Archive: October, 2010

Documenting AD groups

1 comment October 29th, 2010

AD Group membership should be documented, but there are none good built-in MS tools that can do it for you (atleast that I’m aware of). You can use tools such as “dsget group” but you can’t pipe it to Excel and get it user/customer friendly 😐

Here is a script that will do the job for you. It requires that you have Excel installed.
If you don’t have Excel, it will work on a trial version that you’ll find here.

'------------------Save me as .vbs ----------------------------------------------
' The script searces for all AD groups (as you can specify) and writes
' the group name with the group manager and its members to an Excel spred sheet.
' One sheet per group.
' Privilages to run: "domain users"
' v.1.1
' rsoe(a)hotmail.com
' www.adfordummiez.com
'-------------------------------------------------------------------------------
On Error Resume Next
' -----CHANGE THIS CONSTANT SO IT REFLECTS YOUR DOMAIN NAME -------------
Const MyDomain = "dc=spurs,dc=local"
' If you don't want all built-in groups but only groups in a spesific OU:
' Const MyDomain = "ou=ChildOU,ou=ParentOU,dc=spurs,dc=local"
'------------------------------------------------------------------------
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
' Open Excel for writing
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add
' Find all groups
objCommand.CommandText = _
    "SELECT ADsPath, Name FROM 'LDAP://" & MyDomain & "' WHERE objectCategory='group'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)
 strGroupName = objRecordSet.Fields("Name").Value

 ' Find if the group has a manager
 strManagedBy = objGroup.Get("managedBy")
 If IsEmpty(strManagedBy) = FALSE Then
       strManager = strManagedBy  
    Else strManager = "-"
    End If
 ' Give the sheet the Group name. One sheet per group.
 objExcel.Sheets.Add.Name = strGroupName

 Err.Clear
 arrMemberOf = objGroup.GetEx("member")
 objExcel.Cells(1, 1).Value = "Members of " & strGroupName & ":"
 objExcel.Cells(2, 1).Value = "Managed by: " & strManager
 i = 3
 count = 0
    ' Check to see if the group contains users
 If Err.Number <> E_ADS_PROPERTY_NOT_FOUND then
    For Each strMemberOf in arrMemberOf
          Set objMember = GetObject("LDAP://" & strMemberOf)
       strMemberName = right(objMember.Name,len(objMember.Name)-3)
       objExcel.Cells(i, 1).Value = strMemberName
       set objMember = nothing
       i = i + 1
       count = count + 1
    Next
    objExcel.Cells(i, 1).Value = "Member count: " & count
    Else
       ' The group don't have any members
    objExcel.Cells(i, 1).Value = "Member count: " & count
 End If

 i = 0
 count = 0
 strManagedBy = ""
 objRecordSet.MoveNext
 Set objGroup = nothing
Loop
' EOF

The perfect excuse to buy an iPhone 4

No comments October 28th, 2010

Most of the phone calls the AD service desk receives are about user accounts that have been disabled or forgotten passwords.
This is a small task to handle if you have a task pad of ADUC in front of you.

It’s Saturday and you are watching a Tottenham game with a fellow Spurs fan at his place. You receive a call from your boss that has forgotten his AD password. He tells you reset his password *now*! 

Your friend doesn’t have an Internet connection, so you have to get down to the office to reset his bloody password. Arrrgg! 

I just bought an iPhone 4 and downloaded an app called “AD Helpdesk”. If you have one, you can watch the game and please your boss at the same time.

Setup a VPN connection on the phone to reach your internal network and start the App.

Search AD for his username and just reset his password from the app.

More about the app: http://adhelpdesk.com/