none
[SOLVED] Active Directory Saved Query - Group Member Listing

    Question

  • Hi all. Just signed up today and I was hoping to simplify a task I'm sure we may all benefit from.
    I thank you in advance for clicking on this post!
    I want to warn you that I'm no coding guru - I apologize for that.

    I'm hoping I some one could assist me in the creation of a saved query in AD (Server 2003 environment) that would report all users in a particular group. From time to time it would be nice to see what users are members of certain groups. Going to the group and getting the user ID is great - but then I have to get their full name (First and Last). A query that would report this information could be very useful.

    I thought it would look something like this:
    Code: ( text )
    1. (&(objectCategory=group)(objectCategory=user)(givenName=*)(sn=*)(cn=*)(userPrincipalName=*)(cn=GROUP_N AME_HERE))
    or
    Code: ( text )
    1. (&(objectCategory=person)(objectClass=user)(&(objectCategory=group)(name=GROUP_NAME_HERE))
    (and minor variants of the above)

    But obviously I'm wrong. Could someone shed some light on what I'm doing wrong and how I can properly construct AD queries?
    Sorry for any inconveniences this may have caused, especially if this is in the wrong forum.
    • Edited by JuliusPIV Thursday, May 12, 2011 2:48 PM
    Tuesday, July 10, 2007 12:08 PM

Answers

  • Save query will only give you the list of objects match your query. I don't think it will display the properties that match your query.

    Anyway, why not use a simple dsquery command on command prompt to list the member of a group.

    Following command will provide you first name and last name of member of a group:

     

    Code Snippet

    dsquery group domainroot -name groupname | dsget group -members | dsget user -fn -ln

     

    Tuesday, July 10, 2007 3:46 PM
  • Hi,

    the following filter returns the members of a specific group.
    You have to specify the groups distinguishedName.

    Code Snippet
    (&(objectClass=User)(memberOf=CN=myGroup,OU=MyContainer,DC=myOrg,DC=local))

     

    For example:

    Code Snippet
    ldifde -f groupMembers.txt -r "(&(objectClass=User)(memberOf=CN=myGroup,OU=MyContainer,DC=myOrg,DC=local))" -l "sAMAccountName,givenName,sn"

     

    /F
    • Marked as answer by JuliusPIV Wednesday, June 10, 2009 3:55 PM
    Tuesday, July 10, 2007 5:05 PM
  • although the other answer is complete, you can also use an attribute scoped query...

     

    for that download for example the following AD query tool ADFIND from joeware (also have a look at that guy's other powerful tools, which are free by the way)

     

    TO RETRIEVE THE DN OF THE GROUP

    adfind -default -f "(&(objectCategory=group)(name=<GROUPNAME>))" -dsq

    or

    adfind -default -f "(&(objectCategory=group)(name=<GROUPNAME>))" -dn

     

    TO RETRIEVE THE PROPERTIES (givenName=firstname, sn=surname sAMAccountName, pre-w2k logon name, description=description, cn=full name, displayName=displayname) OF THE MEMBERS OF THE GROUP

    adfind -b "<DN of group>" -asq member givenName sn sAMAccountName description cn displayName

     

    cheers,

    Jorge

     

    • Marked as answer by JuliusPIV Wednesday, June 10, 2009 3:55 PM
    Wednesday, July 11, 2007 12:03 PM

All replies

  • Save query will only give you the list of objects match your query. I don't think it will display the properties that match your query.

    Anyway, why not use a simple dsquery command on command prompt to list the member of a group.

    Following command will provide you first name and last name of member of a group:

     

    Code Snippet

    dsquery group domainroot -name groupname | dsget group -members | dsget user -fn -ln

     

    Tuesday, July 10, 2007 3:46 PM
  • Hi,

    the following filter returns the members of a specific group.
    You have to specify the groups distinguishedName.

    Code Snippet
    (&(objectClass=User)(memberOf=CN=myGroup,OU=MyContainer,DC=myOrg,DC=local))

     

    For example:

    Code Snippet
    ldifde -f groupMembers.txt -r "(&(objectClass=User)(memberOf=CN=myGroup,OU=MyContainer,DC=myOrg,DC=local))" -l "sAMAccountName,givenName,sn"

     

    /F
    • Marked as answer by JuliusPIV Wednesday, June 10, 2009 3:55 PM
    Tuesday, July 10, 2007 5:05 PM
  • although the other answer is complete, you can also use an attribute scoped query...

     

    for that download for example the following AD query tool ADFIND from joeware (also have a look at that guy's other powerful tools, which are free by the way)

     

    TO RETRIEVE THE DN OF THE GROUP

    adfind -default -f "(&(objectCategory=group)(name=<GROUPNAME>))" -dsq

    or

    adfind -default -f "(&(objectCategory=group)(name=<GROUPNAME>))" -dn

     

    TO RETRIEVE THE PROPERTIES (givenName=firstname, sn=surname sAMAccountName, pre-w2k logon name, description=description, cn=full name, displayName=displayname) OF THE MEMBERS OF THE GROUP

    adfind -b "<DN of group>" -asq member givenName sn sAMAccountName description cn displayName

     

    cheers,

    Jorge

     

    • Marked as answer by JuliusPIV Wednesday, June 10, 2009 3:55 PM
    Wednesday, July 11, 2007 12:03 PM
  • Thanks to everyone for taking the time to look at this.  The suggestion provided by acchong seems to have given me the information I was looking for.

    As for your suggestions Fredrik Lindström  & Jorge de Almeida Pinto : I will give them a shot!  Thank you again so much I greatly appreciate your input.
    Wednesday, July 11, 2007 7:48 PM
  • Save query will only give you the list of objects match your query. I don't think it will display the properties that match your query.

    Anyway, why not use a simple dsquery command on command prompt to list the member of a group.

    Following command will provide you first name and last name of member of a group:

     

     

    Code Snippet

    dsquery group domainroot -name groupname | dsget group -members | dsget user -fn -ln

     

     


    That also works for exactly the information I was wanting - thanks acchong
    Thursday, May 21, 2009 6:37 PM
  • In an effort to consolidate the great troubleshooting solutions offered in this thread, we have summarized the information contained here into a TechNet Wiki article at the following location:

     

    How to list Active Directory group members  

     

    Please feel free to provide feedback on the article at the Wiki site, or you can edit the article itself.

     

    Justin Hall [MSFT]

    Active Directory Documentation Team

    Monday, November 22, 2010 8:10 PM
  • Do you all think I should update the wiki to include how to find the members if nested groups come into play.  I blogged about it here:

    http://adisfun.blogspot.com/2009/06/find-group-members.html

    ,,,and even that won't get everything due to primary group membership.  Joe has a blog (read the comments too) about that  http://blog.joeware.net/2007/08/01/939/

     

    I'm guessing for 95% of people the wiki is find...so not sure how in-depth we want to go there.

     

    Thanks

    Mike


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    Monday, November 22, 2010 8:18 PM
  • Hi,

    Perfect!

    It's worked for me.

    Many Thanks

    Tuesday, June 05, 2012 11:57 AM
  • Very useful acchong worked a treat for me. Many thanks
    Thursday, March 21, 2013 11:22 AM