| Author | Messages | |
nidhinck
Posts:64
 | | 07/15/2010 4:33 PM |
| Hi,
I'm planning to do a group cleanup in my organization. I'm looking for a single script which will satisfy my below requirements. The output of all these requirements should be in a single Excel file.
Requirements
-----------------
1. Total no of Groups in my forest.
2. Creation date of group.
3. Owner of group.
4. Which are all the Empty groups in my forest.
5. No of members in single group.
--
Regards,
Nidhin.CK
Chennai
Phone No: +91 9884622467
| | | |
| kbatkbslpcom
Posts:194
 | | 07/15/2010 5:29 PM |
| Not sure why you want to limit it to a single script...and a single excel file.
But the DS* tools (dsquery, dsget) or ADFIND will do 90% of what you are asking (ADFIND maybe the other 10%, too!)...heck, powershell would probably work, too.
#3 will be interesting...what defines "owner" of a group (managedby field? Full control to it?) (maybe need something like DACLS depending upon the answer).
#4 and #5 are a sort in excel of the users data element (group "X" users=0; group "y" users=57, sort by number of users)
and #5 - how would you want to see nested groups - expanded or not?
Are you looking for the fish (i.e. "the" script) or are you looking for a fishing pole/bait (i.e. how to create it)?
| | | |
| RickSheikh
Posts:373
 | | 07/15/2010 5:39 PM |
| With PowerShell and Quest Cmdlets (albeit not exactly fitting your requirement in terms of output), you may use the following easy one-liners to find and export the information you are looking for:
See inline.
Requirements
-----------------
1. Total no of Groups in my forest.
get-qadgroup -sl 0 | measure-object
2. Creation date of group.
get-qadgroup -sl 0 | select name,whencreated,managedby | export-csv AllGroupswithDateandOwner.csv
3. Owner of group.
See above, I assume you meant owner as the person whose account is populated as the managing person
4. Which are all the Empty groups in my forest.
get-qadgroup -Empty $true -sizelimit 0
(use same above method to export)
5. No of members in single group.
get-qadgroupMember -SizeLimit 0 'domain users' -ldap "(&(!userAccountControl:1.2.840.113556.1.4.803:=2))" | Measure-Object
(finds enabled accounts only)
I think you get the idea.
Hope that helps.
| | | |
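The five requirements gathered into one CSV (which opens directly in Excel), as an added example that is not part of the original thread. It assumes the Microsoft ActiveDirectory module instead of the Quest cmdlets, treats "owner" as the managedBy attribute, and counts direct members only; the output file name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the Microsoft ActiveDirectory
# module (RSAT), PowerShell 3.0+, and that "owner" means managedBy.
Import-Module ActiveDirectory

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Accounts that use a group as their primary group are not listed in its
    # member attribute, so count them separately, keyed by the group's RID.
    $primaryCount = @{}
    Get-ADObject -Server $domain -LDAPFilter '(primaryGroupID=*)' -Properties primaryGroupID |
        Group-Object -Property primaryGroupID |
        ForEach-Object { $primaryCount[$_.Name] = $_.Count }

    Get-ADGroup -Server $domain -Filter * -Properties whenCreated, managedBy, member |
        ForEach-Object {
            $direct  = @($_.member).Count   # direct members only, nesting not expanded
            $primary = 0
            # primaryGroupID only refers to domain groups, not BUILTIN ones.
            if ($_.SID.AccountDomainSid) {
                $rid     = $_.SID.Value.Split('-')[-1]
                $primary = [int]$primaryCount[$rid]
            }
            [pscustomobject]@{
                Domain              = $domain
                Name                = $_.Name
                WhenCreated         = $_.whenCreated
                ManagedBy           = $_.managedBy
                DirectMembers       = $direct
                PrimaryGroupMembers = $primary
                # Empty only if nobody is a member by either route.
                IsEmpty             = (($direct + $primary) -eq 0)
                DistinguishedName   = $_.DistinguishedName
            }
        }
}

"Total groups in forest: $(@($report).Count)"
$report | Export-Csv -Path .\ForestGroupReport.csv -NoTypeInformation
```

Sorting the CSV on IsEmpty or DirectMembers in Excel gives the empty-group and member-count views; a group that looks empty by its member attribute alone may still be the primary group of many accounts, which is why the two counts are kept apart.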
| md_ib10
Posts:12
 | | 07/16/2010 5:18 PM |
|
Hi,
Is there any script to add permission for all users in netlogon shares for a particular OU?
All the users have lost their permissions for netlogon shares. Any script to add the authenticated users to ACL.
Thx/ Ibrahim
| | | |
| RickSheikh
Posts:373
 | | 07/16/2010 6:18 PM |
| The Netlogon share, i.e. c:\%systemroot%\SYSVOL\sysvol\yourdomain\scripts, has the NTFS permissions for "Authenticated Users" as Read&Execute.
Why reapply to the users only in a particular OU?
More importantly, what change triggered that effect?
I would run the dcdiag against the domain.
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
If the replication is fine, then just modify the ACL on one DC as mentioned above.
Not exactly relevant to your problem, but this confirms the type of permissions required for the 'Authenticated Users'
http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
| | | |
| md_ib10
Posts:12
 | | 07/16/2010 6:32 PM |
| In one of the sites the users were not able to get mapped drives and nobody is getting the logon.bat running... it seems the permissions have been removed (the ACL had been changed)
but there are a lot of site folders we have under sysvol-scripts - in order to take ownership of each folder below scripts in the security. Is there any script to apply these settings to all folders?
Hope that you are clear on my issue, or let me know if you require any further info.
Ibrahim
| | | |
| barkills
Posts:201
 | | 07/16/2010 7:23 PM |
| I keep wondering why you want a script as opposed to just making the change in the UI. I also wonder why inherited ACLs aren't an option.
The only reason I can come up with is that you've got a lot of file/folders with broken inheritance, and you want to retain that broken inheritance. So therefore, you need a script to programmatically set explicit ACEs on each file/folder with broken inheritance.
Assuming all those conclusions are true, there are a couple of problems you'll need to solve. First, you can't set the target of an ACE to be the objects within an OU. And by themselves, AD groups have no dynamic membership feature that'd allow you to easily make all the objects within an OU be a member. So you'd need to have a solution that created and maintained a group with the right members. That might be FIM or a script that runs periodically. Second, you'll need to set all the ACEs. There are many tools that you can use to programmatically set ACEs on files/folders, including cacls (which I see has been deprecated in favor of icacls) and others that I'm sure you'll hear about from others on this list.
| | | |
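Before setting any ACEs it helps to know which folders under the scripts share actually have broken inheritance or lack the "Authenticated Users" Read&Execute entry mentioned earlier in the thread. The following read-only audit is an added example, not code from any poster; the share path and output file name are placeholders.

```powershell
# Added example, not from the thread: read-only audit, it changes no ACLs.
# Assumes PowerShell 3.0+; $ScriptsPath is a placeholder for your scripts folder.
$ScriptsPath = '\\yourdomain\NETLOGON'
$authUsers   = 'S-1-5-11'   # well-known SID of Authenticated Users
$needed      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$items = @(Get-Item -LiteralPath $ScriptsPath) +
         @(Get-ChildItem -LiteralPath $ScriptsPath -Recurse -Force)

$audit = foreach ($item in $items) {
    $acl   = Get-Acl -LiteralPath $item.FullName
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Only the ACE the thread discusses is checked; access granted through
    # other groups (or removed by a Deny ACE) is not evaluated here.
    $grant = $rules | Where-Object {
        $_.IdentityReference.Value -eq $authUsers -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $needed) -eq $needed -and
        ($_.PropagationFlags -band $inheritOnly) -eq 0
    }
    [pscustomobject]@{
        Path              = $item.FullName
        InheritanceBroken = $acl.AreAccessRulesProtected
        Owner             = $acl.Owner
        AuthUsersHasRX    = [bool]$grant
    }
}

# Items that need attention: inheritance disabled or the expected ACE missing.
$audit | Where-Object { $_.InheritanceBroken -or -not $_.AuthUsersHasRX } |
    Export-Csv -Path .\NetlogonAclAudit.csv -NoTypeInformation
```

Running it against the same path on each DC and comparing the CSVs also shows whether the ACL change replicated or is local to one server.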