For most system administrators cleaning up Active Directory is not their favorite thing.
This script helps you by enumerating all empty groups, so you can remove them (manually).
Follow the next steps to run the script (no admin rights needed):
* open your favorite text editor
* copy and paste the script into the editor
* save the script (for example c:\temp\emptygroups.vbs)
* open a command prompt
* go to “c:\temp”
* give “cscript emptygroups.vbs” (without quotes) and enter
The script:
' Name : emptygroups.vbs
' Description : script to enumerate all empty groups
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 18-03-2010
' Level : intermediate
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
Set objRootDSE = Nothing
strFilter = "(&(objectCategory=group)(!member=*))"
strAttributes = "name"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("name").Value
objRecordSet.MoveNext
Loop
objRecordSet.Close
objConnection.Close
Set objRecordSet = Nothing
Set objConnection = Nothing
Set objCommand = Nothing
When you have problems/questions please post a reply, you can also rate the script.
Happy scripting.
Best regards,
Dirk Adamsky – Deludi BV
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
This script is a mutation of yesterday’s script.
It searches Active Directory for mail enabled groups with multiple smtp addresses.
By changing the treshold value (i) in line number 39 you can broaden or narrow your searches.
Follow the next steps to run the script (no admin rights needed):
* open your favorite text editor
* copy and paste the script into the editor
* save the script (for example c:\temp\showgroupswithmultiplesmtp.vbs)
* open a command prompt
* go to “c:\temp”
* give “cscript showgroupswithmultiplesmtp.vbs” (without quotes) and enter
The script:
' Name : showgroupswithmultiplesmtp.vbs
' Description : script to show all groups with multiple smtp addresses
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 23-02-2010
' Level : intermediate
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=group)(mail=*))"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
Do Until adoRecordset.EOF
On Error Resume Next
Set objGroup = GetObject ("LDAP://" & adoRecordset.Fields("distinguishedName").Value)
arrProxy = objGroup.GetEx("proxyAddresses")
i = 0
For Each strMailAddress in arrProxy
If Lcase(Left(strMailAddress,5))= "smtp:" Then
i = i + 1
End If
Next
If i >= 2 Then
strAllMailAddresses = ""
For Each strMailAddress in arrProxy
If Lcase(Left(strMailAddress,5))= "smtp:" Then
strAllMailAddresses = strAllMailAddresses & " ; " & strMailAddress
End If
Next
Wscript.Echo objGroup.DisplayName & strAllMailAddresses
End If
Set objGroup = Nothing
adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close
Set adoRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
When you have problems/questions please post a reply.
I also added a rating system yesterday, thank you in advance for your reaction.
Happy scripting.
Best regards,
Dirk Adamsky – Deludi BV
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
A couple of weeks ago I posted the enumeratenestedgroup script.
Last friday (while working at another script) I thought: this can be done better/more efficient.
What I have done is a rewrite of the script, it now contains 50% less code.
This is mainly because the recursion is implemented better.
What the script does:
- fill a variable with the group distinguished name
- call the subroutine EnumNestedgroup
- the subroutine checks whether the member is a group or a user
- when the member is a user the displayname and smtp address a echoed on the screen
- when the member is a group the group distinguished name is echoed the the sub is called again
Follow the next steps to run the script (no admin rights needed):
- find the distinguished name of the nested group (adsiedit.msc)
- open your favorite text editor
- copy and paste the script into the editor
- change the distinguished name
- save the script (for example c:\temp\enumeratenestedgroup.vbs)
- open a command prompt
- go to “c:\temp”
- give “cscript enumeratenestedgroup.vbs” (without quotes) and enter
The script:
' Name : enumeratenestedgroup.vbs
' Description : script to enumerate the members of a nested group
' Author : dirk adamsky - deludi bv
' Version : 2.1 removed the "Call" statement from line 10 and 16 based on input from jvierra
' also removed parenthesis
' (http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=2244&PID=21775#21775)
' Date : 24-02-2010
strTargetGroupDN = "LDAP://CN=testgroup,OU=groups,DC=test,DC=org"
EnumNestedgroup strTargetGroupDN
Sub EnumNestedgroup(strGroupDN)
Set objGroup = GetObject(strGroupDN)
For Each objMember in objGroup.Members
If (LCase(objMember.Class) = "group") Then
wscript.echo objMember.AdsPath
EnumNestedgroup objMember.AdsPath
Else
Wscript.Echo objMember.DisplayName & " ; " & objMember.Mail
End If
Next
Set objGroup = Nothing
End Sub
When you have problems/questions please post a reply.
Happy scripting.
Dirk Adamsky – Deludi BV
VN:F [1.9.3_1094]
Rating: 10.0/10 (1 vote cast)
VN:F [1.9.3_1094]
This script enumerates all active directory distribution groups with a manager.
It starts with an ado query for the distinguished name of all group objects with an smtp address (accomplished by checking the mail property in the ado filter).
For each group a group object is created, the displayname, mail attribute and managedBy attribute of the group are displayed.
Follow the next steps to make and run the script (no admin rights needed):
- open your favorite text editor (mine is notepad++)
- copy and paste the script into the editor (delete the line numbers)
- save the script (for example c:\temp\distributiongroupswithmanager.vbs)
- open a command prompt
- go to “c:\temp”
- give “cscript distributiongroupswithmanager.vbs” (without quotes) and enter
When you want to save the output in a textfile give:
“cscript distributiongroupswithmanager.vbs > distributiongroupswithmanager.txt” (without quotes) and enter
The script:
' Name : distributiongroupswithmanager.vbs
' Description : script to enumerate all distributiongroups with manager
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 01-02-2010
' Level : intermediate
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=group)(mail=*))"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set objRecordset = adoCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
On Error Resume Next
Set objGroup = GetObject("LDAP://" & objRecordSet.Fields("distinguishedName").Value)
Wscript.Echo objGroup.DisplayName & " ; " & objGroup.Mail & " ; " & objGroup.managedBy
Set objGroup = Nothing
objRecordSet.MoveNext
Loop
Set objRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
When you have questions or problems with the script please drop a comment.
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
Scripting sometimes seems tough to learn.
To help you I have made a couple of starter scripts.
This starter script is only 5 lines of code.
The script lists all members of a group.
Follow the next steps to make and run the script (no admin rights needed):
- open your favorite text editor (mine is notepad++)
- copy and paste the script into the editor (delete the line numbers)
- open adsiedit as a user (start=>run=>adsiedit.msc)
- browse to the group
- rightclick the group and choose properties
- select the distinguishedname attribute
- copy the value of the distinguishedname attribute
- change the value of the distinguishedname attribute in the script
- save the script (for example c:\temp\enumerategroup.vbs)
- open a command prompt
- go to “c:\temp”
- give “cscript enumerategroup.vbs” (without quotes) and enter
When you want to save the output in a textfile give:
“cscript enumerategroup.vbs > groupname.txt” (without quotes) and enter
The script:
' Name : enumerategroup.vbs
' Description : script to enumerate group members
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 29-01-2010
' Level : beginner
Set objGroup = GetObject("LDAP://CN=test,OU=test,DC=test,DC=org") ' create the group object
For Each Member in objGroup.Members ' for each member of the group
WScript.echo Member.cn & " ; " Member.displayName ' echo the common name and displayname
Next
Set objGroup = Nothing ' delete the group object and clear memory
When you have questions or problems with the script please drop a comment.
Happy scripting.
Best regards,
Dirk Adamsky – Deludi BV
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
This script copies the members of a nested group to another group.
Follow the next steps to run the script (admin rights needed):
- open your favorite text editor
- copy and paste the script into the editor
- change the distinguished name of the source group to your source group name
- change the distinguished name of the target group to your target group name
- save the script (for example c:\temp\copynestedgroupuserstogroup.vbs)
- open a command prompt with administrative rights
- go to “c:\temp”
- give “cscript copynestedgroupuserstogroup.vbs” (without quotes) and enter
- give “ok”
The script:
' Name : copynestedgroupuserstogroup.vbs
' Description : script to copy the members of a nested group to another group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 28-01-2010
Set objSourceGroup = GetObject("LDAP://CN=sourcegroupname,OU=test,DC=test,DC=org")
For Each objMember in objSourceGroup.Members
If (LCase(objMember.Class) = "group") Then
Set objSubGroup = GetObject(objMember.AdsPath)
Call EnumNestedgroup(objSubGroup)
Set objSubGroup = Nothing
Else
On Error Resume Next
Set objTargetGroup = GetObject("LDAP://CN=targetgroupname,OU=test,DC=test,DC=org")
objTargetGroup.Add(objMember.ADsPath)
objTargetGroup.Setinfo
Set objTargetGroup = Nothing
End If
Next
Set objSourceGroup = Nothing
Sub EnumNestedGroup(objNestedGroup)
For Each objSubMember In objNestedGroup.Members
If (LCase(objSubMember.Class) = "group") Then
Set objSubNestedGroup = GetObject(objSubMember.AdsPath)
Call EnumNestedGroup(objSubNestedGroup)
Set objSubNestedGroup = Nothing
Else
On Error Resume Next
Set objTargetGroup = GetObject("LDAP://CN=targetgroupname,OU=test,DC=test,DC=org")
objTargetGroup.Add(objSubMember.ADsPath)
objTargetGroup.Setinfo
Set objTargetGroup = Nothing
End If
Next
End Sub
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
This script enumerates all group memberships of a user.
What the script does:
- ask for the smtp address of the user (inputbox)
- the function GetDN gets the distinguished name
- create the user object
- check is there are groups that the user is memberOf
- enumerate the group DN’s
Follow the next steps to run the script (no admin rights needed):
- find the smtp address of the user (outlook/aduc)
- open your favorite text editor
- copy and paste the script into the editor
- save the script (for example c:\temp\enumerategroupsfromuser.vbs)
- open a command prompt
- go to “c:\temp”
- give “cscript enumerategroupsfromuser.vbs” (without quotes) and enter
- in the input box fill in the smtp address of the user
- give “ok”
The script:
' Name : enumerategroupsfromuser.vbs
' Description : script to enumerate all groups a user is memberOf
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 21-01-2010
strChangeUser = InputBox("Fill in the smtp address of the user")
strUserDN = GetDN(strChangeUser)
Set objUser = GetObject("LDAP://" & strUserDN)
If Ubound(objUser.memberOf) <> "" Then
objGroups = objUser.GetEx("memberOf")
For Each objGroup in objGroups
Wscript.Echo objGroup
Next
End If
Set objUser = Nothing
Function GetDN(strMail)
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user)(mail=" & strMail & "))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
GetDN = adoRecordset.Fields("distinguishedName").Value
' Clean up.
adoRecordset.Close
adoConnection.Close
Set adoRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
End Function
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
In large organisations users frequently change departments.
As a consequence the group memberships of the user have to change also.
Often this is achieved by using an example user.
When the example user has a lot of memberships this can be a time consuming task.
This script asks for the smtp address of the user that has to be changed,
then for the smtp address of the example user.
The function GetDN does a lookup in Active Directory for the distinguished name
of both users.
Then the old group memberships of the user are removed.
At last the group memberships of the example user are added.
Follow the next steps to run the script (admin rights needed):
- open your favorite text editor
- copy and paste the script into the editor
- save the script (for example c:\temp\changegroupmemberships.vbs)
- open a command prompt with administrative rights
- go to “c:\temp”
- give “cscript changegroupmemberships.vbs” (without quotes) and enter
- in the input box fill in the smtp address of the user that has to be changed
- in the next input box fill in the smtp address of the example user
- give “ok”
The script:
' Name : changegroupmemberships.vbs
' Description : script to change group memberships based on example user
' Author : dirk adamsky - deludi bv
' Version : 1.01
' Date : 16-01-2010
strChangeUser = InputBox("Fill in the SMTP address of the user that has to be changed")
strVoorbeeldUser = InputBox("Fill in the SMTP address of the example user")
strChangeUserDN = GetDN(strChangeUser)
strVoorbeeldUserDN = GetDN(strVoorbeeldUser)
Removegroups strChangeUserDN
Addgroups strChangeUserDN, strVoorbeeldUserDN
Function GetDN(strMail)
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user)(mail=" & strMail & "))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
GetDN = adoRecordset.Fields("distinguishedName").Value
' Clean up.
adoRecordset.Close
adoConnection.Close
Set adoRecordset = Nothing
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
End Function
Sub Removegroups(strUserDN)
Const ADS_PROPERTY_DELETE = 4
Set objUser = GetObject("LDAP://" & strUserDN)
If Ubound(objUser.memberOf) <> "" Then
arrMemberOf = objUser.GetEx("memberOf")
For Each Group in arrMemberOf
Set objGroup = GetObject("LDAP://" & Group)
objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
objGroup.SetInfo
Set objGroup = Nothing
Next
End If
End Sub
Sub Addgroups(strChangeDN,strVBDN)
On Error Resume Next
Set objUser = GetObject("LDAP://" & strVBDN)
arrMemberOf = objUser.GetEx("memberOf")
For Each Group in arrMemberOf
Set objGroup = GetObject("LDAP://" & Group)
objGroup.Add("LDAP://" & strChangeDN)
objGroup.SetInfo
Set objGroup = Nothing
Next
End Sub
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
This script has a modified version which can be found here:
For a sysadmin there are some time consuming tasks.
Enumerating large hierarchical (distribution) groups is certainly one of them, sometimes the nesting is 6 levels or more. This script is intended to make the above easier.
What the script does:
- connect to the Active Directory group object
- for all members of the group
- if the member is a group (nest) then create a subgroup object
- call the subroutine enumnestedgroup with the subgroup object as argument
- else if the member is a user , echo the mail and displayname of the user
- the subroutine enumnestedgroup uses recursion and basically repeats the above steps for all child-groups
At one occasion the above script did not come to an end. I was curious about the cause: the nested group was a member of itself (several levels deeper). After removing the membership the script ended normally.
The above script can easily be modified. For example: you can count the members that have more then one membership of the group. Also the user attributes of the output can easily be changed. For example: objMember.HomeDirectory gives the homeshare of the user. Please keep in mind that there are some minor object attribute naming differences between AD and ADSI. For example: objUser.AdsPath is the distinguishedName attribute of the user.
Follow the next steps to run the script (no admin rights needed):
- find the distinguished name of the nested group (adsiedit.msc)
- open your favorite text editor
- copy and paste the script into the editor
- change the distinguished name
- save the script (for example c:\temp\enumeratenestedgroup.vbs)
- open a command prompt
- go to “c:\temp”
- give “cscript enumeratenestedgroup.vbs” (without quotes) and enter
The script:
' Name : enumeratenestedgroup.vbs
' Description : script to enumerate the members of a nested group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 11-01-2010
Set objGroup = GetObject("LDAP://CN=testgroup,OU=groups,DC=test,DC=org")
For Each objMember in objGroup.Members
If (LCase(objMember.Class) = "group") Then
Set objSubGroup = GetObject(objMember.AdsPath)
Call EnumNestedgroup(objSubGroup)
Set objSubGroup = Nothing
Else
Wscript.Echo objMember.Mail & " ; " & objMember.DisplayName
End If
Next
Set objGroup = Nothing
Sub EnumNestedGroup(objNestedGroup)
For Each objSubMember In objNestedGroup.Members
If (LCase(objSubMember.Class) = "group") Then
Set objSubNestedGroup = GetObject(objSubMember.AdsPath)
Call EnumNestedGroup(objSubNestedGroup)
Set objSubNestedGroup = Nothing
Else
Wscript.Echo objSubMember.Mail & " ; " & objSubMember.DisplayName
End If
Next
End Sub
VN:F [1.9.3_1094]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.3_1094]
Recent Comments