enyomail | Posts: 3 | 04/27/2008 12:52 PM
Hello,
Does anyone know of a way to find and delete empty AD security groups?
Thanks
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
ZJORZ | Posts: 100 | 04/27/2008 1:32 PM
First retrieve, evaluate, and delete if needed afterwards:
Adfind -default -f "(&(sAMAccountType=268435456)(!(member=*)))" -dn
Kind regards,
Ing. Jorge de Almeida Pinto, Senior Consultant, MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | +31 (0)6 26.26.62.80 | +31 (0)33 454.69.50 | +31 (0)33 454.66.66 | Hardwareweg 4, 3821BM Amersfoort, The Netherlands | www.oxfordcomputergroup.com | Expertise in Identity & Access Management
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1 | MVP Home Site: https://mvp.support.microsoft.com/ | MVP Overview: https://mvp.support.microsoft.com/mvpexecsum | BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Enyo Sent: Sunday, April 27, 2008 18:49 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Find Empty Security Groups
listmail | Posts: 428 | 04/27/2008 4:03 PM
You need to query for any groups that have no values in the member attribute... Something like
adfind -b dc=domain,dc=com -f "&(objectcategory=group)(!(member=*))" -dn
If you just have a single domain, that could more generically be done with
adfind -default -f "&(objectcategory=group)(!(member=*))" -dn
Now if you want to pipe that output to another program (say AdMod or dsrm or something) you can use
adfind -default -f "&(objectcategory=group)(!(member=*))" -dsq
which outputs quoted DNs that are suitable for piping.
Now something you need to consider... The groups could be used as primary groups. If that is the case, the above query won't find out if a user is using that group... The membership is stored on the user's primaryGroupID attribute instead, specifically the RID of the group. So if you are looking at any global groups, then you need to do this second check for every global group returned in the query above. To get the RID of a given group without string parsing, you just need to ask for the primaryGroupToken attribute of the group.
So for example... To get the primary group token for Domain Admins using the single domain shortcut mentioned above (specifically -default)....
adfind -default -f name="domain admins" primarygrouptoken
That will return the value 512 (513 is Domain Users). Then you use that in a query to find members...
adfind -default -f primarygroupid=512 -dn
That will return the DNs of any objects that have that group as their primary group.
You can ascertain group scope by looking at the grouptype attribute... That attribute is a bit flag attribute (http://msdn2.microsoft.com/en-us/library/ms675935(VS.85).aspx), so you don't really want to check for absolute values; you want to do bitwise comparisons.
So if you wanted a single command to, say, move empty non-global groups to a container to hold temporarily (for later deletion; I don't think I would pipe a list like this directly to deletion...), it would look something like
adfind -bit -default -f "&(objectcategory=group)(!(member=*))(!(grouptype:AND:=2))" -dsq | admod -unsafe -move ou=groups_to_be_deleted,dc=domain,dc=com
The -unsafe means move as many as are found. You could instead use -upto xx where xx is the number you feel safe moving or you could use -safety xx where xx would be the number you want the whole command to bail out for if the number of groups exceeds that number.
As for the global groups, no other way than to use multiple LDAP queries which means you won't be using a single command line unless it is some script made to fit on a single line.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Enyo Sent: Sunday, April 27, 2008 12:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Find Empty Security Groups
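The two checks joe lays out above (no values in the member attribute, then nobody pointing at the group through primaryGroupID) together with the bitwise groupType test, worked through as an added Python example; this is not code from the thread, from adfind, or from the Quest cmdlets Bob mentions later. The directory objects are constructed sample data (AD attribute names, made-up values and DNs). It goes slightly beyond the text: the primaryGroupID cross-check runs against every group rather than only global ones, which is a safe superset of what joe describes, and the filter builder uses the bitwise AND matching rule OID instead of an absolute groupType comparison.

```python
# Added example (not from the thread): models the checks joe describes for
# deciding whether a group is really empty, plus groupType bit decoding.
# Every object below is constructed sample data, not a real domain.

# groupType flag bits (see the MSDN page linked in joe's post).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # LDAP bitwise AND rule

# Constructed groups: security global (-2147483646 = 0x80000002),
# security domain local (-2147483644 = 0x80000004), distribution global (2).
GROUPS = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
     "groupType": -2147483646, "primaryGroupToken": 513, "member": []},
    {"dn": "CN=Old Project,OU=Groups,DC=example,DC=com",
     "groupType": -2147483646, "primaryGroupToken": 1105, "member": []},
    {"dn": "CN=Printer Admins,OU=Groups,DC=example,DC=com",
     "groupType": -2147483644, "primaryGroupToken": 1106, "member": []},
    {"dn": "CN=Helpdesk,OU=Groups,DC=example,DC=com",
     "groupType": -2147483646, "primaryGroupToken": 1107,
     "member": ["CN=Alice,OU=Staff,DC=example,DC=com"]},
    {"dn": "CN=Newsletter,OU=Groups,DC=example,DC=com",
     "groupType": 2, "primaryGroupToken": 1108, "member": []},
]
# Constructed accounts; primaryGroupID holds the RID of the primary group.
USERS = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=svc-legacy,OU=Service,DC=example,DC=com", "primaryGroupID": 1105},
]


def to_unsigned32(value):
    """AD stores groupType as a signed 32-bit int; normalise so bit tests work."""
    return value & 0xFFFFFFFF


def has_bits(value, mask):
    return (to_unsigned32(value) & mask) == mask


def is_security_enabled(group_type):
    return has_bits(group_type, GROUP_TYPE_SECURITY_ENABLED)


def group_scope(group_type):
    """Decode scope from the flag bits rather than comparing absolute values."""
    for bit, name in ((GROUP_TYPE_GLOBAL, "global"),
                      (GROUP_TYPE_DOMAIN_LOCAL, "domainLocal"),
                      (GROUP_TYPE_UNIVERSAL, "universal")):
        if has_bits(group_type, bit):
            return name
    raise ValueError(f"no scope bit set in groupType {group_type}")


def empty_group_filter(exclude_scope=None):
    """joe's 'no member values' filter; an optional scope is excluded with a
    bitwise AND clause instead of (!(groupType=2))."""
    clauses = ["(objectCategory=group)", "(!(member=*))"]
    if exclude_scope is not None:
        clauses.append(
            f"(!(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={exclude_scope}))")
    return "(&" + "".join(clauses) + ")"


def primary_group_filter(token):
    """Second query: accounts whose primary group is the given RID."""
    return f"(primaryGroupID={token})"


def primary_group_holders(groups, users):
    """primaryGroupToken -> DNs that use that group as primary group,
    i.e. the membership the member attribute does not show."""
    by_token = {g["primaryGroupToken"]: [] for g in groups}
    for user in users:
        if user["primaryGroupID"] in by_token:
            by_token[user["primaryGroupID"]].append(user["dn"])
    return {tok: dns for tok, dns in by_token.items() if dns}


def looks_empty_but_is_primary(groups, users):
    """Groups the member-only query would wrongly report as empty."""
    holders = primary_group_holders(groups, users)
    return [g["dn"] for g in groups
            if not g["member"] and g["primaryGroupToken"] in holders]


def find_empty_groups(groups, users, security_only=True):
    """DNs with no member values and nobody pointing at them via primaryGroupID."""
    holders = primary_group_holders(groups, users)
    return [g["dn"] for g in groups
            if not g["member"]
            and g["primaryGroupToken"] not in holders
            and (not security_only or is_security_enabled(g["groupType"]))]


if __name__ == "__main__":
    print("filter:", empty_group_filter(exclude_scope=GROUP_TYPE_GLOBAL))
    print("primary-group trap:", looks_empty_but_is_primary(GROUPS, USERS))
    print("truly empty security groups:", find_empty_groups(GROUPS, USERS))
```

In the sample data the member-only query reports four groups as empty, two of which (Domain Users and Old Project) still have accounts attached through primaryGroupID; only Printer Admins survives both checks as an empty security group. That gap is why joe suggests moving candidates to a holding container rather than piping straight into a delete.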
RobertBobel | Posts: 7 | 04/29/2008 8:32 AM
PowerShell AD CMDLETS 1.1 (public beta) supports the following command...
Get-QADGroup -sl 0 -GroupType Security -Empty $true | Remove-QADObject -Confirm
-sl = sizelimit; by default we only return 1k items, and by setting this to zero the limit is removed.
Bob
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Enyo Sent: Sunday, April 27, 2008 12:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Find Empty Security Groups
listmail | Posts: 428 | 04/29/2008 8:57 AM
Hey Bob, does this take primary group membership into account, or is it just checking the member attribute?
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Bobel Sent: Tuesday, April 29, 2008 8:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Find Empty Security Groups
dmitrig | Posts: 59 | 04/29/2008 11:28 AM
A side note: a search for (!(member=*)) is inefficient. So, if you have lots and lots of [non-empty] groups, it may start timing out. The sad thing is that there's no workaround...
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Sunday, April 27, 2008 2:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Find Empty Security Groups
RobertBobel | Posts: 7 | 04/30/2008 8:08 AM
Yes, we do consider it.
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Tuesday, April 29, 2008 8:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Find Empty Security Groups
listmail | Posts: 428 | 04/30/2008 9:19 AM
Oh now see, this is the kind of thing that could get me to run PowerShell for something.
I am now immensely curious as to what you are doing in the background in that cmdlet... Questions such as: are you using legacy API stuff, ADSI NT provider stuff (i.e. legacy API stuff), or are you pulling the member attribute and primary group token for every object and then following up with queries for the primaryGroupIDs on all of the user objects for every global group... Etc. How efficient this is in the backend is what I wonder. I may have to download the stuff and get a network trace.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Bobel Sent: Wednesday, April 30, 2008 8:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Find Empty Security Groups