badhusha

Return Receipt: your document "Re: [ActiveDir] Single Space in LDAP query dropped: Why?" was received by Sheik D. Badhusha/UNIOSIL at 19/08/2006 10:05:22 AM PDT.







RE : Re: RE : RE: [ActiveDir] backup and restore AD.

2006-08-19 Thread Yann
Hello Brett,

The pb was that one disk in my raid5 was corrupted. So I changed the disk and I checked that my raid 5 was OK via Dell Open Manager. But when restarting the DC, it shows a windows popup stating an error in lsass.exe and that I have to boot in DSRM mode. When I clicked OK, my DC reboots again and that scenario never ends up until I boot in DSRM mode!!

When logging in DSRM mode, there was only the ntds.dit and the Edb*.log, no edb.chk!! So I restored system state but when the restore finished, there was still no edb.chk created in DSRM mode: a semantic checker shows a jet error stating that no transaction logs were found.

So I had 2 options:
1) restore ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log from my last full backup. This backup was done 5 days ago.
2) and at last force a demotion via ntdsutil and delete all dns registrations, frs subscriptions, ad objects that point to this DC.

So I chose 1) and that works fine. I was lucky!!

Brett, is there any MS documentation stating that this type of "dirty" restoration is unsupported? I have not found any clue in MS TechNet. And in my situation, what would you have done? Would 2) be the best and supported solution rather than 1)?

Thanks for advice.
Yann

Brett Shirley [EMAIL PROTECTED] wrote:

BTW, if you have snapshot based backup you _can_ backup and just restore only the AD data (dit, log, and chk), and it will work w/o USN rollback correctly. We used to run quick tests like that all the time, but ONLY validated that the DS / AD didn't break. That doesn't make it supported. BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM, AuthZ, etc ... just about anything DS or security related) that may have a dependency on some random part of AD and some random part of Registry data staying in sync ... we don't know what breaks when you restore one w/o the other ... this is why it is unsupported ... and almost completely untested ... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one domain to the DIT folder for a DC in another domain, replacing its DIT. Would that work? Almost guaranteed there would be security issues. That's of course the extreme case, and one easy to avoid; we don't know the in-between cases.

Cheers,
-BrettSh [msft]

On Fri, 18 Aug 2006, Yann wrote:

Hello Jorge,

Thanks for clarification. I will check next week if I have no issues with usn rollback :( .

Yann

"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:

when a DC is restored from the system state (amongst others):
* the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
* the invocation ID of the AD DB is changed (which prevents USN rollbacks)

so in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! That is the reason why you MUST restore the system state as MS says. The way you are doing that is, how shall I say it gently ... NOT SUPPORTED! ;-) And I guess you will be hitting on USN Rollback. See my blog and search for BACKUP and you will find an article with some more info.

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Tuesday, August 08, 2006 22:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] backup and restore AD.

Hello,

I had a question about AD backup & restore. It is possible to backup AD in 2 ways:
1) backup only the system state.
2) backup system state & file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).

MS states that u have to restore your AD by restoring the system state. But, what about just restoring the AD working directory without system state? I tested it and that works fine.

So my question is: in what circumstances do I have to choose a restore from system state or a restore from AD working directory?

Thanks for clarification,
Yann

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-19 Thread Rocky Habeeb



Oh ...
So virtual is where my test 
environment should be ...
And that will adequately equate 
to a "real" production environment?
["Hmm ..." he wonders, 
"Could it be true?"]
_


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
  Sent: 17 August, 2006 4:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] FMSO roles split, patch question.
  
  That argument went out the window when 
  the following happened:
  
  Dell started selling desktops with 
  jillion gigabyte drive space for under $1000
  Microsoft started giving away Virtual 
  Server with very liberal Windows Server 2003 licenses.
  
  Us poor admins no longer needed bazillion 
  dollars to create "test environments".
  
  Sorry, try another one 
  :)
  
  
  Sincerely,
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: Gordon Pegue
  Sent: Thu 8/17/2006 1:31 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] FMSO roles split, patch question.
  
  What about us poor admins, who for a variety of reasons 
  outside their control, don't have a "test" environment?
  I'm just a little guy, supporting a small business that 
  doesn't have kilobucks to spare for non-production 
  equipment.
  
  I sweat bullets every time MS issues updates and I spend 
  a lot of time researching each and every one of them before I 
  apply...
  
  Thanks
  Gordon Pegue
  System Administrator
  Chavez Grieves Consulting Engineers
  Albuquerque, NM
  www.cg-engrs.com
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Thursday, August 17, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


I completely disagree 
with you. I understand the thinking behind the move-roles-before-patch 
stance. I just don't buy into it. Test patch and be sure it doesn't kill 
things. Test your config changes and be sure it doesn't break things. Test, 
test and test more before you move into production.

Then deploy to production. IF, in spite 
of all your tests, "something" goes wrong with one DC holding a specific 
role (or - perish the thought - ALL your roles), it's no big deal. As long 
as you have other DCs available to assume the roles, the target DC will not 
care how they got the roles (graceful transfer or inelegant 
seizure).

It's good to have a script that moves 
roles as you desire, but this does not fall into the realm of "best 
practice" in the scheme of things. Your energy should be invested in 
instituting a comprehensive patch/change management and testing operations 
practice rather than figuring out where to move roles to in case a patch 
eats your DC.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 8/17/2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.
I completely concur with Jorge on his process. 

It takes a lot less hassle and a lot less feeling of concern to move a FSMO
prior to an update of a machine than to have to seize the role later
regardless of the reason of it going down. Especially when you have a script
that applies the NTDSUTIL commands to move the roles. A move of all roles in
a properly scripted environment is a procedure that takes all of about 10-15
seconds. A seize on the other hand isn't something you should just quickly
think about doing, you need to work out the consequences and make a
determination in most cases whether or not you will ever bring that DC back
up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it
isn't any real workload or concern to do it.

When I am doing production ops I *always* move roles prior to making machine
specific updates. I never assume a server is going to come back up after I
say restart or in fact even go down properly without hanging. 

Now I understand the SBS thoughts behind it though... In the SBS world if
you lost the DC, you have far greater issues than you lost a FSMO role for
the moment. In the world outside of SBS, most people look at DCs as
expendable. You set up 10 of them in front of you and 5 fell down you would
be like, crap, I will have to fix those at some point. You set up 

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-19 Thread joe



It isn't the best test environment but it is infinitely 
better than no test environment. If you have a QA environment that matches 
production then I am perfectly fine with an entirely virtual test environment. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Saturday, August 19, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

Oh ...
So virtual is where my test 
environment should be ...
And that will adequately equate 
to a "real" production environment?
["Hmm ..." he wonders, 
"Could it be true?"]
_



Re: [ActiveDir] FMSO roles split, patch question.

2006-08-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Perfect World=  clone all servers, workstations, users (especially the 
stupid ones that break things all the time anyway)
Install patches on the identical cloned network, when cloned users break 
things beat them so they never do the stupid act again.  (okay so maybe 
this is just a network admin's view of a perfect cloning experiment --- 
it might be better to beat the real users come to think of it...)


Best = set up a test network with real hardware that replicates the 
types/kinds of equipment you have


Better = set up a test network with mixtures of real/virtual

Good = test network is virtual, recreate apps, etc.

Better than nothing option 1= users that are canaries.. they get 
patches first... they die so that others will live


Better than nothing option 2= break the mirror, patch the main, ensure 
all is well remirror (I'm personally not a fan of this...but...)


Bottom line even in testing ... you won't find everything.  True story: I 
patched for a chm help file patch back in 2005, all looked fine, and I 
deployed the patch.  Two weeks later someone pinged me that they 
couldn't get into the Tax software help file; it was suddenly blank.  
When I right mouse clicked on the suddenly blank page I realized it was 
a chm file and went oh... hang on, there was a patch... Contacted 
the vendor and sure 'nuff, they already knew about it and had a 
workaround.  So just plan on the fact that some things just won't be 
noticeable until it's in a live network and deal with it.


joe wrote:
It isn't the best test environment but it is infinitely better than no 
test environment. If you have a QA environment that matches production 
then I am perfectly fine with an entirely virtual test environment.
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


