This month, more fun with group membership with Mr. Roboto's Group Reporter HTA.
- By Jeffery Hicks
As Clint Eastwood once said as Dirty Harry in the movie Magnum Force
"A man's got to know his limitations." I've realized the graphical
tool I gave you last
for reviewing group membership on local computers or domains has its
For one, you could only report on one group at a time or check one server at
a time. What if you wanted to check all groups or a list of servers? What if
you wanted a report on all domain groups? A query like this could take a while,
so you would have had to schedule it for non-production hours. The original
HTA couldn't meet those needs.
With that in mind, I developed a command-line version of Mr. Roboto's Group
Reporter HTA. The file is a Windows Script File designed to run from a command
line using CSCRIPT. For syntax help and a brief usage guide, run:
Cscript groupreportercli.wsf /?
You can use this tool to enumerate all groups and their members on a specified
domain, a list of computers or all groups within a given Active Directory container.
If you specify a computer name or a list of computers, it will enumerate all
the local groups. Use this syntax to query all local groups on a specific computer:
If you prefer, you can also run through a list of computer names:
There isn't any provision to grab a list of servers from an organizational
unit (OU), but you can easily export such a list to a text file and use it here.
When you specify a container or OU, it will enumerate all groups within that
container. By default, the search won't enumerate any nested containers or OUs,
but you can specify or recurse to find all groups in any child containers. If
you want to search your entire domain, use this type of syntax:
Cscript /dn:DC=MyDomain,dc=local /recurse
You'll also be able to enumerate certain types of groups. Valid options are
Security, Distribution or *. The default is * for all groups. Use the /expand
parameter to expand any nested group membership. The default setting is to not
expand nested groups. Use this option with caution, especially in large domains:
Cscript /dn:dc=mydomain,dc=local /recurse /expand /t:security
Roboto's Group Reporter HTA at: www.jdhitsolutions.com/scripts.
Extract the script to any directory you want and open a command
What Windows admin task would you like Mr. Roboto to automate
next? Send your suggestions to firstname.lastname@example.org.
This command will search the mydomain.local domain for all security groups
and expand any nested groups. Use the /E parameter if you want to save the results
to a text file. There won't be anything displayed on the screen while the script
runs, and it will overwrite any existing files with the same name. Needless
to say, the account executing the script must have administrator rights for
the computer, the OU or the domain being queried.
Local group membership doesn't support nested groups, nor is recursion so necessary.
If you specify these parameters for a local computer, the HTA will ignore them.
For that matter, there's no such thing as a local distribution group.
Remember to put any parameter values containing spaces in quotes -- and remember
that these are all one-line commands (even though they may wrap here):
Cscript /s:allservers /e:servergroups.txt
Cscript /dn:OU=Employees,DC=MyDomain,DC=local /expand /recurse /e:"Employee
Cscript /dn:"OU=Lists, DC=Company, DC=local" /recurse /t:distribution
/e:"d:\reports\Company Distribution Lists.txt"
The output of this script is essentially the same as the Group Auditor HTA.
For domain groups, you'll be able to determine not only members, but when the
group was created and last modified, its type, manager, mail address and description,
as well as the names of any groups to which it may belong. Now your help desk
tech has a graphical tool to check group membership and a powerful command-line
tool for organizational-level reporting.
Jeffery Hicks is a multi-year Microsoft MVP in Windows PowerShell, Microsoft Certified Professional and an IT veteran with almost 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff is a regular contributor to a variety on online sites, as well as frequent speaker at technology conferences and user groups. Keep up with Jeff and his projects at http://jdhitsolutions.com/blog.