perl-win32-admin
RE: Enumerating Universal Group members
by Steven Manross
Sep 19 2008 7:19PM
FYI  I dusted this one off and made some modifications which should do
what the poster wants...  Instead of the regex, you could just put in
the = 8 instead if you want universal groups only.  

P.S. This list is friendly to those who post in plain text.  I don't
care, but some do.

P.S.S. If you have circular references in your groups (Group A in Group
B and Group B in Group A), this could spin out of control re-checking
the nestedness of your groups.

HTH
Steven
#---------------------------------------------------------

use Win32::OLE qw (in);                # base functionality
use Win32::OLE::Variant;

# The base DN is a placeholder as posted; substitute your own OU and domain components.
my $objects;
query_ldap("<LDAP://OU=SOMEOU,dc=somedomain,dc=>;(objectclass=Group);adspath,cn,ADsPath;subtree",$objects)
  or die "LDAP query failed\n";

print "recordcount = ".$objects->{RecordCount}."\n";
while (!$objects->{EOF}) {
  #print $objects->Fields("adsPath")->{Value}."\n";
  # Bind to each group returned by the query and print its members
  my $myObj = Win32::OLE->GetObject($objects->Fields("adsPath")->{Value});
  print $myObj->{SamAccountName}."\n";
  # groupType is a bit mask; the regex matches any value whose decimal text contains 2, 4 or 8
  if ($myObj->{groupType} =~ /(2|4|8)/) { #global=2 local=4 universal=8
    geT_members($myObj,2);
  }
  $objects->MoveNext();
}

# Print the members of $group indented by $spacing columns, recursing into
# nested groups. Nothing here tracks groups already visited.
sub geT_members {
  my $group = $_[0];
  my $spacing = $_[1];
  foreach my $member (in ($group->{Members})) {
    for (1..$spacing) {
      print " ";
    }
    print "$member->{Name}\n";
    if ($member->{groupType} =~ /(2|4|8)/) { #global=2 local=4 universal=8
      for (1..$spacing) {
        print " ";
      }
      print "  --Nested Group found\n";
      #sleep 5;
      if (scalar($member->{Members}) > 0) {
        geT_members($member,$spacing+2);
      }
    }
  }
}

# Run an ADSI query through ADO. On success the recordset is stored in the
# caller's second argument and 1 is returned; on failure 0 is returned.
sub query_ldap {
  my $ldap_query = $_[0];

  my $error_num;
  my $error_name;
  my $RS;
  my $Conn = Win32::OLE->new("ADODB.Connection");
  if (Win32::OLE->LastError() != 0) {
    print "Failed creating ADODB.Connection object (".Win32::OLE->LastError().")\n   -> $ldap_query\n";
    return 0;
  }
  $Conn->{'Provider'} = "ADsDSOObject";
  if (Win32::OLE->LastError() != 0) {
    print "Failed setting ADODB.Command Provider (".Win32::OLE->LastError().")\n   -> $ldap_query\n";
    return 0;
  }
  $Conn->{Open} = "Perl Active Directory Query";

  my $Cmd = Win32::OLE->new("ADODB.Command");
  if (Win32::OLE->LastError() != 0) {
    print "Failed creating ADODB.Command object (".Win32::OLE->LastError().")\n   -> $ldap_query\n";
    return 0;
  }
  $Cmd->{CommandText} = $ldap_query;
  $Cmd->{Properties}->{"Page Size"} = 99;
  $Cmd->{ActiveConnection} = $Conn;
  $RS = $Cmd->Execute();
  if (Win32::OLE->LastError() != 0) {
    print "Failed Executing ADODB Command object (".Win32::OLE->LastError().")\nExecuting ADODB Command -> $ldap_query\n";
    return 0;
  } else {
    $_[1] = $RS;   # hand the recordset back through the caller's variable
    return 1;
  }
}

________________________________

	From: perl-win32-admin-bounces@[...].com
[mailto:perl-win32-admin-bounces@[...].com] On Behalf Of
bryan.mcclellan@[...].com
	Sent: Thursday, September 18, 2008 5:08 AM
	To: ConorLillis@ANGLOIRISHBANK.ie;
perl-win32-admin@[...].com
	Subject: RE: Enumerating Universal Group members
	
	
	Why not enumerate the member attribute? If you do this you can
bind to each object and determine if it is a group and then loop through
it as well.
	 
	Bryan

________________________________

	From: perl-win32-admin-bounces@[...].com
[mailto:perl-win32-admin-bounces@[...].com] On Behalf Of
Conor Lillis
	Sent: Wednesday, September 17, 2008 6:48 AM
	To: perl-win32-admin@[...].com
	Subject: Enumerating Universal Group members
	
	
	Hi all, 
	as part of a security audit to see who has send permissions to
Exchange 2003 dist. lists, I am trying to enumerate universal groups.
	My methodology is as follows:-
	Enumerate values in ADSI attribute dLMemSubmitPerms
	For each element in this list, enumerate the members of the
nested group. This works for Universal security list members, but not
for nested universal distribution lists.
	 
	A snippet of my code is below:-
	 
	  my @dLMemSubmitPerms = $entry->get_value('dLMemSubmitPerms');
	  foreach my $line (@dLMemSubmitPerms)
	  {
	    my ($group) = (split /,/, $line);
	    $group =~ s/CN=//ig;
	    print "\n\nACL on \"$name\"\t: \"$group\"\t\n";
	    # '$PDC' in single quotes is passed as the literal string $PDC, not a variable's value
	    if (Win32::NetAdmin::GroupGetMembers('$PDC', "$group", \@array))
	    {
	      print "Enumerating group listing for \"$group\"\n";
	      foreach my $member (@array)
	      {
	        print "$member is in \"$group\"\n";
	      }
	    }
	  }
	
	I may be missing an important step, but having stared at it for
a while nothing is jumping out at me...
	 
	Also, if anyone has a smart mechanism to enumerate members of
nested groups within nested groups (we have maybe 5 degrees of nesting
on some lists) that would be much appreciated.
	 
	Regards,
	Conor Lillis
	---------------------------------------
	Senior Systems Administrator,
	Group Network Services,
	tel : +353-1-616-2540
	 
	Anglo Irish Bank
	www.angloirishbank.ie <http://www.angloirishbank.ie/>  
	---------------------------------------
	 

	 

	
_______________________________________________
Perl-Win32-Admin mailing list
Perl-Win32-Admin@[...].com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
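
The circular-reference caveat in the reply above (Group A in Group B and Group B in Group A) can be handled by remembering which groups have already been expanded. The following is an added example, not code from the thread: it walks a constructed in-memory membership table instead of Active Directory, so %members and every group and user name in it are made up; against ADSI the same %seen check would be keyed on each group's distinguishedName.

```perl
use strict;
use warnings;

# Constructed sample data: group name => direct members.
# DL-Finance and DL-Audit contain each other (a circular reference).
my %members = (
    'DL-AllStaff' => [ 'DL-Finance', 'alice' ],
    'DL-Finance'  => [ 'DL-Audit', 'bob' ],
    'DL-Audit'    => [ 'DL-Finance', 'carol', 'bob' ],
);

# Print the nesting tree under $group and collect leaf members in %$users.
# %$seen records every group already expanded, so a group that is reached
# a second time is reported but never re-entered.
sub walk {
    my ($group, $seen, $users, $depth) = @_;
    $seen->{$group} = 1;
    foreach my $member (@{ $members{$group} }) {
        print ' ' x $depth, $member, "\n";
        if (!exists $members{$member}) {       # leaf: a user or contact
            $users->{$member} = 1;
        } elsif ($seen->{$member}) {           # cycle or repeated nesting
            print ' ' x $depth, "  --already expanded, skipping\n";
        } else {
            print ' ' x $depth, "  --Nested Group found\n";
            walk($member, $seen, $users, $depth + 2);
        }
    }
    return;
}

# Flattened, de-duplicated list of everyone who is effectively in $group.
sub effective_members {
    my ($group) = @_;
    my (%seen, %users);
    walk($group, \%seen, \%users, 2);
    return sort keys %users;
}

my @effective = effective_members('DL-AllStaff');
print "Effective members: @effective\n";
```

For an audit of who can send to a list, the flattened list is the useful output: a user who is reachable through several nesting paths is counted once.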