Getting a list of groups is easy... getting it all enumerated will be a bit more complex, though not terribly so.

The ADUC allows you to create queries and list all security groups.  You can then export this list to a file.  Once you have the file, you need to import that list into Excel (pretty easy), then run a VBScript against it with LDAP or ADSI scripting in it (or something like that) to enumerate group members.  If they want nested members also, then you've got a much more complex issue, but I would just state that it's not practical and let him work with the current list.

Hopefully the resulting gargantuan file will be enough to make anyone choke and stop making ridiculous requests that they don't understand the futility of.  Enumerating 10k groups simply so that you can toss the list out later that week because it's just going to get more and more out of date is worse than silly, it's a waste of company effort (and money).  Make it too easy for him to generate that report and soon he'll be wanting to see what items they have access to in the environment, so you'll end up enumerating out all files and shares and rights assignments on computers.



On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

We're medium size – and yes someone does want a current outdated list :) -

Just trying to make it happen….

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM

Subject: Re: [ActiveDir] Enumerating Group type and Mebership...

 

You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting.  That would be an awesome feature in the ADUC.  Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

I need all Security Groups and Distribution groups – and their members

 

Thanks Laura!

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM

Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

 

What is "everything [you] need", specifically?

 

Thanks,

 

Laura

 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All,

 

I'm trying to enumerate all groups in my AD environment. I need to get group name, group type, and group members for each group…

 

I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

 

Then I tried (below) but it still doesn't seem to pull back everything I need. Any help would be great! In a perfect world :) I need a list of all security groups and distribution groups and their members

Thanks,

Mike

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640))))" -j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2))))" -j c:\tmp
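
An added example, not part of the original thread: a Python sketch that post-processes a csvde export for an access review, decoding the groupType values used in the filters above and expanding the nested membership discussed in the replies. It assumes groupType was added to the -l attribute list and that multi-valued cells are ';'-separated; the sample rows and all function names are constructed for illustration.

```python
import csv
import io

# groupType bit flags from the Active Directory schema
SCOPES = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000

def decode_group_type(value):
    """Return (kind, scope) for the signed groupType integer in the export."""
    bits = int(value) & 0xFFFFFFFF  # -2147483646 becomes 0x80000002
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    scope = next((name for flag, name in SCOPES.items() if bits & flag), "Unknown")
    return kind, scope

def load_groups(csv_text):
    """Map lower-cased group DN -> cn, kind, scope and direct member DNs."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, scope = decode_group_type(row["groupType"])
        # Assumption: multi-valued attributes share one cell, ';'-separated.
        members = [m for m in (row["member"] or "").split(";") if m]
        groups[row["DN"].lower()] = {"cn": row["cn"], "kind": kind,
                                     "scope": scope, "members": members}
    return groups

def effective_members(groups, dn, seen=None):
    """Expand nested groups to non-group member DNs; 'seen' breaks nesting loops."""
    seen = set() if seen is None else seen
    key = dn.lower()
    if key in seen:
        return set()
    seen.add(key)
    leaves = set()
    for member in groups[key]["members"]:
        if member.lower() in groups:
            leaves |= effective_members(groups, member, seen)
        else:
            leaves.add(member)
    return leaves

# Constructed sample export (not real data); Admins and Ops nest in each other.
SAMPLE = '''DN,cn,groupType,member
"CN=Admins,OU=Groups,DC=example,DC=com",Admins,-2147483646,"CN=Alice,OU=Users,DC=example,DC=com;CN=Ops,OU=Groups,DC=example,DC=com"
"CN=Ops,OU=Groups,DC=example,DC=com",Ops,-2147483640,"CN=Bob,OU=Users,DC=example,DC=com;CN=Admins,OU=Groups,DC=example,DC=com"
"CN=News,OU=Groups,DC=example,DC=com",News,8,"CN=Carol,OU=Users,DC=example,DC=com"
'''

if __name__ == "__main__":
    groups = load_groups(SAMPLE)
    for dn, g in groups.items():
        print(g["cn"], g["kind"], g["scope"], sorted(effective_members(groups, dn)))
```
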

 

 

 

