I need to figure out how to check all users in an OU if they are a
member of security group1 or a member of security group 2. If they
are not either a member of group 1 or group 2 then I need to list the
user. -- Thank you.

Re: check all users in an ou if they are either a member of a specific or another group by Richard

Richard
Fri Feb 01 18:01:00 CST 2008

SuQ wrote:

>I need to figure out how to check all users in an OU if they are a
> member of security group1 or a member of security group 2. If they
> are not either a member of group 1 or group 2 then I need to list the
> user. -- Thank you.

If you are only concerned with direct group membership (you can ignore
membership due to group nesting), you can query for all users that are not a
member of either group. You need to specify the full Distinguished Names of
the groups. The filter would be similar to:

strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(!memberOf=cn=Group1,ou=West,dc=MyDomain,dc=com)" _
& "(!memberOf=cn=Group2,ou=West,dc=MyDomain,dc=com))"

The base of the query would be the OU. See this link for tips on using ADO
to search AD for things like this:

http://www.rlmueller.net/ADOSearchTips.htm

In this case the VBScript program would be similar to:
=============
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim strQuery, adoRecordset, strName, strDN

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search only the specified OU.
strBase = "<LDAP://ou=West,dc=MyDomain,dc=com>"

' Filter on user objects not members of Group1 or Group2.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(!memberOf=cn=Group1,ou=West,dc=MyDomain,dc=com)" _
    & "(!memberOf=cn=Group2,ou=West,dc=MyDomain,dc=com))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strName = adoRecordset.Fields("sAMAccountName").Value
    strDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strName & ", " & strDN
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close


--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



Re: check all users in an ou if they are either a member of a by SuQ

SuQ
Tue Feb 05 09:38:46 CST 2008

Thank you for the above. I have looked at your site a lot in the last
year and it has helped me a lot in learning vbscript.

I modified the above and it runs. I'm not sure if I'm doing something
wrong in my ldap above but it looks like when I run it -- I get a list
of all the users in that OU. I believe if I ran it correctly, I would
possibly get a small list of users that are not a member of either
group. I have a subou that has only users in it. I also have a sub
ou that has just groups in it. My ldap looks sorta like this:
strBase = "<LDAP://ou=users,ou=abc,dc=MyDomain,dc=com>"

filter part is ......
& "(!memberOf=cn=abc.Group1,ou-users,ou=abc,dc=MyDomain,dc=com)" _
& "(!memberOf=cn=abc.Group2,ou=users,ou=abc,dc=MyDomain,dc=com))"

Thank you.



Re: check all users in an ou if they are either a member of a specific or another group by Richard

Richard
Tue Feb 05 11:37:45 CST 2008



Make sure you do not use "On Error Resume Next". Also, the two filter
clauses should be operated on by the AND operator, so you retrieve users
where both clauses are satisfied (the user is not a member of Group1 and
also not a member of Group2). The filter should be:

"(&(!memberOf=cn=abc.Group1,ou=users,ou=abc,dc=MyDomain,dc=com)" _
    & "(!memberOf=cn=abc.Group2,ou=users,ou=abc,dc=MyDomain,dc=com))"

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
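
Added example, not part of the original thread or of Richard's code: the AND-of-NOT filter logic discussed above, written in Python so it can be checked offline against constructed sample users. The function names and sample accounts are hypothetical, the filter is emitted in the parenthesised RFC 4515 form `(!(memberOf=...))`, only direct membership is considered, and the builder rejects a group DN containing a component without `=`, like the `ou-users` that appears in the posted filter.

```python
import re

# Constructed sample data (not from the thread); group DNs follow the first reply.
GROUP1 = "cn=Group1,ou=West,dc=MyDomain,dc=com"
GROUP2 = "cn=Group2,ou=West,dc=MyDomain,dc=com"
SAMPLE_USERS = [                      # (sAMAccountName, direct memberOf values)
    ("alice", [GROUP1]),
    ("bob", [GROUP2]),
    ("carol", []),
    ("dave", [GROUP1, GROUP2]),
]

# Simplified RDN shape check (type=value); not a full RFC 4514 parser.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def bad_rdns(dn):
    """Return the components of dn that are not in type=value form."""
    parts = re.split(r"(?<!\\),", dn)          # split on unescaped commas
    return [p for p in parts if not _RDN.match(p.strip())]

def escape_filter_value(value):
    """Escape RFC 4515 special characters (backslash, *, parentheses, NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def not_member_filter(group_dns):
    """Build the AND-of-NOT filter; refuse group DNs that are malformed."""
    for dn in group_dns:
        if bad_rdns(dn):
            raise ValueError("malformed group DN %r: %r" % (dn, bad_rdns(dn)))
    clauses = "".join("(!(memberOf=%s))" % escape_filter_value(dn)
                      for dn in group_dns)
    return "(&(objectCategory=person)(objectClass=user)%s)" % clauses

def users_in_neither(users, group_dns):
    """Local check of the same logic: direct membership only, DNs compared
    case-insensitively. A DN that equals no memberOf value excludes nobody."""
    wanted = {dn.lower() for dn in group_dns}
    return [name for name, member_of in users
            if not wanted & {dn.lower() for dn in member_of}]

if __name__ == "__main__":
    print(not_member_filter([GROUP1, GROUP2]))
    print(users_in_neither(SAMPLE_USERS, [GROUP1, GROUP2]))
    typo = GROUP1.replace("ou=West", "ou-West")   # constructed typo
    print(bad_rdns(typo), users_in_neither(SAMPLE_USERS, [typo, GROUP2]))
```

In the local comparison, the mistyped group DN stops excluding that group's members, so the result list grows; validating the DNs before building the filter catches this before the query is run.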



Re: check all users in an ou if they are either a member of a by SuQ

SuQ
Tue Feb 05 15:10:31 CST 2008


The groups are not nested. I probably didn't explain it well at first.
The user should not be a member of group1 AND group2. They should
already be a member of group1 OR group2, but there is a possibility
that they are not a member of either group. And if that's the case,
then I want to list it, so I can go back and add them to their right
group 1 or group 2.