Mr. Roboto

Command Performance

This month, more fun with group membership with Mr. Roboto's Group Reporter HTA.

As Clint Eastwood once said as Dirty Harry in the movie Magnum Force: "A man's got to know his limitations." I've realized the graphical tool I gave you last month for reviewing group membership on local computers or domains has its own limitations.

For one, you could only report on one group at a time or check one server at a time. What if you wanted to check all groups or a list of servers? What if you wanted a report on all domain groups? A query like this could take a while, so you would have had to schedule it for non-production hours. The original HTA couldn't meet those needs.

Take Command
With that in mind, I developed a command-line version of Mr. Roboto's Group Reporter HTA. The file is a Windows Script File designed to run from a command line using CSCRIPT. For syntax help and a brief usage guide, run:

Cscript groupreportercli.wsf /?

You can use this tool to enumerate all groups and their members on a specified domain, a list of computers or all groups within a given Active Directory container. If you specify a computer name or a list of computers, it will enumerate all the local groups. Use this syntax to query all local groups on a specific computer:

Cscript groupreportercli.wsf /s:myserver23

If you prefer, you can also run through a list of computer names:

Cscript groupreportercli.wsf /L:servers.txt

There isn't any provision to grab a list of servers from an organizational unit (OU), but you can easily export such a list to a text file and use it here. When you specify a container or OU, it will enumerate all groups within that container. By default, the search won't enumerate any nested containers or OUs, but you can specify /recurse to find all groups in any child containers. If you want to search your entire domain, use this type of syntax:

Cscript groupreportercli.wsf /dn:DC=MyDomain,dc=local /recurse

You'll also be able to enumerate certain types of groups. Valid options are Security, Distribution or *. The default is * for all groups. Use the /expand parameter to expand any nested group membership. The default setting is to not expand nested groups. Use this option with caution, especially in large domains:

Cscript groupreportercli.wsf /dn:dc=mydomain,dc=local /recurse /expand /t:security

Roboto on Demand

Download Mr. Roboto's Group Reporter HTA at: www.jdhitsolutions.com/scripts. Extract the script to any directory you want and open a command prompt.

What Windows admin task would you like Mr. Roboto to automate next? Send your suggestions to jhicks@redmondmag.com.

The /expand command shown above will search the mydomain.local domain for all security groups and expand any nested groups. Use the /E parameter if you want to save the results to a text file. There won't be anything displayed on the screen while the script runs, and it will overwrite any existing files with the same name. Needless to say, the account executing the script must have administrator rights for the computer, the OU or the domain being queried.
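What expanding nested membership involves for each group, as an added PowerShell example (not code from groupreportercli.wsf): it walks nested groups in a constructed in-memory directory and keeps a visited set so circular nesting cannot loop. The group names, the $Directory table and the Expand-GroupMembership function are hypothetical; a real domain adds one directory lookup per nested group, which is the cost to keep in mind in large domains.

```powershell
# Constructed sample data: group name -> direct members.
# A member that is itself a key in this table is treated as a nested group;
# anything else (including groups outside the table) is reported as an account.
$Directory = @{
    'Server Admins' = @('alice', 'Ops Team')
    'Ops Team'      = @('bob', 'Contractors')
    'Contractors'   = @('carol', 'Ops Team')   # circular nesting on purpose
    'Help Desk'     = @('dave')
}

function Expand-GroupMembership {
    param(
        [Parameter(Mandatory)] [string]    $Group,
        [Parameter(Mandatory)] [hashtable] $Directory
    )
    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    $users   = New-Object 'System.Collections.Generic.SortedSet[string]'
    $stack   = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($Group)

    while ($stack.Count -gt 0) {
        $current = $stack.Pop()
        # HashSet.Add returns $false for a group already walked: this is
        # what stops Ops Team <-> Contractors from looping forever.
        if (-not $visited.Add($current)) { continue }

        foreach ($member in $Directory[$current]) {
            if ($Directory.ContainsKey($member)) { $stack.Push($member) }
            else { [void]$users.Add($member) }
        }
    }

    [pscustomobject]@{
        Group          = $Group
        DirectMembers  = @($Directory[$Group])
        EffectiveUsers = @($users)          # sorted, de-duplicated accounts
        GroupsWalked   = $visited.Count     # lookups a real query would need
    }
}

# Report direct versus effective membership for every group in the sample.
foreach ($name in ($Directory.Keys | Sort-Object)) {
    $r = Expand-GroupMembership -Group $name -Directory $Directory
    '{0}: direct=[{1}] effective=[{2}] groups walked={3}' -f $r.Group,
        ($r.DirectMembers -join ', '), ($r.EffectiveUsers -join ', '), $r.GroupsWalked
}
```

The gap between the direct and effective lists for a privileged group is the part worth reviewing in an audit, since accounts that arrive through nesting do not show up in a one-level listing.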

Local group membership doesn't support nested groups, nor is recursion necessary. If you specify these parameters for a local computer, the HTA will ignore them. For that matter, there's no such thing as a local distribution group.

Remember to put any parameter values containing spaces in quotes -- and remember that these are all one-line commands (even though they may wrap here):

Cscript groupreportercli.wsf /s:allservers /e:servergroups.txt
Cscript groupreportercli.wsf /dn:OU=Employees,DC=MyDomain,DC=local /expand /recurse /e:"Employee Groups.txt"
Cscript groupreportercli.wsf /dn:"OU=Lists, DC=Company, DC=local" /recurse /t:distribution /e:"d:\reports\Company Distribution Lists.txt"

The output of this script is essentially the same as the Group Auditor HTA. For domain groups, you'll be able to determine not only members, but when the group was created and last modified, its type, manager, mail address and description, as well as the names of any groups to which it may belong. Now your help desk tech has a graphical tool to check group membership and a powerful command-line tool for organizational-level reporting.

About the Author

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MPCMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org. Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrators Guide. You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http://gplus.to/JeffHicks).


Reader Comments:

Sat, Aug 2, 2008 TJ Atlanta

command examples are wrong it says "cscript" param param
it should show
'cscript SCRIPT-NAME param param'
also, script gives "matching ';' not found:

grouplist.wsf(519, 14) Windows Script Host: Unterminated entity reference - matching ';' not found

Tue, Jan 8, 2008 DC Anonymous

This would be more useful if there was a way to choose which group you would like to pull the members of. There is not always a need to get ALL of them. Great tool otherwise!
