Find deleted users in Global Groups - KiXtart.org

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Find deleted users in Global Groups

Page 1 of 1

Topic Options

#152476 - 2005-11-29 08:28 PM Find deleted users in Global Groups
jdogg jdogg Getting the hang of it Registered: 2003-09-11 Posts: 91 Loc: RTP, North Cakalaka, USA	My goal is to look in every global group in our domain and find users that are in groups that show up as SIDs (i.e. - they are deleted). This is part of a cleanup project I am doing. I would like to do this in KiXtart but other methods are acceptable, as well. I have searched high and low on Google, Microsoft, KiX BB, VB, etc. I also tried to do export from Hyena but cannot come up with anything. Hyena's webpage says that Hyena filters the unknown users out... is there a way in KiX to do this? Ideally I would like a spreadsheet of all groups that have unknown users in them with the member list so that I could remove them all using the same script. Thanks much guys!
Top

#152477 - 2005-11-29 09:35 PM Re: Find deleted users in Global Groups
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Checkout my Win32Admin.DLL on my web site. My GrpMaint.exe may also be of some assistance. It can enumerate all groups and then using an input file enumerate all members. I would think that unresolved account would show up as SIDs. http://home.comcast.net/~habullock/kix_solutions.htm GrpEnumMembers($Server, 'global'\|'local', $GrpName) Enumerates all the members of a "global" or "local" groups on $Server. Returns either an array of accounts for Global groups or an interleaved array containing both accounts and account sid types for local groups. Sid types (local groups) can be: SidTypeUser SidTypeGroup SidTypeDomain SidTypeAlias SidTypeWellKnownGroup SidTypeDeletedAccount SidTypeInvalid SidTypeUnknown SidTypeComputer Note: it has been some time sine I looked into this usage. SidType may only be available on local group for some Microsoft reason. Edited by Howard Bullock (2005-11-29 09:40 PM) _________________________ Home page: http://www.kixhelp.com/hb/
Top

#152478 - 2005-11-29 10:27 PM Re: Find deleted users in Global Groups
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	I would expect that some names from cross-domain trusts could show up as unresolved SIDs but one needs to be really careful because there may be a transient reason why they don't resolve and should not be deleted. I prefer to have a human make the decision. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#152479 - 2005-11-29 11:27 PM Re: Find deleted users in Global Groups
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11631 Loc: CA	I agree with Les. Have seen it many times where some cause is temporary and the account doesn't show up. Then when you check later on, it's back.
Top

#152480 - 2005-11-30 06:18 AM Re: Find deleted users in Global Groups
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	One could dump the group and only output the members that show as SIDs. Then feed those SIDs into LsaLookupSids method in Win32Admin3. That would confirm return the proper error code to let one know if the SID was not found or the domain could not be contacted. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#152481 - 2005-11-30 03:24 PM Re: Find deleted users in Global Groups
jdogg jdogg Getting the hang of it Registered: 2003-09-11 Posts: 91 Loc: RTP, North Cakalaka, USA	Thanks guys! I will experiment with your suggestions. Best Regards, -jdogg
Top

#152482 - 2005-11-30 10:22 PM

Re: Find deleted users in Global Groups

jdogg

Getting the hang of it

Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA

Hey guys...

I tried the methods you suggested.
However, I cannot seem to get JUST a list of groups and membership like I want.
Are you sure this will catch membership where the member is not recognized?
Also, for some reason, it repeats the member list four times for each group... I must have an extra loop somewhere but I can only understand this code enough to get it to run. ;(

To clarify my request, basically I want to find any groups in my domain that have unrecognized userid's in global groups.
We recently carved out a part of our company and this is the cleanup phase after the fact.

Thanks... and here is my code followed by part of the output file:

Code:


break ON
$= SetOption("WrapAtEol","On")

? "KiXtart version = " @KIX


; Win32Admin.DLL documentation and example KiXtart code

; All method set return data or true on success or nothing on failure.
; Also @error is set when an error occurs but does not seem to be reset on success.
; Therefore, checking the function result seems to be the best method of
; determining when an error occurs.
; @Error may not reflect the actual error of methods. Be sure to
; check @serror as it will reflect the correct text of the COM error.

$Win32Admin = createobject("Win32Admin")
if vartypename($Win32Admin) <> "Object"
  ? "@serror"
endif

; Method GrpEnum($Server, "global"|"local", optional $InclDesc)
;   Enumerates all "global" or "local" groups on $Server.
;
;   Returns either an array of dictionary objects
;   Local group keys: (comment, name)
;   Global group keys: (attributes, comment, group_id, name)
;
RedirectOutput("c:\scripts\globalgroups.log")
$Groups = $Win32Admin.GrpEnum("MOP002", "global")
if @error = 0
	for each $Group in $Groups
		$keys = $Group.keys
		for each $key in $keys
			$Value = $Group.get($key)
			If $key = "name"
				$grpname=$Value
				?$grpname
			EndIf
			$Members = $Win32Admin.GrpEnumMembers(MOP002, "global","$grpname")
			for each $Member in $Members
				$toys = $Member.keys
				for each $toy in $toys
					$Value = $Member.get($toy)
					If $toy = "name"
						$memname=$Value
						?"	" + $memname
					EndIf
				next
			next
		next
	next
else
	? "Error: @error  @serror"
endif
RedirectOutput("")

Code:


AA_DriveBF
	MLBQS
	MOJGS
	MLCAR
	MLOPI
	TERM ESBUR
	_BRKL ADMINISTRATION TEMPLATE
	UKMYA
	MLBQS
	MOJGS
	MLCAR
	MLOPI
	TERM ESBUR
	_BRKL ADMINISTRATION TEMPLATE
	UKMYA
	MLBQS
	MOJGS
	MLCAR
	MLOPI
	TERM ESBUR
	_BRKL ADMINISTRATION TEMPLATE
	UKMYA
	MLBQS
	MOJGS
	MLCAR
	MLOPI
	TERM ESBUR
	_BRKL ADMINISTRATION TEMPLATE
	UKMYA

Top

#152483 - 2005-11-30 11:53 PM Re: Find deleted users in Global Groups
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Code: $Server = 'amdc004' $Groups = $Win32Admin.GrpEnum($Server, "global") if @error = 0 for each $Group in $Groups $grpname = $Group.get('name') ?$grpname $Members = $Win32Admin.GrpEnumMembers($Server, "global", $grpname) for each $Member in $Members $memname = $Member.get('name') ? " " + $memname next next else ? "Error: @error @serror" endif I have many thousands of groups and I have yet to get through the list the first time. I have not found any invalid account in global groups. Could M$ automatically clean them? I have seen hold overs SID references in local group but never global groups. I do not think we scrub our global groups as we delete old accounts and still i only see current accounts. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#152484 - 2005-12-01 01:10 AM Re: Find deleted users in Global Groups
jdogg jdogg Getting the hang of it Registered: 2003-09-11 Posts: 91 Loc: RTP, North Cakalaka, USA	It's possible... in fact I think you are right. Especially since, in your DLL, the SID attributes are only available for local groups right? Maybe I am chasing my tail on this one... NTDOC is the authority around here about that kind of thing, right?
Top

#152485 - 2005-12-01 02:31 AM Re: Find deleted users in Global Groups
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11631 Loc: CA	Hmmm... don't think my fiance would like to reference me as an authority on tail chasing. As for the SID stuff well there are a few members on the board that have similar knowledge as myself in that area. All accounts have a SID local or network. What internal methods M$ employs for cleanup of local vs network I'm not sure. Though I suppose unlike Howard, I have seen SID within Global Groups from accounts that no longer existed (if that is in fact what Howard is saying - that he has not seen them in Global Groups)
Top

#152486 - 2005-12-01 02:56 AM Re: Find deleted users in Global Groups
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Doc, do you have any SIDs from deleted accounts in any global group now? DO you manually clean them up? I think that we have seen that they seem to disappear after a while...maybe the next time they are altered? _________________________ Home page: http://www.kixhelp.com/hb/
Top

#152487 - 2005-12-01 03:13 AM Re: Find deleted users in Global Groups
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	I think they would only show up in the case where the deleted account is from another trusted domain. When we delete user and computer accounts in the same domain as the DGG, we never end up with unresolved SIDs. During our AD migration, I did find a few related to broken down trusts but I rewrote the procedure to delete the accounts before destroying the trusts. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#152488 - 2005-12-01 03:16 AM Re: Find deleted users in Global Groups
jdogg jdogg Getting the hang of it Registered: 2003-09-11 Posts: 91 Loc: RTP, North Cakalaka, USA	Holy crap! Could it be? Could it possibly be that I asked something you guys don't know?? crapping pants Hehe... and NTDOC I didn't mean to imply that you were an authority on tail-chasing... lol... I just consider you one of the authorities on MS scripting (especially with KiX). I will go back to my team leader and suggest that this might not be possible. Maybe he will drop the whole issue. Either way it would be nice to know what happens in this scenario. Thanks again guys (as always), -jdogg
Top

#152489 - 2005-12-01 03:22 AM Re: Find deleted users in Global Groups
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Les, I doubt that you saw SIDs from other domains in your Global Groups as One can not put account from trusted domains into global groups. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#152490 - 2005-12-01 03:24 AM Re: Find deleted users in Global Groups
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	jdogg, what account did you delete? Accounts in the same domain as the global groups? Do you have trusted domains where these account could have been members of local groups? _________________________ Home page: http://www.kixhelp.com/hb/
Top

#152491 - 2005-12-01 04:39 AM Re: Find deleted users in Global Groups
jdogg jdogg Getting the hang of it Registered: 2003-09-11 Posts: 91 Loc: RTP, North Cakalaka, USA	Howard, We were carving out a division of our company to its own new company. We used DMA to migrate their accounts. After migrating, I am running a small project to clean up the systems of traces of their accounts/groups/etc. I suppose my manager was thinking there could be deleted accounts in the source domain that now show up as SID's. After talking this through, though, it sounds hard to believe or not well thought out. I did spend about 2 full days working on this script though. I guess I can chalk it up to learning. Hope this helps.
Top

Page 1 of 1

Previous Topic View All Topics

Index Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Search the board with:
superb Board Search
or try with google:

	Web kixtart.org