A little corner of the Empire on the web.

25 September, 2006

Active Directory Group Membership Queries

The problem with being known as the person who can pull a list of group members from AD into a text file in a few seconds is that you become a "go-to guy" for other AD queries. Which wouldn’t be such a bad thing, except that there aren't pre-written scripts for them all! I received a request today asking if I could pull out a list from AD of everyone who was a member of both a departmental group and a security group. Here's how I did it.

List the Members of an AD Group

For anyone who doesn't know already, there are a couple of easy ways that I know of to print a list of the members of one Active Directory group to a text file:

The "Command Line One-Liner"

As always with something that looks simple, you need to put in a little work first, but this time it’s very easy. First download the very useful PsExec utility from the Sysinternals website. This handy little tool lets you run commands on a remote machine as if you're logged directly onto it. Extract that and save it somewhere, preferably in your path.

Now all you need are a few bits of information that you should already know if you’re thinking of running this sort of query: the name of a domain controller on your network, and the username and password of an ID that has admin rights on that DC (unless your normal login account has these rights, in which case you really ought to do a security review ;-) ).

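Then run the following command from a command prompt (if you leave out -p, PsExec prompts for the password instead, which keeps it off the command line):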

psexec \\domain_controller -u domain_slash_userid -p password net group "group name"

This will list all of the group members at the command prompt. To redirect this output to a text file, just add "> c:\temp\groupmembers.txt" to the end, e.g.:

psexec \\domain_controller -u domain_slash_userid -p password net group "group name" > c:\temp\groupmembers.txt

The VBScript (or Perl) Method

Go to the Active Directory Cookbook's Source Code page and download Script 7.2 "Viewing the direct members of a group" in VBScript format (or Perl if you have Perl installed and are more comfy reading that).

Save the script somewhere, open it up in Notepad and replace the <groupdn> bit with the path to your group. Now change to a command line and run either:
"cscript View_Group_members.vbs" (for the VBScript version) or
"perl View_Group_members.pl" (for the Perl version)

While it is possible to just double-click either file in Explorer to run them, you don’t want to do that; the VBScript version will pop up an alert box on screen for each group member (meaning if you have a group with 100 members, you’ll get 100 alerts on your screen one after the other, each one wanting you to click OK), whereas the Perl version will dump its output to the command line then close the window before you have time to read it. So drop to a command line to run them.

If you want to send the output to a text file then (as above) just append a right-facing angle bracket and the name of a text file, e.g.:

cscript View_Group_members.vbs > c:\temp\groupmembers.txt

perl View_Group_members.pl > c:\temp\groupmembers.txt

Listing Everyone Who is Both a Member of Group A and Group B

(intersection of groups A and B)

Now listing everyone who is a member of both Group A and Group B is slightly more difficult, and I couldn't find a script online that pulls that out for you - so I wrote one myself. This is a Perl script as I've known Perl for years, and whilst I can read simple VBScript fairly well I wouldn't want to try writing it. So if you want to run it you’ll need to have a version of Perl installed; I can recommend ActiveState’s ActivePerl (see below for download instructions).

This is an adaptation of the above Perl script (http://rallenhome.com/books/adcookbook/src/07.02-view_group_membership.pls.txt for anyone who hasn't downloaded it yet) that pulls out the members of the two groups, hashes them, then prints the intersection to the command line.

The fine print at the bottom of the Cookbook's source code page seems to suggest that it’s ok to modify and distribute the code as long as the acknowledgement and citation are kept intact. So you can click to download my "Viewing the intersection of members of two groups".
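The same hash-then-intersect idea applied to two saved "net group" listings (the text files produced by the one-liner above), as an added example that is neither the downloadable script nor the Cookbook's code. It assumes the layout net group normally prints, with names in 25-character columns after a dashed rule; fake_listing, slurp and the sample account names are constructed for illustration.

```perl
use strict;
use warnings;

# Return the member names from the text "net group" prints. Assumption: names
# follow the dashed rule in fixed 25-character columns, three per line.
sub parse_net_group {
    my ($text) = @_;
    my (@members, $in_list);
    for my $line (split /\r?\n/, $text) {
        if ($line =~ /^-{10,}\s*$/) { $in_list = 1; next; }
        next unless $in_list;
        last if $line =~ /^The command completed/;
        # Cut by column width, not whitespace, so names with spaces survive.
        for (my $i = 0; $i < length($line); $i += 25) {
            (my $name = substr($line, $i, 25)) =~ s/^\s+|\s+$//g;
            push @members, $name if length $name;
        }
    }
    return @members;
}

# Hash group A's members (case-insensitively), keep group B's that are in it.
sub intersect {
    my ($group_a, $group_b) = @_;
    my %in_a = map { lc($_) => 1 } @$group_a;
    my @both = grep { $in_a{ lc($_) } } @$group_b;
    return sort @both;
}

# Build a constructed listing in the same layout (sample data, not real accounts).
sub fake_listing {
    my ($group, @names) = @_;
    my $rows = '';
    while (my @row = splice(@names, 0, 3)) {
        $rows .= join('', map { sprintf('%-25s', $_) } @row) . "\n";
    }
    return "Group name     $group\nComment\n\nMembers\n\n" . ('-' x 79) . "\n"
         . $rows . "The command completed successfully.\n";
}

sub slurp { my ($path) = @_; open(my $fh, '<', $path) or die "$path: $!"; local $/; return scalar <$fh>; }

# Two file arguments: the redirected outputs. No arguments: the sample data.
my ($text_a, $text_b) = @ARGV == 2
    ? (map { slurp($_) } @ARGV)
    : (fake_listing('Finance',   qw(alice bob carol dave), 'svc backup'),
       fake_listing('VPN Users', qw(Bob erin DAVE), 'svc backup'));
print "$_\n" for intersect([parse_net_group($text_a)], [parse_net_group($text_b)]);
```

Run it with the two redirected output files as arguments to compare real groups; names are matched case-insensitively and printed as they appear in the second listing.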


Note 1: Downloading ActivePerl

(Note to self: see also Kbase 1027070447)