Funny, I was working on the exact same thing this week here. Luckily in our case I found that we have no legacy members, but this is what I did to get the output. Not beautiful, but this will work.

Export the groups as DN into a text file. I use the Quest AD cmdlets, but whatever tool you want to use will be fine:

    get-qadgroup -sizelimit 0 | select dn | out-file c:\temp\GroupList1.txt

For some reason the Quest output added trailing spaces, which I cleaned up in Excel with "=TRIM(A1)".

    for /f "delims=" %i in (c:\temp\GroupList1.txt) do repadmin /showobjmeta mydc1 "%i" >> c:\temp\Legacy_Groups.txt

("delims=" and the quotes keep DNs that contain spaces, such as CN=Domain Admins, intact as a single argument.)

You will then have to parse this file to get the groups that have legacy members, but it will all be in the output file. If I had more time, I'd wrap this in a PowerShell script, dump the output from each group into an array and search for "Legacy", then just list the name of the group if it contains the string.

Hope this helps.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Webster <[email protected]>
To: "<[email protected]>" <[email protected]>
Date: 06/18/2013 07:22 PM
Subject: [NTSysADM] Finding AD groups with legacy members
Sent by: [email protected]

Current project had a consulting group come in and do an AD Assessment. One of their findings was that they have many groups with almost 5,000 members. Most of the groups were created and users added pre-2003 DFL/FFL. Their conclusion was the legacy members need to be removed and re-added to the groups to enable LVR for each group member. Whether you or I agree with this conclusion, I have been tasked with finding which of their almost 24,000 groups have legacy members.

I know I can do this:

    C:\>repadmin /showobjmeta shc-dc "cn=administrators,cn=builtin,dc=shc,dc=org"
    17 entries.
    <snip>
    21 entries.
    Type     Attribute
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    LEGACY   member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    PRESENT  member
    C:\>

I could run that command 24,000 times, but it would be nice to automate that. BUT, all the DCs are 2003, so I don't have access to using the Microsoft PowerShell AD stuff. My GoogleFU is failing me and I have not found a script that finds AD security groups with legacy members. Any hints, clues, tips or help from the peanut gallery?

Once I know all the groups with legacy members, then my next task is the removing of the legacy members and adding them back in so LVR is enabled (I did find a script for that). Once that is done, I can begin the process of moving them to Server 2012 DCs and all those benefits.

Thanks

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com
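The parse step left open above, as an added example that is not code from either poster: it loops over the exported DN list, runs repadmin /showobjmeta per group and reports only the groups whose member attribute still carries LEGACY entries, so the re-add work can be scoped to them. It assumes repadmin is on the PATH, a reachable DC name, and the Quest Select-Object export (header line, dashes, trailing spaces) as the input file; it uses only PowerShell v2 features so it runs without the Microsoft AD module.

```powershell
# Added example, not from the thread. Assumed names: $Dc, $GroupList, $Report.
param(
    [string]$Dc        = 'mydc1',                      # any DC that holds the groups
    [string]$GroupList = 'C:\temp\GroupList1.txt',     # one DN per line (Quest export)
    [string]$Report    = 'C:\temp\LegacyGroups.csv'
)

$results = @()
foreach ($line in Get-Content $GroupList) {
    $dn = $line.Trim()                                  # drops the trailing spaces Quest adds
    # skip the "DN" header, the "---" underline and blank lines from select dn | out-file
    if (-not $dn -or $dn -eq 'DN' -or $dn -match '^-+$') { continue }

    # showobjmeta prints one line per attribute value; the first column is the
    # value's replication state (LEGACY = pre-LVR, PRESENT = LVR-tracked)
    $meta = & repadmin /showobjmeta $Dc "$dn" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin failed for $dn (exit $LASTEXITCODE)"
        continue
    }
    $legacy  = @($meta | Where-Object { $_ -match '^\s*LEGACY\s+member\b' }).Count
    $present = @($meta | Where-Object { $_ -match '^\s*PRESENT\s+member\b' }).Count

    if ($legacy -gt 0) {
        $results += New-Object PSObject -Property @{
            Group = $dn; LegacyMembers = $legacy; LvrMembers = $present
        }
    }
}

# groups with the most legacy values first; these are the ones where a bulk
# remove/re-add is most worth scheduling carefully (replication volume)
$results | Sort-Object LegacyMembers -Descending |
    Export-Csv -NoTypeInformation -Path $Report
"{0} of the groups in {1} still have legacy members; see {2}" -f $results.Count, $GroupList, $Report
```

Keep the per-group repadmin output as well if you want an audit trail of which specific member values were legacy before the re-add.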

