This script has a modified version which can be found here:
For a sysadmin there are some time-consuming tasks.
Enumerating large hierarchical (distribution) groups is certainly one of them; sometimes the nesting is 6 levels or more. This script is intended to make that easier.
What the script does:
- connect to the Active Directory group object
- for all members of the group:
  - if the member is a group (nest), create a subgroup object and call the subroutine EnumNestedGroup with the subgroup object as argument
  - else, if the member is a user, echo the mail and displayname of the user
- the subroutine EnumNestedGroup uses recursion and basically repeats the above steps for all child groups
On one occasion the above script did not come to an end. I was curious about the cause: the nested group was a member of itself (several levels deeper). After removing the membership the script ended normally.
The above script can easily be modified. For example: you can count the members that have more than one membership of the group. Also the user attributes of the output can easily be changed. For example: objMember.HomeDirectory gives the home share of the user. Please keep in mind that there are some minor object attribute naming differences between AD and ADSI. For example: objUser.AdsPath is the distinguishedName attribute of the user.
Follow the next steps to run the script (no admin rights needed):
- find the distinguished name of the nested group (adsiedit.msc)
- open your favorite text editor
- copy and paste the script into the editor
- change the distinguished name
- save the script (for example c:\temp\enumeratenestedgroup.vbs)
- open a command prompt
- go to “c:\temp”
- type “cscript enumeratenestedgroup.vbs” (without quotes) and press Enter
The script:
' Name : enumeratenestedgroup.vbs
' Description : script to enumerate the members of a nested group
' Author : dirk adamsky - deludi bv
' Version : 1.00
' Date : 11-01-2010
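' Bind to the top-level group (change the distinguished name to your own group)
Set objGroup = GetObject("LDAP://CN=testgroup,OU=groups,DC=test,DC=org")

For Each objMember in objGroup.Members
    If (LCase(objMember.Class) = "group") Then
        ' Member is a nested group: bind to it and walk its members
        Set objSubGroup = GetObject(objMember.AdsPath)
        Call EnumNestedGroup(objSubGroup)
        Set objSubGroup = Nothing
    Else
        ' Member is not a group: print mail address and display name
        Wscript.Echo objMember.Mail & " ; " & objMember.DisplayName
    End If
Next
Set objGroup = Nothing

' Recursively enumerates the members of a nested group.
' There is no check for circular nesting: a group that is (indirectly)
' a member of itself keeps this recursion going.
Sub EnumNestedGroup(objNestedGroup)
    For Each objSubMember In objNestedGroup.Members
        If (LCase(objSubMember.Class) = "group") Then
            Set objSubNestedGroup = GetObject(objSubMember.AdsPath)
            Call EnumNestedGroup(objSubNestedGroup)
            Set objSubNestedGroup = Nothing
        Else
            Wscript.Echo objSubMember.Mail & " ; " & objSubMember.DisplayName
        End If
    Next
End Sub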
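
The circular nesting described above makes the recursion run without end, and the text also suggests counting members that have more than one membership. The variant below is an added example, not the author's script: it remembers every group it has already expanded, skips it on a second visit, and reports users reached through more than one path. The names dictGroups, dictUsers and intDepth are introduced here, and, like the original, it assumes every non-group member has the mail and displayName attributes set.

```vbscript
' Added example: cycle-safe variant of enumeratenestedgroup.vbs.
' The DN below is the page's own sample value; change it as in the steps above.
Option Explicit

Dim dictGroups, dictUsers, objRoot, strKey
Set dictGroups = CreateObject("Scripting.Dictionary")   ' groups already expanded
Set dictUsers = CreateObject("Scripting.Dictionary")    ' user path -> times seen
dictGroups.CompareMode = vbTextCompare                  ' compare paths case-insensitively
dictUsers.CompareMode = vbTextCompare

Set objRoot = GetObject("LDAP://CN=testgroup,OU=groups,DC=test,DC=org")
Call EnumNestedGroup(objRoot, 0)
Set objRoot = Nothing

' Report members that reach the top-level group through more than one path
For Each strKey In dictUsers.Keys
    If dictUsers(strKey) > 1 Then
        WScript.Echo "Multiple memberships (" & dictUsers(strKey) & "): " & strKey
    End If
Next

Sub EnumNestedGroup(objGroup, intDepth)
    Dim objMember, objSubGroup

    ' Mark the group before walking its members so a loop back to it is caught
    dictGroups.Add objGroup.AdsPath, True

    For Each objMember In objGroup.Members
        If LCase(objMember.Class) = "group" Then
            If dictGroups.Exists(objMember.AdsPath) Then
                ' Already expanded: circular nesting or a second path to the same group
                WScript.Echo String(intDepth * 2, " ") & "[skipped, already expanded] " & objMember.AdsPath
            Else
                Set objSubGroup = GetObject(objMember.AdsPath)
                Call EnumNestedGroup(objSubGroup, intDepth + 1)
                Set objSubGroup = Nothing
            End If
        Else
            If dictUsers.Exists(objMember.AdsPath) Then
                dictUsers(objMember.AdsPath) = dictUsers(objMember.AdsPath) + 1
            Else
                dictUsers.Add objMember.AdsPath, 1
                WScript.Echo objMember.Mail & " ; " & objMember.DisplayName
            End If
        End If
    Next
End Sub
```

Each "[skipped, already expanded]" line marks a nesting relationship worth reviewing, since it is either a membership loop or a redundant path that makes effective membership harder to audit.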




