Hi,
ADO can search AD for groups that have an empty "memberOf" collection. For
example, the following VBScript program is designed to be run at a command
prompt with the cscript host. The output can be redirected to a text file if
desired:
Option Explicit
Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strNTName
' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
' Search the whole domain for groups whose memberOf attribute has no values.
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=group)(!(memberOf=*)))"
strAttributes = "sAMAccountName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
' Page the results so that more than 1000 groups can be returned.
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
' Output one line per group found.
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName")
    Wscript.Echo "Group not member of any groups: " & strNTName
    objRecordSet.MoveNext
Loop
' Clean up.
objRecordSet.Close
objConnection.Close
However, note that this outputs all groups which are themselves not members
of any groups. You might have meant to query for all groups that have no
members, which means the "member" collection is empty. If so, simply replace
"memberOf" in the code above with "member", and modify the Wscript.Echo
statement. The "member" and "memberOf" attributes can be handled the same
way. They are both multi-valued.
Finally, note that neither attribute reveals membership in the "primary"
group. If you are seeking empty groups, perhaps to delete them, be aware of
this limitation of the LDAP provider. In my domain, searching for groups
that have no entries in the "member" collection reveals the "Domain Users"
group as appearing to be empty. This is because all members of this group
have this group designated as their "primary" group, and thus are not
included in the "member" attribute. If your goal is to identify empty
groups, it might be best to use the WinNT provider, which does reveal
membership in "primary" groups. However, ADO cannot be used with WinNT.
Also, the WinNT provider does not reveal groups as members of groups, so
this will only work if you do not have "nested" groups. You will have to
enumerate all groups and check for memberships. For example:
Dim objDomain, objGroup, objMember, blnEmpty
' Bind to the domain with the WinNT provider (MyDomain is the NetBIOS domain name).
Set objDomain = GetObject("WinNT://MyDomain")
' Only enumerate group objects.
objDomain.Filter = Array("group")
For Each objGroup In objDomain
    ' Assume the group is empty until the first member is found.
    blnEmpty = True
    For Each objMember In objGroup.Members
        blnEmpty = False
        Exit For
    Next
    If blnEmpty = True Then
        Wscript.Echo "Group with no members: " & objGroup.Name
    End If
Next
The above is much slower, but will reveal truly empty groups as long as you
don't have nested groups. Groups will show up as empty even though they have
other groups as members.
If you need to find truly empty groups, and need to account for "nested"
groups and "primary" group membership, reply to this post and I'll try to
find a way. Also, clarify what you are trying to do, as I may have assumed
too much.
--
Richard
Microsoft MVP Scripting and ADSI
http://www.rlmueller.net
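The two blind spots described above (primary-group membership missing from "member", and groups nested inside groups) worked through in Python as an added example, not code from the thread. The records are constructed stand-ins for what an LDAP search returning member, the RID of objectSid, and each user's primaryGroupID would give, so it runs offline; the group and user names are made up.

```python
"""Compare the (!(member=*)) view of empty groups with one that accounts for
primary groups and nested groups. Sample data is constructed, not real."""

# Constructed directory records: each group has its sAMAccountName, the RID
# from its objectSid and its "member" DNs; each user has its primaryGroupID.
GROUPS = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "name": "Domain Users",
     "rid": 513, "member": []},
    {"dn": "CN=Parent,OU=Groups,DC=example,DC=com", "name": "Parent",
     "rid": 1101, "member": ["CN=Child,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Child,OU=Groups,DC=example,DC=com", "name": "Child",
     "rid": 1102, "member": []},
    {"dn": "CN=Stale,OU=Groups,DC=example,DC=com", "name": "Stale",
     "rid": 1103, "member": []},
    {"dn": "CN=Direct,OU=Groups,DC=example,DC=com", "name": "Direct",
     "rid": 1104, "member": ["CN=alice,CN=Users,DC=example,DC=com"]},
]
USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "primaryGroupID": 513},
]


def ldap_empty(groups):
    """Groups the filter (&(objectCategory=group)(!(member=*))) would return."""
    return sorted(g["name"] for g in groups if not g["member"])


def primary_members(users):
    """Map each primary-group RID to the DNs of users whose primary group it is."""
    by_rid = {}
    for u in users:
        by_rid.setdefault(u["primaryGroupID"], set()).add(u["dn"])
    return by_rid


def effective_users(dn, by_dn, by_rid, seen):
    """User DNs reachable from group `dn`: direct members, members of nested
    groups (recursively) and primary-group members. `seen` stops cycles."""
    if dn in seen:
        return set()
    seen.add(dn)
    group = by_dn[dn]
    users = set(by_rid.get(group["rid"], set()))
    for member_dn in group["member"]:
        if member_dn in by_dn:  # nested group: expand it
            users |= effective_users(member_dn, by_dn, by_rid, seen)
        else:                   # a user (or other non-group object)
            users.add(member_dn)
    return users


def truly_empty(groups, users):
    """Groups with no users at all, including a group whose only members are
    themselves empty groups."""
    by_dn = {g["dn"]: g for g in groups}
    by_rid = primary_members(users)
    return sorted(g["name"] for g in groups
                  if not effective_users(g["dn"], by_dn, by_rid, set()))
```

With this data the LDAP-style check lists Domain Users as empty, while the fuller check drops it (its members are there by primaryGroupID) and adds Parent, whose only member is the empty group Child.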
--
What is the filter string to get the members of a group.
Is there a site which has sample filter string?
Thanks,
Bryan
"stefano ilardi" <stefano...@roche.com> wrote in message
news:002701c334ec$a8cd0300$a401...@phx.gbl...
If you actually meant groups with no members in them it would be
adfind -b dc=domain,dc=com -f "&(objectcategory=group)(!member=*)" -dn
Oh yeah, adfind can be had at www.joeware.net on the free win32 tools page.
--
Joe Richards
www.joeware.net
--