Good point!  Thanks.
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 23 May 2006 5:15
To: [email protected]
Subject: RE: [ActiveDir] Group audit

I would set the output up for csv output (see -csv) which will make things easier to parse out. Once parsed you should be able to drive the modifications pretty easily.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, May 19, 2006 5:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Group audit

Thanks Joe.  I have now used your great adfind tool to find what I'm looking for.  Now have one more question on how to use the output.
 
This is a sample output:
 
dn:CN=Group1,OU=Groups,OU=Production,DC=help,DC=com
 
dn:CN=Group5,OU=Groups,OU=Production,DC=help,DC=com
>member: CN=Group10,OU=Groups,OU=Production,DC=help,DC=com
 
Now what I need to do is create a script from this that ignores the groups with no members i.e. line one, but adds the member(s) of a group to the group above i.e. add Group10 to Group5
 
Now you're probably wondering why I want to do this when the group is already a member, but I want to run this in a separate AD network where all groups are present but no membership information is present.
 
Is this possible?
 
thanks
David
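
Added example (not part of the original thread, and not code from AdFind or its author): one way to turn the default AdFind output quoted above into LDIF "add member" records, skipping groups that have no members. The names SAMPLE, parse_adfind, retarget and to_ldif, the extra Group12 member, and the target suffix DC=lab,DC=example are assumptions made for illustration; DNs are assumed to be plain ASCII with no characters that LDIF would require base64 for.

```python
import re

# Constructed sample in the default AdFind layout quoted in the message above.
SAMPLE = """\
dn:CN=Group1,OU=Groups,OU=Production,DC=help,DC=com

dn:CN=Group5,OU=Groups,OU=Production,DC=help,DC=com
>member: CN=Group10,OU=Groups,OU=Production,DC=help,DC=com
>member: CN=Group12,OU=Groups,OU=Production,DC=help,DC=com
"""

ATTR = re.compile(r"^>([^:]+):\s?(.*)$")  # ">attribute: value" lines

def parse_adfind(text):
    """Return {group_dn: [member_dn, ...]} in input order; banner lines are ignored."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
            groups.setdefault(current, [])
        elif current and (m := ATTR.match(line)) and m.group(1).lower() == "member":
            groups[current].append(m.group(2).strip())
    return groups

def retarget(dn, old_suffix, new_suffix):
    """Swap the domain suffix of a DN (assumption: the target has the same OU layout)."""
    if old_suffix and dn.lower().endswith(old_suffix.lower()):
        return dn[: len(dn) - len(old_suffix)] + new_suffix
    return dn

def to_ldif(groups, old_suffix="", new_suffix=""):
    """Emit one LDIF modify record per group that has members; empty groups are skipped."""
    records = []
    for dn, members in groups.items():
        if not members:
            continue
        lines = [f"dn: {retarget(dn, old_suffix, new_suffix)}",
                 "changetype: modify", "add: member"]
        lines += [f"member: {retarget(m, old_suffix, new_suffix)}" for m in members]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")

if __name__ == "__main__":
    # Hypothetical target domain; review the generated file before importing it.
    print(to_ldif(parse_adfind(SAMPLE), "DC=help,DC=com", "DC=lab,DC=example"))
```

The resulting file can be reviewed and then imported in the target domain with an LDIF import tool such as ldifde (ldifde -i -f file).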
 
 
 
 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2006 23:38
To: [email protected]
Subject: RE: [ActiveDir] Group audit

Yeah, this is going to have to be a script or custom code.
 
You have the option of using ADSI and enumerating each of the groups and chasing the properties of each group or writing something that calls out to a tool that uses ASQ queries (assumes K3 AD) which would be a world of difference faster.
 
So the ADSI algorithm would be
 
Get group name
bind to group
loop through group members
    is member a group
        yes, then is it a global group
            yes, print it out
            no skip
        no skip
    no skip
next group
Go back to start
 
for using ADSI
 
 
 
get group name
ASQ query against group's member attribute asking for all global group members
print members
go back to start
 
 
For an example of an ASQ Query in action
 
I have a group called HP-OVE-GROUP
 
Z:\>adfind -b "CN=HP-OVE-GROUP,CN=Users,DC=joe,DC=com" member grouptype -samdc
 
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
 
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
 
dn:CN=HP-OVE-GROUP,CN=Users,DC=joe,DC=com
>member: CN=HP-OVE-User,CN=Users,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]
 

1 Objects returned
 
 
 
As you can see there is one obvious global group listed. There are only 2 members so this would be fairly quick in ADSI as well but nowhere near as quick as ASQ because there will only be one query and roundtrip to/from the DC...
 
So I do an ASQ query against the group
 
Z:\>adfind -b "CN=HP-OVE-GROUP,CN=Users,DC=joe,DC=com" -asq member -f grouptype=-2147483646 name grouptype -samdc
 
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
 
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
 
dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
>name: Domain Admins
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]
 

1 Objects returned
 
 
  joe
 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Thursday, May 18, 2006 8:57 AM
To: [email protected]
Subject: [ActiveDir] Group audit

Hi
 
I have a text file holding a list of approx 400 global groups such as:
 
Group1
Group2
Group3
Group4
etc
 
I need to query the membership to find out which of the above global groups have other global groups as members and then to list the group names, output example:
 
Group1
    Group10
Group2
    Group12
    Group14
Group3
Group4
 
 
Any ideas?
 
Regards
David

