howto://document Active Directory-group memberships

 

Let’s talk some more about documenting Active Directory. I got a request the other day from someone wanting to know all the members of a list of AD groups. On the surface it may seem like a pretty straight-forward request, but there is no way to get that information out of the graphical tools. You cannot export the membership of a group, or even copy/paste it. The best you can do in ADUC is export a list of objects from a particular OU or query to a text file.

And that is a good place to start. This post will show you how to list out the group memberships of groups. Why would we want to do this? Doing this quarterly, and then comparing the results to the previous quarter’s results, is a good way to make sure group memberships still reflect the proper users. People change jobs, or move from one project to another. Sometimes we’re in such a hurry to grant them new access, that we forget to go back and revoke the access that is no longer required. Documenting and tracking group memberships, having a department head or data owner reviewing and confirming appropriate rights, and removing rights that are no longer required are good things to do, and will make auditors happy. Having this information on hand is a good way to keep on top of your AD and make sure group memberships are still appropriate.

 

The commands

We are going to have to use two commands together, dsquery and dsget. We’ll use dsquery to retrieve data from Active Directory, and we’ll pipe that data into dsget to list out certain pieces of information. Let’s start with a simple task…listing the members of a single group. Open a cmd-prompt and enter this command.

dsquery group –name "domain admins" | dsget group –members [enter]

This will query AD about the group Domain Admins, and pipe it through dsget to list out the members. Notice that we enclosed the group name in quotes. You will need to do that for any group that contains spaces in the name. Please also not that the data returned was the distinguished name of every user object that belongs to the group. Try the command again, this time using the administrators group. No spaces in the name, so no quotes required.

dsquery group –name administrators | dsget group –members [enter]

Here you should notice that the output shows your Domain Admins group as member of administrators. This won’t recursively list out nested groups, so if you have nested groups, add "-expand" after "-members," or in other words

dsquery group –name administrators | dsget group –members -expand [enter]

The list

Okay, so now that we know how to list the members of a single group, lets see what we need to do in order to do the same thing for several groups at once. We need to start with a list in the form of a text file. One group per line, and unless you are lucky enough to have a naming convention that prohibits spaces, you may as well quote enclose each group name. You could do this by hand, but why would you?

To dump a list of groups from ADUC, do this.

1. Launch ADUC
2. Browse down to the OU that contains the groups you are interested in.
3. Right-click the OU, and choose "Export List…"
4. This will create a tab separated value file with Name, Type, and Description. You’ll want to edit that to get rid of the Type and Description, and the header. Remember to quote enclose all the names with spaces. Did you know that PSPad has a column select mode? Makes this kind of edit dead simple.

You could also use the Queries function in AD to get a list of groups that contain a common naming element or other attribute. Or, you could just dump a list of all the groups in your domain. Open a cmd prompt and enter this.

dsquery group -limit 0 > groups.txt

The –limit # tells dsquery to return all the groups. The default is 100, so if you have more groups than that, set your limit, otherwise use 0 to set no limit. The great thing about doing it this way is that it just dumps the group names and encloses them in quotes for you. Win.

Putting them together

With that list in hand, cleaned up as required, you can now work a little cmd-line magick to dump a report. In the following command, we iterate through our file, put the name of a group at the top of a section, and then list all the members out beneath it. The following syntax assumes you are pasting it into a *.cmd file for repeated use. If you want to execute this at the cmd prompt directly, use a single % before each variable  instead of a double (cmd line use %I, batch file use %%I.)

for /f "tokens=* delims=;" %%I in (group.txt) do echo %%I >> groupmembers.txt && dsquery group -name %%I | dsget group –members –expand >>groupmembers.txt

That gives you data in a pretty form that should satisfy any auditor, or make it easy to divide up and send to managers/directors for review. Well I hope this little exercise with documenting AD groups will prove helpful to you. Speaking of groups, I’d like to close today’s post with one of my favourites. They even have ‘group’ in their name. If you’ve never experienced the Blue Man Group, go out of your way to do so; either live, or keep your eyes open on your local PBS station. They usually air a BMG special during fundraising time. Enjoy.

direct link for RSS and email subscribers…http://www.youtube.com/watch?v=C5-ClvcHtK4&feature=related

What kind of documentation do you keep on AD?

You might also enjoy:

1. howto://document Active Directory-infrastructure
2. Scripting AD group creation using dsadd
3. howto://bulk modify user home directory paths with dsmod
4. Getting started with Splunk…using Active Directory authentication

Tagged as: active directory, howto