Script Request: Query AD Groups and Computers

    Hi,

    I've spent a while (couple of hours) looking but not found a script to do this for me, so hopefully someone can help me?

    Background:

    Server 2003 domain, XP desktops, no PowerShell

    Requirement:

    To have a VBScript that can query AD to find computers within a known set of groups and output the group (Column 1) and Computer (Column 2) into a .csv file.

    Ideally, I'd like to be able to use a groups.txt file that the script can read for the groups. All that will be in the text file is a list of groups (Group1, Group2, ... Group30). The only other thing I think I need to mention is that the group names have spaces and brackets in them. An example of the group name would be " XX XXX 1.12.12345 (xx)"

    Anyone got any ideas?

    Tuesday, April 17, 2012 11:28 PM

Answers

  • The LDAP syntax query to find all computer objects that are members of a specified group would be similar to:

    (&(objectCategory=computer)(memberOf=cn=Test group,ou=West,dc=MyDomain,dc=com))

    -----

    Notice that you must specify the full distinguished name of the group. A similar filter to retrieve all computers that are members of any two specified groups would be similar to:

    (&(objectCategory=computer)(|(memberOf=cn=Group 1,ou=West,dc=MyDomain,dc=com)(memberOf=cn=Group 2,ou=East,dc=MyDomain,dc=com)))

    -----

    The "&" is the AND operator, the "|" (pipe symbol) is the OR operator. You would use these filters and ADO in a VBScript program to retrieve computers meeting your conditions. Documentation on how to use ADO, and the LDAP filter syntax, here:

    http://www.rlmueller.net/ADOSearchTips.htm

    The base of your query would be the entire domain, the scope would be "subtree" so that all OUs and containers are searched, and the comma-delimited list of attribute values to retrieve might be:

    sAMAccountName,memberOf

    A few other notes based on your post: First, if by the "Name" of a group you mean the "Common Name" (the value of the cn attribute), remember that this does not uniquely identify the group in AD. Only the sAMAccountName (pre-Windows 2000 logon name) and the distinguished name uniquely identify the group (besides the objectSID and objectGUID). Since the memberOf attribute of any object (like computer objects) is a DN attribute, it is a collection of distinguished names. If you must start with the sAMAccountNames of the groups, then you will need more code (using the NameTranslate object) to convert these names into distinguished names for the query in VBScript. Your task will be much simpler if your text file of groups has one group distinguished name per line.

    I don't think your specification for the output file works. What if a computer is a member of more than one of the groups? Will it be listed twice? If so, rather than one query for all computers that are members of any of the groups (the second filter I gave), you should use a separate query for each group (my first filter above). Then you only need to retrieve the computer names (distinguishedName, cn, or sAMAccountName). This latter plan seems like it would work better.


    Richard Mueller - MVP Directory Services

    Wednesday, April 18, 2012 12:42 AM
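The plan in the accepted answer (one ADO query per group, reading group distinguished names from a text file, writing Group,Computer rows) as an added VBScript example; this is not a script from the thread or from Richard Mueller's site. It assumes groups.txt holds one group DN per line, that the output file is computers.csv in the current directory, and that sAMAccountName is the computer name wanted. It also escapes the group DN before it is placed in the filter: the group names in the question contain parentheses, which would otherwise close the filter term early, and a backslash inside a DN (an escaped comma, for example) must be written as \5c inside a filter.

```vbscript
' Added example (not from the thread): read group DNs from groups.txt,
' run one ADO/LDAP query per group, write "Group,Computer" rows to a CSV.
Option Explicit

Const ForReading = 1

Dim objFSO, objGroups, objCSV, objRootDSE, strBase
Dim adoConnection, adoCommand, adoRecordset
Dim strGroupDN, strFilter, strQuery, strComputer

' File names are assumptions; change them to suit.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objGroups = objFSO.OpenTextFile("groups.txt", ForReading)
Set objCSV = objFSO.CreateTextFile("computers.csv", True)
objCSV.WriteLine "Group,Computer"

' RootDSE gives the domain naming context; the search base is the whole
' domain and the scope is subtree, so every OU and container is covered.
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"

Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 200    ' paging, so more than 1000 hits are returned
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

Do Until objGroups.AtEndOfStream
    strGroupDN = Trim(objGroups.ReadLine)
    If strGroupDN <> "" Then
        ' One query per group, as the answer suggests: a computer that sits
        ' in two groups is then reported once under each group.
        strFilter = "(&(objectCategory=computer)(memberOf=" & EscapeFilterValue(strGroupDN) & "))"
        strQuery = strBase & ";" & strFilter & ";sAMAccountName;subtree"
        adoCommand.CommandText = strQuery
        Set adoRecordset = adoCommand.Execute
        Do Until adoRecordset.EOF
            ' Computer sAMAccountNames end in "$"; drop it for the report.
            strComputer = adoRecordset.Fields("sAMAccountName").Value
            If Right(strComputer, 1) = "$" Then strComputer = Left(strComputer, Len(strComputer) - 1)
            objCSV.WriteLine CsvQuote(strGroupDN) & "," & CsvQuote(strComputer)
            adoRecordset.MoveNext
        Loop
        adoRecordset.Close
    End If
Loop

objGroups.Close
objCSV.Close
adoConnection.Close

' RFC 4515 escaping for a value placed inside an LDAP filter. Backslash is
' handled first so the escapes it produces are not re-escaped. Without this,
' a group name such as "XX 1.12.12345 (xx)" breaks the filter, and a value
' taken from an untrusted file could alter the query.
Function EscapeFilterValue(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    EscapeFilterValue = strOut
End Function

' Quote a CSV field: DNs contain commas, so always wrap the field in
' double quotes and double any embedded quote.
Function CsvQuote(strValue)
    CsvQuote = """" & Replace(strValue, """", """""") & """"
End Function
```

Run it with cscript from a prompt on a domain-joined machine (cscript groups.vbs); the account running it only needs read access to the directory. If the text file holds sAMAccountNames rather than DNs, each name must first be converted with the NameTranslate object mentioned in the answer, and the EscapeFilterValue function still applies to whatever DN that conversion returns.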

All replies

  • Start here;

    http://gallery.technet.microsoft.com/scriptcenter

    Once you have your script together post back with any specific questions.

    We cannot write your script for you but will try to help you get your task done. 

    If your script is long then just post the bits that you need help with. This is also a good way to focus on the problem. Many times it will lead you to seeing the answer.

    Good luck.


    ¯\_(ツ)_/¯

    Tuesday, April 17, 2012 11:32 PM
  • Thanks for your help there guys.

    jrv, I did spend a bit of time going through the script centre before posting. While it would have been nice for someone to have written it for me, I didn't expect that. I was thinking more along the lines of someone posting a link to an existing script either here or on another site :)

    Richard, thanks for the pointers, I'm a complete n00b when it comes to scripting, but that's given me a starting point. In regard to your question "What if a computer is a member of more than one of the groups?" In this domain that shouldn't be an issue as the groups are resource groups and a computer should not be a member of more than one. However, point noted.

    I'll see how far I get and post it up here if I get stuck, and if I do get it working I'll make sure I'll post it too.

    Wednesday, April 18, 2012 1:26 AM
    Mike - you have very specific requirements. It is highly unlikely that anyone will have a script that will come anywhere close to what you are asking. Your best bet is to start a script and ask questions as you progress.

    The link to the repository is useful because there are many scripts that will be a good starting place.  Pick one and modify it to your needs.


    ¯\_(ツ)_/¯

    Wednesday, April 18, 2012 4:37 AM
  • Thank you both jrv and Richard for your assistance.

    The person who asked me for this script no longer requires it. While I'd like to get it working for my own benefit/experience I no longer have a driver for it so it'll sit on the back burner for now.

    Cheers,

    Mike

    Monday, April 23, 2012 2:48 AM