|
|
Hello all, I really hope someone can help.
I've got quite a complex need for a script; I'll do my best to explain it in simple terms.
I need a script that can do the following.
1. Display a prompt for a user ID to be entered
2. Find all the groups that user is a member of
3. Query each group against a comparison table (SQL table, text file, Excel spreadsheet, whichever is easiest for the script)
4. Query the groups against a second comparison table
5. Write all the groups to a file, one group per line, and if possible alphabetically, with the following rules:
   a. If there is no match in either table, simply write the group name
   b. If there is a match in the first table, prefix it with "Restricted Group" and write the group name
   c. If there is a match in table two, prefix it with "Exchange Group" and write the group name
6. Open the text file for viewing.
Hopefully the results should look something like this.....
Group A
Group B
Group E
Group H
Restricted Group C
Restricted Group F
Exchange Group D
Exchange Group G
Context: The need for this is that we get a lot of requests from our business asking us to mirror one user on another. The problem is that a lot of groups are owned by a specific person (we have about 1500 groups like this) and I need a way to filter out restricted groups.
Can anyone help? Is this possible?
Thanks
|
|
Hi,
Someone will probably post something more complicated than this, but this is simple and works. It is a batch file that accepts the user DN as a parameter and compares the groups it is a member of to two files called resgroups.txt and exchgroups.txt. Each of these files has the DN of each group that belongs in that category, one per line.
It might need some modifications for spaces in group names and user names.
If you don't have the DN of the user you could always pipe the output of a dsquery command to it like this:
dsquery user -samid Administrator | findgroups.cmd
Here is the script:
-->8
@ECHO OFF
SETLOCAL
REM Usage: findgroups.cmd "<user DN>"
REM resgroups.txt / exchgroups.txt: one group DN per line (quotes optional).
SET RESTRICTED=
SET EXCHANGE=
REM dsget prints each group DN on its own line, in quotes. delims= keeps the
REM whole line (DNs contain commas) and "%%~a" re-quotes it so CALL passes
REM the DN as a single argument even when the CN contains spaces.
for /f "usebackq delims=" %%a in (`dsget user %1 -memberof`) do call :findgroups "%%~a"
goto end

:findgroups
REM %~1 strips the quotes so the comparison works whether or not the list
REM files quote their DNs; /I because DNs are not case-sensitive in AD.
for /f "delims=" %%b in (resgroups.txt) do IF /I "%%~b"=="%~1" SET RESTRICTED=Restricted
for /f "delims=" %%c in (exchgroups.txt) do IF /I "%%~c"=="%~1" SET EXCHANGE=Exchange
REM Redirect first so a DN ending in a digit is not read as a handle number.
>>output.txt ECHO %RESTRICTED%,%EXCHANGE%,%~1
SET RESTRICTED=
SET EXCHANGE=
exit /b

:end
-->8
"Simon G" <SimonG[ at ]discussions.microsoft.com> wrote in message news:C080BCAE-9B38-483E-8566-5F2D93C194B4[ at ]microsoft.com...
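The same report in PowerShell, as an added example that is not part of Jeremy's post or of the original thread. It assumes the RSAT ActiveDirectory module (Get-ADPrincipalGroupMembership) for the live lookup and reads the same resgroups.txt and exchgroups.txt files, one group DN per line; the parameter names, New-DnSet, Format-GroupReport and the example.com DNs are my own. It adds what the batch version leaves out: the prompt Simon asked for in step 1, case-insensitive DN comparison (AD DNs are not case-sensitive, IF [..]==[..] is), the output order of his sample (unflagged groups, then Restricted, then Exchange, each block sorted), a visible flag for a group that appears in both tables, and opening the file at the end. Run with -Demo to exercise the classification on constructed data without a domain.

```powershell
# Added example, not Jeremy's script: the same report in PowerShell.
# Assumes the RSAT ActiveDirectory module for the live lookup. The comparison
# tables are the same resgroups.txt / exchgroups.txt files Jeremy uses, one
# group DN per line. -Demo runs the classification on constructed data only.
param(
    [string]$UserId,
    [string]$RestrictedFile = 'resgroups.txt',
    [string]$ExchangeFile   = 'exchgroups.txt',
    [string]$OutFile        = 'output.txt',
    [switch]$Demo
)

# DNs are not case-sensitive in AD, and the batch IF [..]==[..] is, so the
# lookup tables go into a case-insensitive set.
function New-DnSet([string[]]$Dns) {
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $Dns) {
        $clean = $dn.Trim().Trim('"')        # tolerate quoted DNs as dsget prints them
        if ($clean) { [void]$set.Add($clean) }
    }
    return $set
}

function Read-DnSet([string]$Path) {
    $lines = if (Test-Path $Path) { @(Get-Content $Path) } else { @() }
    return New-DnSet $lines
}

# Classify each group and return the lines in the order Simon asked for:
# unflagged groups first, then Restricted, then Exchange, each block sorted.
function Format-GroupReport {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Groups,   # Name + DistinguishedName
        [Parameter(Mandatory)]$RestrictedSet,
        [Parameter(Mandatory)]$ExchangeSet
    )
    $plain = @(); $restricted = @(); $exchange = @()
    foreach ($g in $Groups) {
        $isRes  = $RestrictedSet.Contains($g.DistinguishedName)
        $isExch = $ExchangeSet.Contains($g.DistinguishedName)
        if ($isRes -and $isExch) {
            # Al's first question: a group in both tables is a data error; make it visible
            $restricted += "Restricted Group $($g.Name) (also listed as Exchange - check the tables)"
        } elseif ($isRes)  { $restricted += "Restricted Group $($g.Name)" }
        elseif ($isExch)   { $exchange   += "Exchange Group $($g.Name)" }
        else               { $plain      += $g.Name }
    }
    return @($plain | Sort-Object) + @($restricted | Sort-Object) + @($exchange | Sort-Object)
}

if ($Demo) {
    # Constructed sample data, not from a real directory.
    $groups = 'A','B','C','D','E','F','G','H' | ForEach-Object {
        [pscustomobject]@{ Name = "Group $_"; DistinguishedName = "CN=Group $_,OU=Groups,DC=example,DC=com" }
    }
    $resSet  = New-DnSet @('CN=Group C,OU=Groups,DC=example,DC=com', 'cn=group f,ou=groups,dc=example,dc=com')
    $exchSet = New-DnSet @('"CN=Group D,OU=Groups,DC=example,DC=com"', 'CN=Group G,OU=Groups,DC=example,DC=com')
} else {
    if (-not $UserId) { $UserId = Read-Host 'Enter the user ID (sAMAccountName)' }   # step 1
    Import-Module ActiveDirectory
    # Direct memberships only, the same as dsget -memberof; nested groups are not expanded.
    $groups  = @(Get-ADPrincipalGroupMembership -Identity $UserId | Select-Object Name, DistinguishedName)
    $resSet  = Read-DnSet $RestrictedFile
    $exchSet = Read-DnSet $ExchangeFile
}

$lines = Format-GroupReport -Groups $groups -RestrictedSet $resSet -ExchangeSet $exchSet
Set-Content -Path $OutFile -Value $lines                                          # step 5
if ($Demo) { $lines } else { Start-Process notepad.exe -ArgumentList $OutFile }  # step 6
```

Saved as Get-GroupReport.ps1, `.\Get-GroupReport.ps1 -Demo` prints the eight sample lines in the order of Simon's expected output (the lower-case and quoted DNs in the demo tables still match); without -Demo it prompts for the sAMAccountName, reads the two list files, writes output.txt and opens it in Notepad for review.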
|
|
Hopefully Jeremy's batch solution will suffice for your purposes, but...
A few details occur to me:
- what should happen if some groups appear in both tables: should it be flagged restricted exchange, or as an error of some type?
- if userA is a member of groupB, while groupC has groupB as a member, but not userA, would you consider userA a member of groupC for the purposes of this exercise?
And a few questions:
I assume that "mirroring" requests are to give some new person the same access rights/group membership/permissions as another person, likely so they have access to the resources required to do some specific job. Would this involve taking away some permissions or only adding those the person does not already have? If you do not take away rights, the net effect will eventually be that most people will wind up with more permissions than they need. For example, Bill from finance is to mirror Joan from HR - he now has permissions to finance and HR information. Later Alice from staff relations is to take over from Bill in order to perform the HR functions - she now has permissions to finance, HR, and staff relations information.
Am I to understand that your group (IT support?) will action these mirroring requests by assigning memberships associated with the person being mirrored, but with the exception of the restricted groups (i.e. those owned by an individual)? Would the request then be forwarded to those affected group owners for their consideration?
If so and this is an oft-repeated scenario, here are a few suggested approaches:
Use the "managed by" attribute to assign the ownership; unrestricted groups could then have no ownership. Instead of comparing groups against the restricted list, simply look at who the group is "managed by". If by nobody, it is not a restricted group and the script can just add the person. If there is a need to ask the individual group owners to consider adding the person as well, then have your script send each affected group owner a list of the groups that the person needs to be added to.
/Al
"Jeremy" <jeremy[ at ]discussions.microsoft.com> wrote in message news:1D4C818C-C3B1-409F-B035-12A8155762A7[ at ]microsoft.com...
|
|
The nested groups thing was the first "gotcha" I figured Simon would have once he started working things out. But at least I had some fun writing the script.
"Al Dunbar" <AlanDrub[ at ]hotmail.com.nospaam> wrote in message news:eo1h0I%23lHHA.3928[ at ]TK2MSFTNGP02.phx.gbl...
|
|
Jeremy
Thanks for your batch file, that does work nicely. It's not as user friendly as I'd like (there will be some junior staff doing this sort of thing and some of them aren't the brightest sparks) but it's definitely a big help. Thanks again.
Al
In response to some of your questions.
We aren't yet nesting groups so this doesn't apply.....yet - and to be honest, the type of groups they are, they are unlikely to be nested. We are considering creating some template groups based on job roles, however these restricted groups will be left out as the owner still wants control over them.
A group can't be restricted and exchange. The restricted groups are security groups we apply to certain folders, the exchange groups are Exchange distribution lists, we wouldn't use one for both; if we have a need, we create two groups, one for the folder and one for the distribution list.
This is mainly for new starters to the group. We get a request to mirror a current colleague, we can scan over the groups to check that the permissions are correct from the existing user. Should a staff member move, we strip the account and rebuild it based on the new area they are moving to.
I don't need the script to actually add or remove the groups from the user, it's more about producing the text file for review, as there still may be certain groups that are not relevant.
I'm intrigued by the managed by function. What abilities would someone have over the group they manage? Do they have the ability to add users themselves? If so that would be no good. Also, can you have multiple managers (as this is the case with the groups)?
|
|
If I am reading this right, Al is simply suggesting the use of the "Managed by" attribute on each group as the flag that identifies it as restricted in some way.
So you could write a script that loops through all the groups and sets the "found" flags depending on whether or not the "Managed By" attribute is set to "Restricted" or "Exchange" or some other actual AD object. You could do the same thing with the description field or some other field.
If you wanted something more graphical, an HTA application that uses VBScript to talk to the directory would make it nicer. That vbscript only took me 5 minutes to write and test. A vbscript would take about 30 minutes and an HTA much longer (since I haven't taught myself HTA yet). I'm usually not in the business of writing scripts for people on these forums, but I wanted to show you could do this task with a batch script rather than something more complicated.
You could incorporate the querying of a particular group attribute to determine if it were special in some way rather than looping through two different text files. This would make it cleaner. You could also add a header row to the output file, then open it in Excel.
"Simon G" <SimonG[ at ]discussions.microsoft.com> wrote in message news:81C0C7CC-75F7-4288-B67E-A6330D9E4407[ at ]microsoft.com...
|
|
Yes, that was my idea. As an aside, though, designating a person as a "manager" of a group might give that person permission to modify the group, and I agree with Simon that that is not an ideal situation. I had thought of the description field too, but that is a pretty heavy limitation to put on that field. We often use it to give the path to the resource that the group has some sort of permission on...
See some further comments in-line below...
"Jeremy" <jeremy[ at ]discussions.microsoft.com> wrote in message news:F56F5103-8D7F-4A44-A7DB-C5F0D8448E17[ at ]microsoft.com...
> "Simon G" <SimonG[ at ]discussions.microsoft.com> wrote in message
> news:81C0C7CC-75F7-4288-B67E-A6330D9E4407[ at ]microsoft.com...
>> Jeremy
>>
>> Thanks for your batch file, that does work nicely. It's not as user
>> friendly as I'd like (there will be some junior staff doing this sort of
>> thing and some of them aren't the brightest sparks) but it's definitely a
>> big help. Thanks again.
LOL. Let's hope they are dim enough to not be able to find your comments here...
>> Al
>>
>> In response to some of your questions.
>>
>> We aren't yet nesting groups so this doesn't apply.....yet - and to be
>> honest, the type of groups they are, they are unlikely to be nested. We
>> are considering creating some template groups based on job roles, however
>> these restricted groups will be left out as the owner still wants control
>> over them.
Although you have a tangly knot to loosen up, it appears that you have already given some thought as to the functions that your groups are performing, which should help you avoid even stickier problems.
Our approach is that we have a one-to-one relationship between each permitted resource and its permit type (read, change) and the "resource permissions" groups. Once a folder is created it is permitted once and once only, allowing us to manage access to the resource through group memberships alone. Since no two folders are permitted to the same group, we never have the issue that we cannot take away one person's access to one resource because that would interfere with his necessary access to another.
We also have job functional/departmental groups used simply to classify users. Ideally, we then populate the resource permissions groups with groups containing individuals and/or other groups as makes sense, yielding a kind of generic configuration. Then we spend most of our group management time dealing with the exceptional cases.
We have a concept similar to your restricted groups, except that we generally consider each resource to have either an owner/manager who advises us who to add or remove, or a kind of rule-based thing: if you are in finance you are added to the finance group without having to ask the finance manager.
>> A group can't be restricted and exchange. The restricted groups are
>> security groups we apply to certain folders, the exchange groups are
>> Exchange distribution lists, we wouldn't use one for both; if we have a
>> need, we create two groups, one for the folder and one for the
>> distribution list.
Same here (although it sometimes seems like an unfortunate duplication of effort). You had used the term "exchange" before, but had not specifically stated this meant a distribution list. But rather than maintain a list of distribution lists to compare, you could just determine whether a group is a distribution list or a security group based on its characteristics.
>>
>> This is mainly for new starters to the group. We get a request to mirror
>> a current colleague, we can scan over the groups to check that the
>> permissions are correct from the existing user. Should a staff member
>> move, we strip the account and rebuild it based on the new area they are
>> moving to.
Sounds good.
>> I don't need the script to actually add or remove the groups from the
>> user, it's more about producing the text file for review, as there still
>> may be certain groups that are not relevant.
Fair enough. And that possibility was why I did not jump in and write the code for you... ;-)
>> I'm intrigued by the managed by function. What abilities would someone
>> have over the group they manage? Do they have the ability to add users
>> themselves? If so that would be no good. Also, can you have multiple
>> managers (as this is the case with the groups)?
I answered part of this above but did not mention that it is not possible to have multiple managers or to assign managership to a group.
/Al
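Both Jeremy's suggestion (flag restricted groups with an attribute such as managedBy rather than a text file) and Al's (tell a distribution list from a security group by its own characteristics, rather than keeping exchgroups.txt) can be done from the group object, and Al's earlier nesting question has a directory-side answer as well. The following is an added example, not code from either of them: the attribute names (groupType, managedBy, member) and the LDAP_MATCHING_RULE_IN_CHAIN OID are real AD schema, while the function names and the sample objects at the bottom are mine, constructed rather than taken from a domain. On Simon's managedBy worry: the attribute is a single-valued pointer and confers no rights on its own; it is the separate "Manager can update membership list" option in Users and Computers, which writes an ACE onto the group, that lets the manager add members, so using managedBy purely as a marker does not hand out that ability.

```powershell
# Added example, not Jeremy's or Al's code. Classifies a group from its own AD
# attributes instead of two text files, as both suggest, and answers Al's
# nesting question. Attribute names and the matching-rule OID are real AD
# schema; the sample objects at the bottom are constructed, not from a domain.

# Al's point: a distribution list is simply a group without the
# ADS_GROUP_TYPE_SECURITY_ENABLED bit in groupType, so exchgroups.txt is redundant.
function Test-SecurityGroup([int64]$GroupType) {
    # groupType is stored as a signed 32-bit integer, so security groups come
    # back negative (-2147483646 = global security, -2147483644 = domain local
    # security); distribution lists are small positive numbers (2, 4, 8).
    return (($GroupType -band 0x80000000) -ne 0)
}

# Jeremy's point: use an attribute as the "restricted" flag. managedBy is a
# single-valued DN reference, so it names at most one owner, and on its own it
# grants that owner nothing; the "Manager can update membership list" option
# is what adds the write ACE, so a marker-only managedBy is safe.
function Get-GroupCategory {
    param([Parameter(Mandatory)]$Group)   # needs Name, groupType, managedBy
    if (-not (Test-SecurityGroup $Group.groupType)) { return 'Exchange' }   # distribution list
    if ($Group.managedBy)                           { return 'Restricted' } # owner wants control
    return 'Plain'
}

function Format-GroupLine($Group) {
    switch (Get-GroupCategory $Group) {
        'Restricted' { "Restricted Group $($Group.Name)" }
        'Exchange'   { "Exchange Group $($Group.Name)" }
        default      { $Group.Name }
    }
}

# RFC 4515 escaping: a DN spliced into an LDAP filter must not be able to
# change the filter's meaning, even if a CN contains ( ) * or \.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Al's nesting question: the LDAP_MATCHING_RULE_IN_CHAIN rule makes the DC walk
# the member chain, so if userA is in groupB and groupB is in groupC, groupC is
# returned too. dsget -memberof and Get-ADPrincipalGroupMembership return only
# direct memberships.
function Get-UserGroupsTransitive([string]$UserDn) {
    Import-Module ActiveDirectory
    $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $UserDn))"
    return Get-ADGroup -LDAPFilter $filter -Properties groupType, managedBy
}

# Live use would be:
#   Get-UserGroupsTransitive 'CN=Simon G,OU=Users,DC=example,DC=com' |
#       ForEach-Object { Format-GroupLine $_ } | Sort-Object
# Constructed sample objects standing in for Get-ADGroup output:
$sample = @(
    [pscustomobject]@{ Name = 'Group A'; groupType = -2147483646; managedBy = $null }   # global security, no owner
    [pscustomobject]@{ Name = 'Group C'; groupType = -2147483646; managedBy = 'CN=Joan,OU=Users,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'Group D'; groupType = 8;           managedBy = $null }   # universal distribution
    [pscustomobject]@{ Name = 'Group B'; groupType = -2147483644; managedBy = $null }   # domain local security
)
$sample | ForEach-Object { Format-GroupLine $_ }
```

Run as-is, the block classifies the four constructed groups without touching a domain; swap the $sample pipeline for the commented Get-UserGroupsTransitive call to run it against real memberships. The filter escaping matters because the DN comes from a directory lookup on a user-typed ID, and a CN containing parentheses would otherwise alter the query.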
|
|
Jeremy, Al,
Thanks for you help and advice on this.
I'm going to use Jeremy's batch file for the mean time. For the longer term I plan on creating an OU specifically for these groups to put them in, making it much easier to identify them. The problem I have at present is that some applications use an LDAP query which relies on the groups being where they are, bugger.
Going forward we are also planning to prefix all our groups RG to help them be more easily defined, and to be honest, I just want to get rid of this whole "needs to be authorised by the business manager" thing as it's just not functional. In reality, they want to be the owners of these groups but do nothing to review them, so there's not much point in them owning them in the first place!
Thanks again, I may pop up with the same question somewhere in the future but hopefully things will be a little more streamlined.
|
|
"Simon G" <SimonG[ at ]discussions.microsoft.com> wrote in message news:7A479852-1E8C-40EA-A8CB-4BC962AECF62[ at ]microsoft.com...
> Jeremy, Al,
>
> Thanks for your help and advice on this.
You're welcome, and thanks for appreciating our comments.
> I'm going to use Jeremy's batch file for the mean time, for the longer
> term I plan on creating an OU specifically for these groups to put them in
> making it much easier to identify them, problem I have at present is that
> some applications use an LDAP query which relies on the groups being where
> they are, bugger.
>
> Going forward we are also planning to prefix all our groups RG to help
> them be more easily defined, and to be honest, I just want to get rid of
> this whole "needs to be authorised by the business manager" thing as it's
> just not functional, in reality, they want to be the owners of these
> groups but do nothing to review them, so there's not much point in them
> owning them in the first place!
I hear you there, man!
> Thanks again, I may pop up with the same question somewhere in the future
> but hopefully things will be a little more streamlined.
I have no doubt we will hear of some of the improvements you have made in how things work there.
/Al
|
|
|