Extracting a member group from AD

    Question

  • Hi, I am having a problem extracting a member group from the AD. I have tried this command but it came out with zero results.

    My server configuration was

    LIVERPOOL123.XYZ.ABC.com

    Under them will be

    Users (OU)
    --> Internet Users (Security Group)

    I would like to extract the Internet Users; therefore, my command line would be this:

    csvde -t 3268 -s LIVERPOOL123.XYZ.ABC.com -d "dc=XYZ,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(memberof=CN=Internet Users,OU=Users,DC=XYZ,DC=ABC,DC=com))" -l canonicalName,mail -f c:\internet_group.csv

    Unfortunately, this is the error message that appears.

    Connecting to "LIVERPOOL123.XYZ.ABC.com"
    Logging in as current user using SSPI
    Exporting directory to file c:\internet_group.csv
    Searching for entries...
    Writing out entries
    No Entries found


    There are no entries found. I am hoping a guru will assist me.

    Thanks.
    Tuesday, February 23, 2010 9:50 AM

All replies

  • My colleague found this script somewhere. It works well. No need to edit for your domain as it will prompt you.

    Dim objGroup, objUser, objFSO, objFile, strDomain, strGroup

    'Prompt for the name of the domain the group is in
    strDomain = InputBox("Enter the Domain name", "Data needed", "Default domain name")

    'Prompt for the name of the group whose members you want to export
    strGroup = InputBox("Enter the Group name", "Data needed", "Default group name")

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'The export file is created in the root of C: and named after the group.
    Set objFile = objFSO.CreateTextFile("C:\" & strGroup & " - Members.txt")

    'Bind to the group by name through the WinNT provider (no DN required)
    Set objGroup = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")

    'Write one member name per line
    For Each objUser In objGroup.Members
        objFile.WriteLine objUser.Name
    Next

    objFile.Close
    Set objFile = Nothing
    Set objFSO = Nothing
    Set objUser = Nothing
    Set objGroup = Nothing
    Wscript.Echo "Done"
    Wscript.Echo "Please check the c: for your output file"

    Tuesday, February 23, 2010 10:33 AM
  • First, I don't believe it is necessary to specify a server. Next, the base of your search is not in the same namespace. Also, I don't think you need to specify a port. I would try:

    csvde -d "dc=XYZ,dc=ABC,dc=com" -r "(&(objectCategory=person)(objectClass=user)(memberOf=cn=Internet Users,ou=Users,dc=XYZ,dc=ABC,dc=com))" -l canonicalName,mail -f c:\internet_group.csv

    Finally, is your group really in "ou=Users", or should this be "cn=Users"? Make sure you have the correct DN for the group.

    If you want all members, not just user members, you can skip the first two clauses of your filter and use just:

    -r "(memberOf=cn=Internet Users,ou=Users,dc=XYZ,dc=ABC,dc=com)"

    Richard Mueller
    MVP ADSI
    Tuesday, February 23, 2010 2:06 PM
    Moderator
  • Well, I have found an answer. It was strange and I need your comments about it.

    My original script would be 

    csvde -t 3268 -s LIVERPOOL123.XYZ.ABC.com -d "dc=XYZ,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(memberof=CN=Internet Users,OU=Users,DC=XYZ,DC=ABC,DC=com))" -l canonicalName,mail -f c:\internet_group.csv

    and guess what, I changed the (memberof=CN=Internet Users,CN=Users, DC ..... )

    *CN=Users 

    With the change to CN=Users instead of OU=Users, it works flawlessly. Can anyone explain this phenomenon?
    Tuesday, February 23, 2010 2:54 PM
  • The default builtin AD container is "cn=Users". The group must have been created in that container. It is also possible to create an Organizational Unit called "ou=Users", but that might be confusing. The default location in AD when you create objects is "cn=Users". Most organizations take advantage of the hierarchical nature of AD to organize their objects in OU's.

    In ADUC the icon for containers is slightly different from Organizational Units. The container icon looks like a folder. The OU icon looks like a folder with an open book inside. I recommend using a tool like ADSI Edit to view objects in AD and their attributes. Look at the distinguishedName attribute of your group. Unfortunately, this is not exposed in ADUC.

    Richard Mueller
    MVP ADSI
    Tuesday, February 23, 2010 3:20 PM
    Moderator
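
Following the advice above to check the group's distinguishedName, this added example (not part of the thread or anyone's post) looks the DN up by group name instead of typing it by hand, then uses it in the memberOf filter. It assumes a domain-joined Windows host with PowerShell; the function names are hypothetical, and `[adsisearcher]` searches the current user's domain by default.

```powershell
# Added example; function names are hypothetical. Requires a domain-joined host.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: \ * ( ) and NUL must be escaped inside a filter value.
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Get-GroupDistinguishedName {
    param([Parameter(Mandatory)][string]$Name)
    $n = ConvertTo-LdapFilterValue $Name
    $searcher = [adsisearcher]"(&(objectCategory=group)(|(cn=$n)(sAMAccountName=$n)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = @($searcher.FindAll())
    if ($hits.Count -ne 1) {
        throw "Expected one group named '$Name', found $($hits.Count)."
    }
    # The DN shows whether the parent is CN=Users (container) or OU=Users (OU).
    [string]($hits[0].Properties['distinguishedname'] | Select-Object -First 1)
}

function Get-GroupUserMember {
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = ConvertTo-LdapFilterValue (Get-GroupDistinguishedName $GroupName)
    # memberOf matches only on a complete, exact DN; wildcards are not supported.
    # It lists direct members only and omits primary-group membership.
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(memberOf=$dn))"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]('canonicalName', 'mail'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            canonicalName = [string]($r.Properties['canonicalname'] | Select-Object -First 1)
            mail          = [string]($r.Properties['mail'] | Select-Object -First 1)
        }
    }
}

# Same columns and output file as the csvde command in the thread.
Get-GroupUserMember 'Internet Users' |
    Export-Csv -Path 'C:\internet_group.csv' -NoTypeInformation
```
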
  • Richard

    One of the nicest things I found with ADUC in Server 2008 is all those goodies are there :)

    Once you go to "Advanced View" and choose "Properties" the Attribute Editor now reveals All.

    I don't think I've used ADSIEdit since Server 2008.

    I think I tried it with Server 2003 the other day and found this feature missing.  I wonder if it's a feature of the Domain or the RSAT?

    Sean
    The Energized Tech
    Powershell. It's so Easy and it's FREE! Dive in and use it now, It'll take no time. :) http://www.energizedtech.com http://www.itprotoronto.ca
    Tuesday, February 23, 2010 3:33 PM
    Moderator