This script, run on your Active Directory controller, will give you an HTML display of all users in Active Directory based on group. This is a very handy script for me as I use it to run a weekly internal audit report for our operations management. I’m not sure of the exact source of this code. I know I didn’t write it from scratch, but I believe I piecemealed it together over time about a year or so ago. If I find the original author, or if you are the original author, please let me know and I’ll make sure to give full credit.
Copy and paste this into a file named: DocumentGroup.vbs. Double-click it, and a pop-up will let you know when it’s done. Look for the output file and you are good to go.
Posting this in hopes to keep it forever and to share with others!
' As seen on http://crimm.me
' DocumentGroups.vbs
' VBScript program to document all groups in Active Directory.
' Outputs group name, type of group, all members, and types of member.
' Lists all groups that are members, but does not list the nested group
' membership.
'
' ----------------------------------------------------------------------
'
' This script can be double clicked or run at a command prompt, using the
' Cscript host. The output can be redirected to a text file.
' For example:
' cscript //nologo DocumentGroups.vbs > groups.txt

Option Explicit

Dim adoConnection, adoCommand, objRootDSE, strDNSDomain, strQuery
Dim adoRecordset, strDN, objGroup

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Search for all groups, return the Distinguished Name of each.
strQuery = "<LDAP://" & strDNSDomain _
    & ">;(objectClass=group);distinguishedName;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

Set adoRecordset = adoCommand.Execute

If (adoRecordset.EOF = True) Then
    Wscript.Echo "No groups found"
    adoRecordset.Close
    adoConnection.Close
    Set objRootDSE = Nothing
    Set adoConnection = Nothing
    Set adoCommand = Nothing
    Set adoRecordset = Nothing
    Wscript.Quit
End If

' Enumerate all groups, bind to each, and document group members.
Do Until adoRecordset.EOF
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Escape any forward slash characters with backslash.
    strDN = Replace(strDN, "/", "\/")
    Set objGroup = GetObject("LDAP://" & strDN)
    Wscript.Echo objGroup.sAMAccountName _
        & " (" & GetType(objGroup.groupType) & ")"
    Call GetMembers(objGroup)
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Clean up.
adoConnection.Close
Set objRootDSE = Nothing
Set objGroup = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
Set adoRecordset = Nothing

Function GetType(ByVal intType)
    ' Function to determine group type from the GroupType attribute.
    If ((intType And &h01) <> 0) Then
        GetType = "Built-in"
    ElseIf ((intType And &h02) <> 0) Then
        GetType = "Global"
    ElseIf ((intType And &h04) <> 0) Then
        GetType = "Local"
    ElseIf ((intType And &h08) <> 0) Then
        GetType = "Universal"
    End If
    If ((intType And &h80000000) <> 0) Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function

Sub GetMembers(ByVal objADObject)
    ' Subroutine to document group membership.
    ' Members can be users or groups.
    Dim objMember, strType
    For Each objMember In objADObject.Members
        If (UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP") Then
            strType = "Group"
        Else
            strType = "User"
        End If
        Wscript.Echo " Member: " & objMember.sAMAccountName _
            & " (" & strType & ")"
    Next
    Set objMember = Nothing
End Sub
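For a recurring audit, the useful signal is what changed between two runs. The following is an added example, not part of the original script: Python that parses the text produced by `cscript //nologo DocumentGroups.vbs > groups.txt` and lists groups and members added or removed between two reports. The function names and the sample report text are constructed for illustration, and the line format is assumed from the script's `Wscript.Echo` calls.

```python
import re

# Line shapes assumed from the script's Wscript.Echo calls (cscript output).
GROUP_RE = re.compile(r"^(\S.*) \(([^()]*/(?:Security|Distribution))\)$")
MEMBER_RE = re.compile(r"^\s+Member: (.+) \((Group|User)\)$")

def parse_report(text):
    """Return {group: {"type": str, "members": set of (name, kind)}}."""
    groups, current = {}, None
    for line in map(str.rstrip, text.splitlines()):
        m, g = MEMBER_RE.match(line), GROUP_RE.match(line)
        if m and current is not None:
            groups[current]["members"].add((m.group(1), m.group(2)))
        elif g:
            current = g.group(1)
            groups[current] = {"type": g.group(2), "members": set()}
    return groups

def diff_reports(old_text, new_text):
    """List group and membership changes between two runs, in sorted order."""
    old, new = parse_report(old_text), parse_report(new_text)
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append(("group added", name, new[name]["type"]))
        elif name not in new:
            changes.append(("group removed", name, old[name]["type"]))
        before, after = (s.get(name, {"members": set()})["members"] for s in (old, new))
        for member, kind in sorted(after - before):
            changes.append(("member added", name, f"{member} ({kind})"))
        for member, kind in sorted(before - after):
            changes.append(("member removed", name, f"{member} ({kind})"))
    return changes

# Constructed sample output from two weekly runs (not real directory data).
LAST_WEEK = """Domain Admins (Global/Security)
 Member: alice (User)
Helpdesk (Global/Security)
 Member: bob (User)
"""
THIS_WEEK = """Domain Admins (Global/Security)
 Member: alice (User)
 Member: bob (User)
Helpdesk (Global/Security)
VPN Users (Universal/Security)
 Member: Helpdesk (Group)
"""

if __name__ == "__main__":
    print(*diff_reports(LAST_WEEK, THIS_WEEK), sep="\n")
```

Because the script labels every non-group member as "User", computer accounts and other object types appear under that label in the diff as well.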



