>
> "Ewout" <Ewout[ at ]discussions.microsoft.com> wrote in message
> news:756B2CA2-FBD7-4258-9A8A-7657307423A4[ at ]microsoft.com...
> > I'm looking for a way to make a list of all computer accounts in our
> > Active Directory and all groups they are members of. I found the script
> > in the repository to build a list with all computer accounts, but I would
> > like to add all group names a computer account is a member of. E.g.:
> >
> > computer1, group1, group2, etc.
> > computer2, group1, group2, group3, etc.
> >
> > Products used: W2K AD and WINXP SP2 computers
> >
> > The repository script code to build a list with all computer accounts is:
> >
> > Const ADS_SCOPE_SUBTREE = 2
> >
> > Set objConnection = CreateObject("ADODB.Connection")
> > Set objCommand = CreateObject("ADODB.Command")
> > objConnection.Provider = "ADsDSOObject"
> > objConnection.Open "Active Directory Provider"
> >
> > Set objCommand.ActiveConnection = objConnection
> > objCommand.CommandText = _
> >     "Select Name, Location from 'LDAP://DC=fabrikam,DC=com' " _
> >     & "Where objectClass='computer'"
> > objCommand.Properties("Page Size") = 1000
> > objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
> > Set objRecordSet = objCommand.Execute
> > objRecordSet.MoveFirst
> >
> > Do Until objRecordSet.EOF
> >     Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
> >     Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
> >     objRecordSet.MoveNext
> > Loop
>
> The attribute you want is memberOf. Add this to the list in the SELECT
> statement. ADO retrieves the value as a collection of Distinguished Names
> (DN's) so you must enumerate in a For Each loop. Since your output is comma
> delimited, and you retrieve the sAMAccountName's of the groups (the NT or
> NetBIOS names), you probably don't want the DN of the groups, so you must
> bind to each group object to retrieve the sAMAccountName. Also, you must
> account for memberOf being Null. For example:
> ====================
> Const ADS_SCOPE_SUBTREE = 2
>
> Set objConnection = CreateObject("ADODB.Connection")
> Set objCommand = CreateObject("ADODB.Command")
> objConnection.Provider = "ADsDSOObject"
> objConnection.Open "Active Directory Provider"
>
> Set objCommand.ActiveConnection = objConnection
> ' Retrieve memberOf along with the computer name.
> objCommand.CommandText = _
>     "Select Name, memberOf from 'LDAP://DC=fabrikam,DC=com' " _
>     & "Where objectClass='computer'"
> objCommand.Properties("Page Size") = 1000
> objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
> Set objRecordSet = objCommand.Execute
> objRecordSet.MoveFirst
>
> Do Until objRecordSet.EOF
>     strLine = objRecordSet.Fields("Name").Value
>     arrGroups = objRecordSet.Fields("memberOf").Value
>     ' memberOf is Null when the computer has no memberships besides its primary group.
>     If Not IsNull(arrGroups) Then
>         For Each strGroup In arrGroups
>             ' Bind to the group by DN to read its sAMAccountName.
>             ' A "/" in a DN must be escaped in an ADSI path.
>             Set objGroup = GetObject("LDAP://" & Replace(strGroup, "/", "\/"))
>             strLine = strLine & "," & objGroup.sAMAccountName
>         Next
>     End If
>     Wscript.Echo strLine
>     objRecordSet.MoveNext
> Loop
> ===========
> Note the memberOf attribute never includes the "primary" group, which by
> default should be "Domain Computers" for computer objects. All computer
> objects should be a member of that group.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
>
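
The reply above notes that memberOf never includes the primary group. The following PowerShell sketch is an added example, not code from the thread: it produces the same comma-delimited listing and also resolves each computer's primary group by combining the domain SID with primaryGroupID. The function names are hypothetical, the base DN is the thread's sample value, and it assumes a domain-joined host with read access to the directory.

```powershell
# Added example (not from the thread). Base DN is the thread's sample value.
$root = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC=fabrikam,DC=com')
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(objectClass=computer)'
$searcher.PageSize = 1000
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PropertiesToLoad.AddRange([string[]]('name', 'memberOf', 'primaryGroupID', 'objectSid'))

$nameCache = @{}   # group DN or SID string -> sAMAccountName, so each group is resolved once

function Resolve-GroupDn([string]$Dn) {
    if (-not $nameCache.ContainsKey($Dn)) {
        # A "/" inside a DN must be escaped in an ADSI path.
        $entry = New-Object System.DirectoryServices.DirectoryEntry('LDAP://' + $Dn.Replace('/', '\/'))
        try { $nameCache[$Dn] = [string]$entry.Properties['sAMAccountName'].Value }
        finally { $entry.Dispose() }
    }
    $nameCache[$Dn]
}

function Resolve-PrimaryGroup([byte[]]$ObjectSid, [int]$Rid) {
    # The primary group's SID is the domain SID with primaryGroupID as the final RID.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($ObjectSid, 0)
    $groupSid = '{0}-{1}' -f $sid.AccountDomainSid.Value, $Rid
    if (-not $nameCache.ContainsKey($groupSid)) {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($groupSid)).Translate([System.Security.Principal.NTAccount])
        $nameCache[$groupSid] = $account.Value.Split('\')[-1]   # drop the "DOMAIN\" prefix
    }
    $nameCache[$groupSid]
}

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $p = $r.Properties   # property names are stored in lower case
        # Primary group first, then every group listed in memberOf (which may be absent).
        $groups = @(Resolve-PrimaryGroup ([byte[]]$p['objectsid'][0]) ([int]$p['primarygroupid'][0]))
        if ($p.Contains('memberof')) {
            foreach ($dn in $p['memberof']) { $groups += Resolve-GroupDn ([string]$dn) }
        }
        (@([string]$p['name'][0]) + $groups) -join ','
    }
}
finally { $results.Dispose(); $searcher.Dispose(); $root.Dispose() }
```

A computer whose first listed group is not "Domain Computers" (or "Domain Controllers" for DCs) has had its primary group changed, which is worth reviewing when auditing memberships.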