
how to list GROUPS with empty MEMBEROF


stefano ilardi

Jun 17, 2003, 12:22:34 PM
Hello,
I am trying to produce a list of all groups which have an
empty "memberof" list when I look at them with Active
Directory Users and Computers. I tried to do a "custom"
query with the ADUC program search function, but ADUC does
not list "memberof" as an attribute of "group" objects.
Can anyone tell me how, or provide me a dsquery filter
which works? I do not care how to get the list; using the
command line dsquery would be fine.
thx

Richard Mueller [MVP]

Jun 17, 2003, 1:37:59 PM
stefano ilardi wrote:

Hi,

ADO can search AD for groups that have an empty "memberOf" collection. For
example, the following VBScript program is designed to be run at a command
prompt with the cscript host. The output can be redirected to a text file if
desired:

Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strNTName, arrstrGroups

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
strBase = "<LDAP://" & strDNSDomain & ">"

strFilter = "(&(objectCategory=group)(!(memberOf=*)))"
strAttributes = "sAMAccountName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName")
    Wscript.Echo "Group not member of any groups: " & strNTName
    objRecordSet.MoveNext
Loop

However, note that this outputs all groups which are themselves not members
of any groups. You might have meant to query for all groups that have no
members, which means the "member" collection is empty. If so, simply replace
"memberOf" in the code above with "member", and modify the Wscript.Echo
statement. The "member" and "memberOf" attributes can be handled the same
way. They are both multi-valued.

Finally, note that neither attribute reveals membership in the "primary"
group. If you are seeking empty groups, perhaps to delete them, be aware of
this limitation of the LDAP provider. In my domain, searching for groups
that have no entries in the "member" collection reveals the "Domain Users"
group as appearing to be empty. This is because all members of this group
have this group designated as their "primary" group, and thus are not
included in the "member" attribute. If your goal is to identify empty
groups, it might be best to use the WinNT provider, which does reveal
membership in "primary" groups. However, ADO cannot be used with WinNT.
Also, the WinNT provider does not reveal groups as members of groups, so
this will only work if you do not have "nested" groups. You will have to
enumerate all groups and check for memberships. For example:

' Bind to the domain with the WinNT provider and enumerate group objects only.
Set objDomain = GetObject("WinNT://MyDomain")
objDomain.Filter = Array("group")
For Each objGroup In objDomain
    ' Assume the group is empty until the first member is seen.
    blnEmpty = True
    For Each objMember In objGroup.Members
        blnEmpty = False
        Exit For
    Next
    If blnEmpty = True Then
        Wscript.Echo "Group with no members: " & objGroup.Name
    End If
Next

The above is much slower, but will reveal truly empty groups as long as you
don't have nested groups. Groups will show up as empty even though they have
other groups as members.

If you need to find truly empty groups, and need to account for "nested"
groups and "primary" group membership, reply to this post and I'll try to
find a way. Also, clarify what you are trying to do, as I may have assumed
too much.

--
Richard
Microsoft MVP Scripting and ADSI
http://www.rlmueller.net
--
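
The two blind spots described in the post above (primary-group membership is absent from "member", and nested groups count as members in LDAP but not in WinNT) can be combined into one check. This is an added Python example, not part of the original thread: it runs over constructed directory entries, and the names `entry`, `effective_accounts` and `audit` are hypothetical.

```python
# Constructed sample entries (not real directory data). Attribute names follow
# AD: "member" holds DNs; "primaryGroupID" is the RID of the primary group.
SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

def dn(name):
    return f"CN={name},DC=example,DC=com"

def entry(name, cls, rid, member=(), primary=None):
    return {"dn": dn(name), "class": cls, "objectSid": f"{SID}-{rid}",
            "member": [dn(m) for m in member], "primaryGroupID": primary}

ENTRIES = [
    entry("Domain Users", "group", 513),            # populated only via primary group
    entry("Sales", "group", 1105, member=["alice"]),
    entry("AllStaff", "group", 1106, member=["Sales"]),        # nests a populated group
    entry("Wrapper", "group", 1107, member=["Old Project"]),   # nests only an empty group
    entry("Old Project", "group", 1108),
    entry("alice", "user", 1201, primary=513),
    entry("bob", "user", 1202, primary=513),
]

def effective_accounts(group_dn, by_dn, primary, seen=None):
    """Accounts reachable via member, nested groups and primary-group membership."""
    seen = set() if seen is None else seen
    if group_dn in seen:                 # guard against circular nesting
        return set()
    seen.add(group_dn)
    group = by_dn[group_dn]
    # The RID (last SID component) is what accounts store in primaryGroupID.
    accounts = set(primary.get(int(group["objectSid"].rsplit("-", 1)[1]), ()))
    for m in group["member"]:
        child = by_dn.get(m)
        if child is not None and child["class"] == "group":
            accounts |= effective_accounts(m, by_dn, primary, seen)
        else:
            accounts.add(m)              # user, computer or unresolved DN
    return accounts

def audit(entries):
    """Per group: what (!(member=*)) would report vs. whether it is truly empty."""
    by_dn = {e["dn"]: e for e in entries}
    primary = {}
    for e in entries:
        if e["primaryGroupID"] is not None:
            primary.setdefault(e["primaryGroupID"], []).append(e["dn"])
    return {e["dn"]: {"ldap_member_empty": not e["member"],
                      "truly_empty": not effective_accounts(e["dn"], by_dn, primary)}
            for e in entries if e["class"] == "group"}
```

Groups where the two flags disagree are the ones to review by hand before any cleanup: "Domain Users" matches the LDAP filter yet is populated, while "Wrapper" has a "member" value yet contains no accounts.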


Bryan

Jun 17, 2003, 4:37:05 PM
Sorry if this is a basic question, I'm new to ADSI.

What is the filter string to get the members of a group?
Is there a site which has sample filter strings?

Thanks,
Bryan


"stefano ilardi" <stefano...@roche.com> wrote in message
news:002701c334ec$a8cd0300$a401...@phx.gbl...

Joe Richards [MVP]

Jun 17, 2003, 11:57:16 PM
adfind -b dc=domain,dc=com -f "&(objectcategory=group)(!memberof=*)" -dn

If you actually meant groups with no members in them it would be

adfind -b dc=domain,dc=com -f "&(objectcategory=group)(!member=*)" -dn

Oh yeah, adfind can be had at www.joeware.net on the free win32 tools page.


--
Joe Richards
www.joeware.net

--

"stefano ilardi" <stefano...@roche.com> wrote in message news:002701c334ec$a8cd0300$a401...@phx.gbl...
