#152476 - 2005-11-29 08:28 PM
Find deleted users in Global Groups
|
jdogg
Getting the hang of it
Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
|
My goal is to look in every global group in our domain and find users that are in groups that show up as SIDs (i.e. - they are deleted).
This is part of a cleanup project I am doing.
I would like to do this in KiXtart but other methods are acceptable, as well.
I have searched high and low on Google, Microsoft, KiX BB, VB, etc. I also tried to do export from Hyena but cannot come up with anything.
Hyena's webpage says that Hyena filters the unknown users out... is there a way in KiX to do this?
Ideally I would like a spreadsheet of all groups that have unknown users in them with the member list so that I could remove them all using the same script.
Thanks much guys!
|
|
Top
|
|
|
|
|
#152477 - 2005-11-29 09:35 PM
Re: Find deleted users in Global Groups
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Checkout my Win32Admin.DLL on my web site. My GrpMaint.exe may also be of some assistance. It can enumerate all groups and then using an input file enumerate all members. I would think that unresolved account would show up as SIDs.
http://home.comcast.net/~habullock/kix_solutions.htm
GrpEnumMembers($Server, 'global'|'local', $GrpName)
Enumerates all the members of a "global" or "local" groups on $Server.
Returns either an array of accounts for Global groups or an interleaved array containing both accounts and account sid types for local groups.
Sid types (local groups) can be:
SidTypeUser
SidTypeGroup
SidTypeDomain
SidTypeAlias
SidTypeWellKnownGroup
SidTypeDeletedAccount
SidTypeInvalid
SidTypeUnknown
SidTypeComputer
Note: it has been some time sine I looked into this usage. SidType may only be available on local group for some Microsoft reason.
Edited by Howard Bullock (2005-11-29 09:40 PM)
|
|
Top
|
|
|
|
|
#152480 - 2005-11-30 06:18 AM
Re: Find deleted users in Global Groups
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
One could dump the group and only output the members that show as SIDs. Then feed those SIDs into LsaLookupSids method in Win32Admin3. That would confirm return the proper error code to let one know if the SID was not found or the domain could not be contacted.
|
|
Top
|
|
|
|
#152481 - 2005-11-30 03:24 PM
Re: Find deleted users in Global Groups
|
jdogg
Getting the hang of it
Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
|
Thanks guys! I will experiment with your suggestions.
Best Regards,
-jdogg
|
|
Top
|
|
|
|
|
#152482 - 2005-11-30 10:22 PM
Re: Find deleted users in Global Groups
|
jdogg
Getting the hang of it
Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
|
Hey guys...
I tried the methods you suggested.
However, I cannot seem to get JUST a list of groups and membership like I want.
Are you sure this will catch membership where the member is not recognized?
Also, for some reason, it repeats the member list four times for each group... I must have an extra loop somewhere but I can only understand this code enough to get it to run. ;(
To clarify my request, basically I want to find any groups in my domain that have unrecognized userid's in global groups.
We recently carved out a part of our company and this is the cleanup phase after the fact.
Thanks... and here is my code followed by part of the output file:
Code:
break ON
$= SetOption("WrapAtEol","On")
? "KiXtart version = " @KIX
; Win32Admin.DLL documentation and example KiXtart code
; All method set return data or true on success or nothing on failure.
; Also @error is set when an error occurs but does not seem to be reset on success.
; Therefore, checking the function result seems to be the best method of
; determining when an error occurs.
; @Error may not reflect the actual error of methods. Be sure to
; check @serror as it will reflect the correct text of the COM error.
$Win32Admin = createobject("Win32Admin")
if vartypename($Win32Admin) <> "Object"
? "@serror"
endif
; Method GrpEnum($Server, "global"|"local", optional $InclDesc)
; Enumerates all "global" or "local" groups on $Server.
;
; Returns either an array of dictionary objects
; Local group keys: (comment, name)
; Global group keys: (attributes, comment, group_id, name)
;
RedirectOutput("c:\scripts\globalgroups.log")
$Groups = $Win32Admin.GrpEnum("MOP002", "global")
if @error = 0
for each $Group in $Groups
$keys = $Group.keys
for each $key in $keys
$Value = $Group.get($key)
If $key = "name"
$grpname=$Value
?$grpname
EndIf
$Members = $Win32Admin.GrpEnumMembers(MOP002, "global","$grpname")
for each $Member in $Members
$toys = $Member.keys
for each $toy in $toys
$Value = $Member.get($toy)
If $toy = "name"
$memname=$Value
?" " + $memname
EndIf
next
next
next
next
else
? "Error: @error @serror"
endif
RedirectOutput("")
Code:
AA_DriveBF
MLBQS
MOJGS
MLCAR
MLOPI
TERM ESBUR
_BRKL ADMINISTRATION TEMPLATE
UKMYA
MLBQS
MOJGS
MLCAR
MLOPI
TERM ESBUR
_BRKL ADMINISTRATION TEMPLATE
UKMYA
MLBQS
MOJGS
MLCAR
MLOPI
TERM ESBUR
_BRKL ADMINISTRATION TEMPLATE
UKMYA
MLBQS
MOJGS
MLCAR
MLOPI
TERM ESBUR
_BRKL ADMINISTRATION TEMPLATE
UKMYA
|
|
Top
|
|
|
|
|
#152483 - 2005-11-30 11:53 PM
Re: Find deleted users in Global Groups
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Code:
$Server = 'amdc004'
$Groups = $Win32Admin.GrpEnum($Server, "global")
if @error = 0
for each $Group in $Groups
$grpname = $Group.get('name')
?$grpname
$Members = $Win32Admin.GrpEnumMembers($Server, "global", $grpname)
for each $Member in $Members
$memname = $Member.get('name')
? " " + $memname
next
next
else
? "Error: @error @serror"
endif
I have many thousands of groups and I have yet to get through the list the first time. I have not found any invalid account in global groups. Could M$ automatically clean them? I have seen hold overs SID references in local group but never global groups. I do not think we scrub our global groups as we delete old accounts and still i only see current accounts.
|
|
Top
|
|
|
|
|
#152484 - 2005-12-01 01:10 AM
Re: Find deleted users in Global Groups
|
jdogg
Getting the hang of it
Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
|
It's possible... in fact I think you are right.
Especially since, in your DLL, the SID attributes are only available for local groups right?
Maybe I am chasing my tail on this one...
NTDOC is the authority around here about that kind of thing, right?
|
|
Top
|
|
|
|
|
#152486 - 2005-12-01 02:56 AM
Re: Find deleted users in Global Groups
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Doc, do you have any SIDs from deleted accounts in any global group now? DO you manually clean them up? I think that we have seen that they seem to disappear after a while...maybe the next time they are altered?
|
|
Top
|
|
|
|
|
#152488 - 2005-12-01 03:16 AM
Re: Find deleted users in Global Groups
|
jdogg
Getting the hang of it
Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
|
Holy crap! Could it be? Could it possibly be that I asked something you guys don't know?? *crapping pants*
Hehe... and NTDOC I didn't mean to imply that you were an authority on tail-chasing... lol... I just consider you one of the authorities on MS scripting (especially with KiX).
I will go back to my team leader and suggest that this might not be possible. Maybe he will drop the whole issue. Either way it would be nice to know what happens in this scenario.
Thanks again guys (as always),
-jdogg
|
|
Top
|
|
|
|
|
#152489 - 2005-12-01 03:22 AM
Re: Find deleted users in Global Groups
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Les, I doubt that you saw SIDs from other domains in your Global Groups as One can not put account from trusted domains into global groups.
|
|
Top
|
|
|
|
|
#152490 - 2005-12-01 03:24 AM
Re: Find deleted users in Global Groups
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
jdogg, what account did you delete? Accounts in the same domain as the global groups? Do you have trusted domains where these account could have been members of local groups?
|
|
Top
|
|
|
|
|
#152491 - 2005-12-01 04:39 AM
Re: Find deleted users in Global Groups
|
jdogg
Getting the hang of it
Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
|
Howard,
We were carving out a division of our company to its own new company.
We used DMA to migrate their accounts.
After migrating, I am running a small project to clean up the systems of traces of their accounts/groups/etc.
I suppose my manager was thinking there could be deleted accounts in the source domain that now show up as SID's. After talking this through, though, it sounds hard to believe or not well thought out. I did spend about 2 full days working on this script though. I guess I can chalk it up to learning.
Hope this helps.
|
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
1 registered
(Allen)
and 271 anonymous users online.
|
|
|
