query

[Nick Britton]

I want to be able to query all computers in an OU and I want the results
to show what groups are listed under the security tab. If possible I
would like to narrow that down and only look for one group, lets call it
group a. Any ideas?

Thanks for your help.

Nick

 

[Marin Marinov]

I want to be able to query all computers in an OU and I want the results
to show what groups are listed under the security tab. If possible I
would like to narrow that down and only look for one group, lets call it
group a. Any ideas?

Thanks for your help.

Nick

Hi Nick,
Here are a couple of ideas. You can give a shot at Dsacls.exe and
dsquery.exe from Win2K3. The former will display the DACL of any object,
while the latter will return a list of computers (dsquery computer /?)
based on custom criteria.

Another usefull tool would be ADSI Scriptomatic from
www.microsoft.com/technet/scriptcenter. Also, check out this script that
will display the security descriptor of an object (URL wraps):
http://www.microsoft.com/technet/community/scriptcenter/user/scrug128.ms
px

This one enumerates computer accounts:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm12
..mspx

All these need modification to work for your specific case.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Joe Richards [MVP]]

Nothing out there doing this that I am aware of with possibly the exception of
activeroles from quest.

Other than that, you need to put the scripting hat on and unfortunately you
can't query Security Descriptors, you will have to chase through every computer
object in the OU, enumerate the SD (ACL) and then pull them out yourself.

joe