Enumerate Active Directory Group Members
Script will enumerate group members, based on an Active Directory group name.
WEBINAR:
You Can't Detect What You Can't See: Illuminating the Entire Kill Chain
On-Demand Webinar
Want to share a script? Click here to contribute!
Author:
Shane Boudreaux
Platform:
Windows
Type:
Win
Description:
Script will enumerate group members, based on an Active Directory Group name.
Scroll down to view the script.
Enumerate Active Directory Group Members
''==================================
'' Enumerate Active Directory Group Members
'' Author: Shane Boudreaux
'' Start Date: 5/22/07
'' Last Modified: 5/22/07
''==================================
''==================================
'' GLOBAL DECLARES & CONSTANTS
''==================================
On Error Resume Next
Const ForAppending = 8
Const DOMAIN = "LDAP://DC=YourDomain,DC=com"
Const GROUPHEADER = "GROUP:"
Const GROUPFOOTER = "====================="
Dim groupName
'' prompt user for FULL group name
groupName = inputbox("Enter Full Group Name")
'' check if output file exists; create if doesn''t exist
fileExists "c:members.txt"
'' find the group and output members to text file
findGroup groupName
wscript.echo "DONE!"
'' display results text file
openFile
''========================
Private Sub findGroup(grp)
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 5000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = "SELECT ''distinguishedName'' FROM ''" & DOMAIN & "'' WHERE objectCategory=''group'' " & _
"AND Name=''" & grp & "*''"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
group = objRecordSet.Fields("distinguishedName").Value
getMembers group
objRecordSet.MoveNext
Loop
End Sub
''========================
''========================
Private Sub getMembers(grp)
Set objGroup = GetObject ("LDAP://" & grp)
objGroup.GetInfo
arrMemberOf = objGroup.GetEx("member")
text = GROUPHEADER & vbcrlf & vbtab & grp & vbcrlf & GROUPFOOTER & vbcrlf & "MEMBERS:" & vbcrlf & GROUPFOOTER & vbcrlf
For Each strMember in arrMemberOf
''Dim temp
''temp = pwdExpire(strMember)
''strMember = strMember & vbcrlf & temp
text = text & strMember & vbcrlf
Next
AppendToFile text
End Sub
''========================
''========================
Private Sub AppendToFile(text)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:members.txt", ForAppending)
If text <> "" Then
objFile.WriteLine text
Else
objFile.WriteLine "No Members OR Incorrect Input"
End If
objFile.Close
End Sub
''========================
''========================
Private Sub openFile()
Const WIN_STYLE = 4
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "notepad.exe c:members.txt", WIN_STYLE
End Sub
''========================
''================================
Private Sub fileExists(file)
'' NOTE: param file must be full path and file name!
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(file) Then
Exit Sub
Else '' Create File if DOESN''t Exist
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(file)
End If
End Sub
''================================
''===============================
Private Function pwdExpire(user)
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Dim retVal
Set objUserLDAP = GetObject("LDAP://" & user)
intCurrentValue = objUserLDAP.Get("userAccountControl")
If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
retVal = vbTab & "Password does NOT expire."
Else
dtmValue = objUserLDAP.PasswordLastChanged
retVal = vbTab & "The password was last changed on " & _
DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
vbTab & "The difference between when the password was last set" & _
"and today is " & int(now - dtmValue) & " days"
intTimeInterval = int(now - dtmValue)
Set objDomainNT = GetObject("WinNT://its")
intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
If intMaxPwdAge < 0 Then
retVal = retVal & vbcrlf & vbtab & vbtab & "The Maximum Password Age is set to 0 in the " & _
"domain. Therefore, the password does not expire."
Else
intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
retVal = retVal & vbcrlf & vbtab & vbtab & "The maximum password age is " & intMaxPwdAge & " days"
If intTimeInterval >= intMaxPwdAge Then
retVal = retVal & vbcrlf & vbtab & vbtab & "The password has expired."
Else
retVal = retVal & vbcrlf & vbtab & vbtab & "The password will expire on " & _
DateValue(dtmValue + intMaxPwdAge) & " (" & _
int((dtmValue + intMaxPwdAge) - now) & " days from today" & _
")."
End If
End If
End If
pwdExpire = retVal
End Function
''===============================
Disclaimer: We hope that the information in these pages is valuable to you. Your use of the information contained in these pages, however, is at your sole risk. All information on these pages is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by me. I shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.
0 Comments (click to add your comment)
Comment and Contribute
Top Stories
