I vaguely remembered that I had something like this in a script I wrote to enumerate the members of a group both directly and indirectly. It uses the functionality of the Remote Server Administration Tools. There's also a hotfix to correct the output. I dug out the script and revised it to provide what he required.
In its simplest form, the command to run is:
dsget user <fulldn> -memberof -expand
For example:
dsget user "CN=testuser,OU=Staff,DC=company,DC=com" -memberof -expand
This will provide a list of group memberships in full distinguished name (DN) format. To simplify it to the groups' SAM account names, you can pipe the output to another dsget command for the groups:
dsget user <fulldn> -memberof -expand | dsget group -samid
You can also simplify the input if you pipe in the dsquery command for the user:
dsquery user -samid <samid> | dsget user -memberof -expand | dsget group -samid
For example:
dsquery user -samid testuser | dsget user -memberof -expand | dsget group -samid
Edit: You can use the same technique to list the members of a group:
dsquery group -samid <Groupname> | dsget group -members | dsget user -samid -fn -ln
Also, be wary of pasting one of these command strings in Outlook, as it has the tendency to automatically change hyphens to the longer "dash", which is an invalid character if you copy it out of Outlook and paste it to the command prompt.
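As an added example (not part of the original script mentioned above), the user pipeline can be wrapped in PowerShell to check whether an account reaches a privileged group through nesting. The watch list, the function name Get-ExpandedGroup, and the "samid" header and "dsget succeeded" footer lines filtered from the output are assumptions to adjust for your environment.

```powershell
# Added example: flag privileged groups in a user's expanded (nested) membership.
# Requires dsquery/dsget (Remote Server Administration Tools) on the PATH.
param(
    [Parameter(Mandatory)][string]$SamId,
    # Assumed watch list; replace with the groups that matter in your domain.
    [string[]]$Privileged = @(
        'Domain Admins', 'Enterprise Admins', 'Schema Admins',
        'Administrators', 'Account Operators', 'Backup Operators'
    )
)

function Get-ExpandedGroup {
    param([string]$User)

    # Same pipeline as in the post: resolve the user, expand nested groups,
    # then reduce each group DN to its SAM account name.
    $raw = dsquery user -samid $User |
        dsget user -memberof -expand |
        dsget group -samid

    if ($LASTEXITCODE -ne 0) {
        throw "dsget returned exit code $LASTEXITCODE for '$User'"
    }

    # Assumption: the output has a "samid" header line and a trailing
    # "dsget succeeded" line; drop both, plus blank lines and padding.
    $raw |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'samid' -and $_ -ne 'dsget succeeded' } |
        Sort-Object -Unique
}

$groups = @(Get-ExpandedGroup -User $SamId)
# -contains compares case-insensitively, which matches how SAM names behave.
$hits = @($groups | Where-Object { $Privileged -contains $_ })

'{0}: {1} group(s) after expansion' -f $SamId, $groups.Count
if ($hits.Count -gt 0) {
    $hits | ForEach-Object { "PRIVILEGED (direct or nested): $_" }
} else {
    'No watched privileged group in the expanded membership.'
}
```

Saved under a name of your choice, it is run with -SamId testuser; because -expand is used, a group reached only through nesting is reported the same way as a direct membership.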