RE: [ActiveDir] script logic question
Thanks Joe...that's surprisingly clear to me. Scary...I must be finally absorbing some wisdom. No more deer-in-the-headlights for me (well, maybe not as much).

Thanks also to the other folks who commented on this issue, as always. Y'all are awesome.

Now on to the script editor.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] script logic question

I would generate a list of all users in the list. Depending on how you do this it could be a map, a hash, a dictionary, blah blah woof woof. Whatever... It is an associative array that has for its key, the userid. This list should be generated by recursing up through any nesting as well assuming you allow this via nesting. This would be done with an LDAP call to the group for the member attribute and chase recursively as needed.

Now that you have that I would then do a query against all users for the employeetype=s.

i.e. (objectcategory=person)(samaccountname=*)(employeetype=s)

Now that you have the S employees and the membership you can loop through the S employees and look them up in the hash. If only S employees are supposed to be in the group then when you look people up in the hash, you mark the value as OK. If they aren't in that group, you flag them as missing. Then you loop through the hash and look at all of the values and any that don't have OK shouldn't be in the group and you flag them.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 26, 2004 1:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] script logic question

I need to make sure all users where the value of attribute employeeType is S are members of a given group. Right now I only want to report on it, not actually change the group membership. Logically, what is the most efficient way to achieve this?

1. do I place the membership of the group into an array and then loop through all the users to see if they are in the array
2. do I loop through all the users and check each one's memberOf for the existence of the group?

I think option 1 seems better than 2, but I'm willing to bet someone has a much better idea.

Thanks!
Mark

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
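The report-only check joe describes in the message above, as an added example that is not part of the original thread. The DNs, the group names and the two in-memory dictionaries standing in for the LDAP query results are constructed for illustration.

```python
"""Report-only reconciliation of employeeType=S users against one group."""

# Constructed data standing in for LDAP results: group DN -> member attribute.
GROUP_MEMBERS = {
    "CN=S-Staff": ["CN=alice", "CN=S-Nested", "CN=dave"],
    "CN=S-Nested": ["CN=bob", "CN=S-Staff"],  # nested group that loops back
}
# Constructed user objects: DN -> employeeType (None = attribute not set).
USERS = {"CN=alice": "S", "CN=bob": "S", "CN=carol": "S",
         "CN=dave": "C", "CN=erin": None}


def expand_members(group_dn, groups, seen=None):
    """Return {user_dn: None} for every direct or nested member of group_dn."""
    seen = set() if seen is None else seen
    members = {}
    if group_dn in seen:              # already expanded: circular nesting
        return members
    seen.add(group_dn)
    for dn in groups.get(group_dn, []):
        if dn in groups:              # member is itself a group: chase it
            members.update(expand_members(dn, groups, seen))
        else:
            members[dn] = None        # value is set during reconciliation
    return members


def reconcile(group_dn, groups, users, wanted="S"):
    """Return (missing, unexpected); nothing is modified, this only reports."""
    membership = expand_members(group_dn, groups)
    # Stand-in for the employeetype=s query; compared case-insensitively.
    s_users = [dn for dn, etype in users.items()
               if (etype or "").lower() == wanted.lower()]
    missing = []
    for dn in s_users:
        if dn in membership:
            membership[dn] = "OK"     # S employee who is in the group
        else:
            missing.append(dn)        # S employee who is not in the group
    # Anything never marked OK is in the group without being an S employee.
    unexpected = [dn for dn, mark in membership.items() if mark != "OK"]
    return sorted(missing), sorted(unexpected)


if __name__ == "__main__":
    missing, unexpected = reconcile("CN=S-Staff", GROUP_MEMBERS, USERS)
    print("S users missing from group:", missing)
    print("Group members that are not S users:", unexpected)
```

The dictionary keyed on the member DN gives constant-time lookups while looping over the S employees, and the `seen` set keeps circular group nesting from recursing forever.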
RE: [ActiveDir] script logic question
That's going to be tough. That's not indexed nor in the GC by default which may make it a little tougher/slower. However, because you need to know that the users with that attribute equal to S are in fact properly in a particular group, I don't think you meet your criteria if you instead use the group as the authoritative source of information.

You pretty much have to iterate each user and if they have that attribute set to S then check their group memberships and report if a member of the particular group. Otherwise, you could get a situation where a person should be a member of the group and somehow was missed. If the reverse is true, i.e. the user is a member and shouldn't be, you'd be looking at some other authoritative source for that information anyway.

Because of that last bit, you could start with a list of those that are supposed to be in that group and then look each of them up to validate the attribute value and the group membership. Again, you run the risk of having the wrong people in the group though.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 26, 2004 1:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] script logic question

I need to make sure all users where the value of attribute employeeType is S are members of a given group. Right now I only want to report on it, not actually change the group membership. Logically, what is the most efficient way to achieve this?

1. do I place the membership of the group into an array and then loop through all the users to see if they are in the array
2. do I loop through all the users and check each one's memberOf for the existence of the group?

I think option 1 seems better than 2, but I'm willing to bet someone has a much better idea.

Thanks!
Mark
RE: [ActiveDir] script logic question
I'll agree with Al that you want to make sure that your group membership cross checks.

Regarding your point #1. If you have a large number of users involved, you will get better performance with a dictionary instead of an array.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 26, 2004 10:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] script logic question

That's going to be tough. That's not indexed nor in the GC by default which may make it a little tougher/slower. However, because you need to know that the users with that attribute equal to S are in fact properly in a particular group, I don't think you meet your criteria if you instead use the group as the authoritative source of information.

You pretty much have to iterate each user and if they have that attribute set to S then check their group memberships and report if a member of the particular group. Otherwise, you could get a situation where a person should be a member of the group and somehow was missed. If the reverse is true, i.e. the user is a member and shouldn't be, you'd be looking at some other authoritative source for that information anyway.

Because of that last bit, you could start with a list of those that are supposed to be in that group and then look each of them up to validate the attribute value and the group membership. Again, you run the risk of having the wrong people in the group though.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 26, 2004 1:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] script logic question

I need to make sure all users where the value of attribute employeeType is S are members of a given group. Right now I only want to report on it, not actually change the group membership. Logically, what is the most efficient way to achieve this?

1. do I place the membership of the group into an array and then loop through all the users to see if they are in the array
2. do I loop through all the users and check each one's memberOf for the existence of the group?

I think option 1 seems better than 2, but I'm willing to bet someone has a much better idea.

Thanks!
Mark