Mr. Roboto

Command Performance

This month, more fun with group membership with Mr. Roboto's Group Reporter HTA.

As Clint Eastwood once said as Dirty Harry in the movie Magnum Force: "A man's got to know his limitations." I've realized the graphical tool I gave you last month for reviewing group membership on local computers or domains has its own limitations.

For one, you could only report on one group at a time or check one server at a time. What if you wanted to check all groups or a list of servers? What if you wanted a report on all domain groups? A query like this could take a while, so you would have had to schedule it for non-production hours. The original HTA couldn't meet those needs.

Take Command
With that in mind, I developed a command-line version of Mr. Roboto's Group Reporter HTA. The file is a Windows Script File designed to run from a command line using CSCRIPT. For syntax help and a brief usage guide, run:

Cscript groupreportercli.wsf /?

You can use this tool to enumerate all groups and their members on a specified domain, a list of computers or all groups within a given Active Directory container. If you specify a computer name or a list of computers, it will enumerate all the local groups. Use this syntax to query all local groups on a specific computer:

Cscript groupreportercli.wsf /s:myserver23

If you prefer, you can also run through a list of computer names:

Cscript groupreportercli.wsf /L:servers.txt

There isn't any provision to grab a list of servers from an organizational unit (OU), but you can easily export such a list to a text file and use it here. When you specify a container or OU, it will enumerate all groups within that container. By default, the search won't enumerate any nested containers or OUs, but you can specify /recurse to find all groups in any child containers. If you want to search your entire domain, use this type of syntax:

Cscript groupreportercli.wsf /dn:DC=MyDomain,dc=local /recurse

You'll also be able to enumerate certain types of groups. Valid options are Security, Distribution or *. The default is * for all groups. Use the /expand parameter to expand any nested group membership. The default setting is to not expand nested groups. Use this option with caution, especially in large domains:

Cscript groupreportercli.wsf /dn:dc=mydomain,dc=local /recurse /expand /t:security

This command will search the mydomain.local domain for all security groups and expand any nested groups. Use the /E parameter if you want to save the results to a text file. There won't be anything displayed on the screen while the script runs, and it will overwrite any existing files with the same name. Needless to say, the account executing the script must have administrator rights for the computer, the OU or the domain being queried.

Roboto on Demand

Download Mr. Roboto's Group Reporter HTA at: Extract the script to any directory you want and open a command prompt.

What Windows admin task would you like Mr. Roboto to automate next? Send your suggestions to [email protected].

Local group membership doesn't support nested groups, nor is recursion so necessary. If you specify these parameters for a local computer, the HTA will ignore them. For that matter, there's no such thing as a local distribution group.
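To make the effect of /expand concrete, here is an added PowerShell example (not the column's script and not its code) that compares direct membership with expanded membership and guards against circular nesting. The group names, user names and the Expand-GroupMember helper are hypothetical, and the directory is a constructed in-memory table, so it runs without a domain.

```powershell
# Constructed sample directory: group name -> direct members.
# All names are illustrative; a member that is also a key is a nested group.
$Groups = @{
    'Sales'       = @('alice', 'bob', 'Sales-EMEA')
    'Sales-EMEA'  = @('carol', 'Contractors')
    'Contractors' = @('dave', 'Sales')   # circular nesting back to Sales
    'Helpdesk'    = @('erin')
}

function Expand-GroupMember {
    # Hypothetical helper: returns every user reachable through nested groups.
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Directory
    )
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $users = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Name)

    while ($queue.Count -gt 0) {
        $group = $queue.Dequeue()
        # Add() returns $false for a group already visited; skipping it
        # is what keeps a circular nesting from looping forever.
        if (-not $seen.Add($group)) { continue }

        foreach ($member in $Directory[$group]) {
            if ($Directory.ContainsKey($member)) {
                $queue.Enqueue($member)      # nested group: expand it later
            } else {
                [void]$users.Add($member)    # leaf account: record once
            }
        }
    }
    $users | Sort-Object
}

# Report direct versus expanded membership for every group.
foreach ($name in ($Groups.Keys | Sort-Object)) {
    $direct   = @($Groups[$name] | Where-Object { -not $Groups.ContainsKey($_) })
    $expanded = @(Expand-GroupMember -Name $name -Directory $Groups)
    '{0,-12} direct: {1,-10} expanded: {2}' -f $name, ($direct -join ','), ($expanded -join ',')
}
```

Each nested group costs another lookup, which is why expansion gets slow in large domains. The gap between the direct and expanded columns is the access a one-level report would miss.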

Remember to put any parameter values containing spaces in quotes -- and remember that these are all one-line commands (even though they may wrap here):

Cscript groupreportercli.wsf /s:allservers /e:servergroups.txt
Cscript groupreportercli.wsf /dn:OU=Employees,DC=MyDomain,DC=local /expand /recurse /e:"Employee Groups.txt"
Cscript groupreportercli.wsf /dn:"OU=Lists, DC=Company, DC=local" /recurse /t:distribution /e:"d:\reports\Company Distribution Lists.txt"

The output of this script is essentially the same as the Group Auditor HTA. For domain groups, you'll be able to determine not only members, but when the group was created and last modified, its type, manager, mail address and description, as well as the names of any groups to which it may belong. Now your help desk tech has a graphical tool to check group membership and a powerful command-line tool for organizational-level reporting.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

