List all AD users with memberof

  • Question

  • Hi, I have got this script and it works fine, but I can't add the memberof groups for each user.

    On Error Resume Next
    Const ADS_SCOPE_SUBTREE = 2
     
    Const ADS_UF_ACCOUNTDISABLE = &H0002
    Const ADS_UF_PASSWD_NOTREQD = &H0020
    Const ADS_UF_PASSWD_CANT_CHANGE = &H0040
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
    Const ADS_UF_SMARTCARD_REQUIRED = &H40000
     
     
    'Set RootDSE
    Set objRootDSE = GetObject("LDAP://rootDSE")
    strDomain = objRootDSE.Get("defaultNamingContext")
    strADPath = "LDAP://" & strDomain
    'wscript.Echo strADPath
    Set objDomain = GetObject(strADPath)
    'wscript.echo "objDomain: " & objDomain.distinguishedName
     
     
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand =   CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "SAURON"
    Set objCommand.ActiveConnection = objConnection
     
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
     
    objCommand.CommandText = _
        "SELECT Name, description, sAMAccountName, st, postalCode, co, l, profilePath, homeDrive, distinguishedName,userAccountControl FROM '"& strADPath &"' WHERE objectCategory='user'"  
    Set objRecordSet = objCommand.Execute
     
    objRecordSet.MoveFirst
    Set objFSO = CreateObject("scripting.filesystemobject")
    Set logStream = objFSO.opentextfile("C:\users\dom.adm.pa\desktop\domainusers.csv", 8, True)
    logStream.writeline("Name,Description,sAMAccountName,st,postalCode,co,l,Account Disabled,Password Required,User Changable Password,Password Expires,Login Count,Last Login,Last Password Change,Created,Modified")
    Do Until objRecordSet.EOF
     
            strDN = objRecordset.Fields("distinguishedName").Value
            Set objUser = GetObject ("LDAP://" & strDN)
             
            If objRecordset.Fields("userAccountControl").Value AND ADS_UF_ACCOUNTDISABLE Then
                    Text = "Yes"
            Else
                    Text = "No"
            End If
            If objRecordset.Fields("userAccountControl").Value AND ADS_UF_PASSWD_NOTREQD Then
                    Text = Text & ",No"
            Else
                    Text = Text & ",Yes"
            End If
             
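            ' Use the constant declared above. AD does not maintain this bit in
            ' userAccountControl; the setting is stored in the object's ACL.
            If objRecordset.Fields("userAccountControl").Value AND ADS_UF_PASSWD_CANT_CHANGE Then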
                    Text = Text & ",No"
            Else
                    Text = Text & ",Yes"
            End If   
            If objRecordset.Fields("userAccountControl").Value AND ADS_UF_DONT_EXPIRE_PASSWD Then
                    Text = Text & ",No"
            Else
                    Text = Text & ",Yes"
            End If

            ' Text holds the four userAccountControl columns named in the header
            logStream.writeline(objRecordset.Fields("Name").Value & "," _
                    & objRecordset.Fields("description").Value & "," _
                    & objRecordset.Fields("sAMAccountName").Value & "," _
                    & objRecordset.Fields("st").Value & "," _
                    & objRecordset.Fields("postalCode").Value & "," _
                    & objRecordset.Fields("co").Value & "," _
                    & objRecordset.Fields("l").Value & "," _
                    & Text & "," _
                    & objUser.logonCount & "," _
                    & objUser.LastLogin & "," _
                    & objUser.PasswordLastChanged & "," _
                    & objUser.whenCreated & "," _
                    & objUser.whenChanged)

            ' Advance to the next record; without this the loop never reaches EOF
            objRecordSet.MoveNext
    Loop
    logStream.Close


    Friday, February 28, 2014 9:44 AM

Answers

  • Are you looking for members:

    1) in a specific group, or
    2) list all users and all their direct groups, or
    3) get a complete list of all groups a user is a memberof, to include nested?

    I would recommend using Powershell.  It's made for this type of thing.  Some of the Cmdlets you can check are:

    List all users with all groups:

    Get-ADUser -filter * -properties memberof | select samaccountname,memberof

    List all members of a group:

    Get-ADGroupmember <groupname> -recursive 

    Get all groups a member is nested in:

    Get-ADAccountAuthorizationGroup <username> | ft name


    - Chris Ream -

    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**


    Friday, February 28, 2014 10:03 AM
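
    The report the question asks for, built on the Get-ADUser approach from the answer above. This is an added example, not code from the thread; the function name ConvertTo-UserReportRow, the output file name, the ';' group separator and the sample user are assumptions made for illustration.

```powershell
# Added example (not from the thread); requires the RSAT ActiveDirectory module.
function ConvertTo-UserReportRow {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # memberOf holds group DNs (the primary group is not in it). Keep the first
        # RDN of each DN and undo backslash escaping of characters such as ','.
        $groups = foreach ($dn in $User.MemberOf) {
            if ($dn -match '^CN=((?:\\.|[^,\\])+),') { $Matches[1] -replace '\\(.)', '$1' }
            else { $dn }
        }
        [pscustomobject]@{
            Name               = $User.Name
            Description        = $User.Description
            sAMAccountName     = $User.SamAccountName
            st                 = $User.st
            postalCode         = $User.PostalCode
            co                 = $User.co
            l                  = $User.l
            AccountDisabled    = -not $User.Enabled
            PasswordRequired   = -not $User.PasswordNotRequired
            UserCanChangePwd   = -not $User.CannotChangePassword
            PasswordExpires    = -not $User.PasswordNeverExpires
            LoginCount         = $User.logonCount      # per-DC value, not replicated
            LastLogin          = $User.LastLogonDate   # derived from lastLogonTimestamp
            LastPasswordChange = $User.PasswordLastSet
            Created            = $User.whenCreated
            Modified           = $User.whenChanged
            MemberOf           = @($groups) -join ';'
        }
    }
}

# Constructed sample object shaped like Get-ADUser output, for an offline check.
$sample = [pscustomobject]@{
    Name = 'Test User'; SamAccountName = 'tuser'; Enabled = $true
    PasswordNotRequired = $true; PasswordNeverExpires = $false; CannotChangePassword = $false
    MemberOf = 'CN=Helpdesk,OU=Groups,DC=example,DC=test',
               'CN=Ops\, Tier 2,OU=Groups,DC=example,DC=test'
}
$sample | ConvertTo-UserReportRow | Format-List Name, PasswordRequired, MemberOf

# Live export, run only where the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $props = 'Description','st','PostalCode','co','l','logonCount','LastLogonDate',
             'PasswordLastSet','PasswordNotRequired','PasswordNeverExpires',
             'CannotChangePassword','whenCreated','whenChanged','MemberOf'
    Get-ADUser -Filter * -Properties $props | ConvertTo-UserReportRow |
        Export-Csv -Path .\domainusers.csv -NoTypeInformation -Encoding UTF8
}
```

    Export-Csv quotes every field, so descriptions or group names that contain commas do not shift the columns.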

All replies

  • That is correct.  The "memberof" is  an array of DNs and is not retrievable via ADO.  You need to use GetObject with aDSPath to get the user.


    ¯\_(ツ)_/¯

    Friday, February 28, 2014 6:49 PM
  • Here is an example of how to use VBScript to return the "memberOf" list and ALL other user fields.  We just use ADO to search for all user objects then retrieve the actual object.

    If you are not a tech or have no scripting experience then, by all means, use PowerShell.


    ¯\_(ツ)_/¯

    Friday, February 28, 2014 7:11 PM
  • I recommended a PS solution because a lot of people download a VBScript, post it to the forums for modification, then want someone else to change it so they can run it.

    Powershell is a 'non-scripting admin' friendly tool that people generally understand better.


    - Chris Ream -

    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

    Saturday, March 1, 2014 3:09 AM