Mr. Roboto

Membership Has Its Privileges

It's getting harder and harder to track who belongs to what group. Mr. Roboto's Group Auditor can help make membership management easier.

Keeping track of group membership wasn't especially difficult in the old days. Groups were relatively simple. Windows NT didn't even allow for nested groups.

These days, we have a greater task with group management in Active Directory. Knowing who belongs to a particular group is extremely important, especially when it's a security-sensitive group like Domain Administrators or the local Administrators group on a critical server.

I've come up with a simple graphical tool that will help you get a handle on the reach of any group's membership. Like most of Mr. Roboto's tricks, the Group Auditor is an HTML Application (HTA). It uses ADSI to query local computer groups and AD groups, including nested groups.

After you launch the HTA, select either Local Computer or Active Directory from the drop-down list. If you select Local Computer, the selection field will be automatically populated with the local computer name. However, you can always enter the name of any computer for which you have administrative credentials.

Click the Get Groups button and the Group Auditor will query the computer and return a list of all local groups. Select a group and click Get Members. After a moment, you'll see a list of all members. The list uses the ADSI path of each member so you can easily differentiate between a local user account or group and a domain user account or group.

Group Therapy
Getting group information for an AD group is just as easy. Select Active Directory from the drop-down list. The distinguished name of your AD domain will be pre-populated in the list. Assuming you have adequate credentials, you can then edit this field to find groups in a specific organizational unit, container or another domain.

By default, the Group Auditor will only search for groups in the root of the specified AD container. However, you can check the Recurse box if you want to search for groups in all child containers as well. Use this feature with caution if you have a large number of groups or child containers to search. By default, it will return all selected groups, but you can opt to return only security-enabled groups or distribution groups.

The query will populate the selection drop-down of discovered groups. You'll have several options with AD groups. First, you can return a simple list of all immediate group members. If you use nested groups, you can also instruct the Group Auditor to expand group membership to cover any nested groups. This will give you a more accurate representation of who belongs to a group.

The last option is to force user expansion by the primary group. Here's where this may be important. If you select Domain Users, you probably won't get any members. When you choose the Force Expansion option, the Group Auditor searches for every user account whose primary group ID matches the primary group token of the selected group. Use this one with caution as well.

Roboto on Demand

Download Mr. Roboto's Group Auditor at: www.jdhitsolutions.com/scripts. Extract the .ZIP file to any directory you want and add a shortcut to the HTA to your desktop or start menu.

What Windows admin task would you like Mr. Roboto to automate next? Send your suggestions to jhicks@redmondmag.com.

Members Only
Unless you've modified a user's primary group, you shouldn't need to worry about this. If you check Domain Users and actually do see someone listed, you'll know that user account has been modified. If you check the account's primary group, however, you won't see the user listed when you query that group.

The group membership query will also return additional information about the group, such as the group description, its manager, its e-mail address, when it was created and when it was last modified. Once you've queried for a list of group members, you can print a report that will include the group name, details and membership. You can also query another group.

Now you have a tool to easily check group membership. If this is something you're trying to bring under control, I'd recommend you start with mission-critical and sensitive groups to ensure that they're appropriately populated. As those American Express ads say, "Membership has its privileges."

About the Author

Jeffery Hicks is a multi-year Microsoft MVP in Windows PowerShell, Microsoft Certified Professional and an IT veteran with almost 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff is a regular contributor to a variety on online sites, as well as frequent speaker at technology conferences and user groups. Keep up with Jeff and his projects at http://jdhitsolutions.com/blog.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.