finding objects *not* in a group [message #157674] Sat, 11 July 2009 08:42
alfrodull (United States)
Hi,

I'm trying to find the best way to get a list of all computer objects
in an ou and its sub-ous that are not a member of a group.

Our structure is something like:
OU=Computers,DC=Contoso,DC=com
OU=Marketing,OU=Computers,DC=Contoso,DC=com
OU=Sales,OU=Computers,DC=Contoso,DC=com
OU=EastCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
OU=California,OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
OU=Central,OU=Sales,OU=Computers,DC=Contoso,DC=com
OU=Accounting,OU=Computers,DC=Contoso,DC=com

We have a group OU=CompGroup,OU=Groups,DC=Contoso,DC=com that is
supposed to hold all computer objects in the Computers ou.
Unfortunately we are not in a position to have a script automatically
add them to the group when they are joined to the domain.

I could use dsquery and dsget to have a listing of all members of
CompGroup and then compare that to a listing of all computer objects
under Computers. I could use any of the isMember.vbs scripts floating
around and iterate through the computers that way.

But is there a better/faster way to find the objects that aren't a
member of the group?

Re: finding objects *not* in a group [message #157675 is a reply to message #157674] Sat, 11 July 2009 08:58
meiweb(nospam) (Germany)
Hello alfrodull@gmail.com,

From another posting answered by Richard Mueller:
-------------------------------------------------------------------------------------------
Computer objects have a memberOf attribute, same as users. A query to return
all computer objects that are not members of a specified group could be:

(&(objectCategory=computer)(!memberOf=cn=TestGroup,ou=Sales,dc=MyDomain,dc=com))


You must use the complete Distinguished Name of the group. No wildcards
allowed. The "!" symbol is the NOT operator.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
-------------------------------------------------------------------------------------------

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> I'm trying to find the best way to get a list of all computer objects
> in an ou and its sub-ous that are not a member of a group.
>
> Our structure is something like:
> OU=Computers,DC=Contoso,DC=com
> OU=Marketing,OU=Computers,DC=Contoso,DC=com
> OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=EastCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=California,OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=Central,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=Accounting,OU=Computers,DC=Contoso,DC=com
> We have a group OU=CompGroup,OU=Groups,DC=Contoso,DC=com that is
> supposed to hold all computer objects in the Computers ou.
> Unfortunately we are not in a position to have a script automatically
> add them to the group when they are joined to the domain.
>
> I could use dsquery and dsget to have a listing of all members of
> CompGroup and then compare that to a listing of all computer objects
> under Computers. I could use any of the isMember.vbs scripts floating
> around and iterate through the computers that way.
>
> But is there a better/faster way to find the objects that aren't a
> member of the group?
>

Re: finding objects *not* in a group [message #157677 is a reply to message #157675] Sat, 11 July 2009 10:38
Marcin (United States)
Assuming that you are referring to direct members of the group (which is not
designated as the primary group), you can take advantage of the memberOf
attribute (as Meinolf has suggested). The search can be conducted using
adfind utility (joeware.net), using the following syntax:

adfind -b "DN path of the top level OU" -f "&(objectCategory=computer)(!memberOf=DN of the group)" -nodn cn

Btw. do you actually have an OU named Computers directly under
DC=Contoso,DC=com?

hth
Marcin

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662986e8cbd04f29312c72@msnews.microsoft.com...
> Hello alfrodull@gmail.com,
>
> From another posting answered by Richard Mueller:
> -------------------------------------------------------------------------------------------
> Computer objects have a memberOf attribute, same as users. A query to
> return all computer objects that are not members of a specified group
> could be:
>
> (&(objectCategory=computer)(!memberOf=cn=TestGroup,ou=Sales,dc=MyDomain,dc=com))
>
>
> You must use the complete Distinguished Name of the group. No wildcards
> allowed. The "!" symbol is the NOT operator.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> -------------------------------------------------------------------------------------------
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hi,
>>
>> I'm trying to find the best way to get a list of all computer objects
>> in an ou and its sub-ous that are not a member of a group.
>>
>> Our structure is something like:
>> OU=Computers,DC=Contoso,DC=com
>> OU=Marketing,OU=Computers,DC=Contoso,DC=com
>> OU=Sales,OU=Computers,DC=Contoso,DC=com
>> OU=EastCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
>> OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
>> OU=California,OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
>> OU=Central,OU=Sales,OU=Computers,DC=Contoso,DC=com
>> OU=Accounting,OU=Computers,DC=Contoso,DC=com
>> We have a group OU=CompGroup,OU=Groups,DC=Contoso,DC=com that is
>> supposed to hold all computer objects in the Computers ou.
>> Unfortunately we are not in a position to have a script automatically
>> add them to the group when they are joined to the domain.
>>
>> I could use dsquery and dsget to have a listing of all members of
>> CompGroup and then compare that to a listing of all computer objects
>> under Computers. I could use any of the isMember.vbs scripts floating
>> around and iterate through the computers that way.
>>
>> But is there a better/faster way to find the objects that aren't a
>> member of the group?
>>
>
>
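
The filter from Meinolf's reply and the primary-group caveat from Marcin's, as an added PowerShell example that is not part of any post in this thread; with -IncludeNested it goes beyond the thread's direct-membership case by using the LDAP_MATCHING_RULE_IN_CHAIN matching rule. Assumptions: the ActiveDirectory (RSAT) module is available, the function names are hypothetical, and the DNs are placeholders modelled on the thread's Contoso example with the group taken to be CN=CompGroup.

```powershell
# Added example, not code from the thread. Function names are hypothetical;
# the DNs in the final call are constructed placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping: backslash first, then * ( ) so a DN such as
    # "CN=Ops (East),..." is matched literally instead of breaking the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ComputerNotInGroup {
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # top-level OU to audit
        [Parameter(Mandatory)][string]$GroupDN,     # complete DN of the group, no wildcards
        [switch]$IncludeNested                      # count membership through nested groups too
    )
    $dn = ConvertTo-LdapFilterValue $GroupDN

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf match).
    $clause = if ($IncludeNested) { "memberOf:1.2.840.113556.1.4.1941:=$dn" } else { "memberOf=$dn" }

    # Strict RFC 4515 spelling of the NOT clause: the negated item gets its own parentheses.
    $filter = "(&(objectCategory=computer)(!($clause)))"

    # memberOf never lists an object's primary group, so a computer whose primary
    # group is the audited group would show up as a false positive. Compare its
    # primaryGroupID with the group's primaryGroupToken and drop those.
    $token = (Get-ADGroup -Identity $GroupDN -Properties primaryGroupToken).primaryGroupToken

    Get-ADComputer -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -ne $token } |
        Sort-Object DistinguishedName |
        Select-Object Name, DistinguishedName
}

# Subtree scope covers the top-level OU and every nested OU below it.
Get-ComputerNotInGroup -SearchBase 'OU=Computers,DC=Contoso,DC=com' `
    -GroupDN 'CN=CompGroup,OU=Groups,DC=Contoso,DC=com'
```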

Re: finding objects *not* in a group [message #157678 is a reply to message #157674] Sat, 11 July 2009 11:50
aceman (United States)
<alfrodull@gmail.com> wrote in message
news:24550307-e339-4ddc-803d-1eb30acf9660@o7g2000yqb.googlegroups.com...
> Hi,
>
> I'm trying to find the best way to get a list of all computer objects
> in an ou and its sub-ous that are not a member of a group.
>
> Our structure is something like:
> OU=Computers,DC=Contoso,DC=com
> OU=Marketing,OU=Computers,DC=Contoso,DC=com
> OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=EastCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=California,OU=WestCoast,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=Central,OU=Sales,OU=Computers,DC=Contoso,DC=com
> OU=Accounting,OU=Computers,DC=Contoso,DC=com
>
> We have a group OU=CompGroup,OU=Groups,DC=Contoso,DC=com that is
> supposed to hold all computer objects in the Computers ou.
> Unfortunately we are not in a position to have a script automatically
> add them to the group when they are joined to the domain.
>
> I could use dsquery and dsget to have a listing of all members of
> CompGroup and then compare that to a listing of all computer objects
> under Computers. I could use any of the isMember.vbs scripts floating
> around and iterate through the computers that way.
>
> But is there a better/faster way to find the objects that aren't a
> member of the group?


Did you actually try to create an OU called Computers under the contoso.com
domain, or is it the default CN? It appears that the Computer Container is
shown as a parent OU in your post, however the default Computer container is
a container and not an OU, and you cannot create OUs under it. So I'm a
little confused on your structure, unless this is just a pseudo design plan?
This is because the following is not something you can create under the
default Computers Container:
> OU=Central,OU=Sales,OU=Computers,DC=Contoso,DC=com

Also, is this actually a group that you were referring to, and not an OU, as
shown?
> OU=CompGroup,OU=Groups,DC=Contoso,DC=com

I know you are looking for how to find if an object is part of a group or not,
but I would like to comment on your OU structure, which is a little
confusing as shown, because the Computers Container is being shown as an
OU, which is not possible in AD.

To get a better view, or to provide a suggestion, how about organizing it
based on Location, then Function? Such as in the following. Below
Contoso.com, there is a parent OU called East Coast, and then child OUs to
house objects based on objects/function, such as a department or object
type. I wasn't sure how California fits in your organization, since it would
fall under West Coast, but you can create a California, Washington, Seattle,
etc, under it (either city or state), and break it down that way. Remember,
OUs are for organizing objects either based on company, location, function
and/or GPO design.

contoso.com
......East Coast OU
...............Accounting
...............Computers
...............Laptops
...............Marketing
...............Sales
...............Users
......Central US OU
...............Accounting
...............Computers
...............Laptops
...............Marketing
...............Sales
...............Users
......West Coast OU
...............California
...............................Computers
...............................Sales
...............Accounting
...............Computers
...............Laptops
...............Marketing
...............Sales
...............Users



I hope that helps with your OU design.

Ace

Re: finding objects *not* in a group [message #157679 is a reply to message #157675] Sat, 11 July 2009 16:31
alfrodull (United States)
Thanks, I had forgotten about the adsi interface. I knew you could use
memberOf with the dsget from the command line. This is what I was
looking for. It's basically one command I can run from my
workstation. I knew you could do it by getting a list of computers and
then using a "for computer in computers" loop to check membership, but
the sql based query should be faster.

On Jul 11, 7:58 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
> Hello alfrod...@gmail.com,
>
> From another posting answered by Richard Mueller:
> -------------------------------------------------------------------------------------------
> Computer objects have a memberOf attribute, same as users. A query to return
> all computer objects that are not members of a specified group could be:
>
> (&(objectCategory=computer)(!memberOf=cn=TestGroup,ou=Sales,dc=MyDomain,dc=com))
>
> You must use the complete Distinguished Name of the group. No wildcards
> allowed. The "!" symbol is the NOT operator.
>
> --

Re: finding objects *not* in a group [message #157680 is a reply to message #157677] Sat, 11 July 2009 16:35
alfrodull (United States)
That looks like a cool little program. I can see it being very useful
and easier for the people in my department who hate writing scripts or
working with the ds* tools.

And no, that was not the real ou structure for our company. I just
needed a quick and dirty example to make sure people knew I was
talking about multiple nested ous. Somewhere, there is a small Mom &
Pop company called Contoso just waiting to find a lawyer brave enough
to sue Microsoft. :)

Thanks!

On Jul 11, 9:38 am, "Marcin" <mar...@community.nospam> wrote:
> Assuming that you are referring to direct members of the group (which is not
> designated as the primary group), you can take advantage of the memberOf
> attribute (as Meinolf has suggested). The search can be conducted using
> adfind utility (joeware.net), using the following syntax:
>
> adfind -b "DN path of the top level OU" -f "&(objectCategory=computer)(!memberOf=DN of the group)" -nodn cn
>
> Btw. do you actually have an OU named Computers directly under
> DC=Contoso,DC=com?
>
> hth
> Marcin