Problem with GROUP report - Domain Users ( more than 15 000 member

I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem with
report members ( for example all ba* users ) from group Domain Users.
There is more than 15 000 users in AD.

Dsget group -member or VBS ( memberof ) return empty results.

As temporary solution i'm checking all users account for primaryGroupID
atribut ( value 513 )

Is there any chance for direct report from Domain Users group ?

Marek Chladek

Meinolf
Tue Aug 12 03:55:25 PDT 2008

Hello Marek,

Do you use the DN name for the group or just the group name?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem
> with report members ( for example all ba* users ) from group Domain
> Users. There is more than 15 000 users in AD.
>
> Dsget group -member or VBS ( memberof ) return empty results.
>
> As temporary solution i'm checking all users account for
> primaryGroupID atribut ( value 513 )
>
> Is there any chance for direct report from Domain Users group ?
>
> Marek Chladek
>

Wiseman82
Tue Aug 12 04:48:11 PDT 2008

You might find this script useful:

http://www.wisesoft.co.uk/scripts/vbscript_list_group_members.aspx

This one might also be of interest:

http://www.wisesoft.co.uk/scripts/vbscript_groups_and_members_report.aspx

Both scripts will include primary group members in the results. They should
work ok with large numbers of users.

Hope this helps,

David

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66a639d8caca91d30f3576@msnews.microsoft.com...
> Hello Marek,
>
> Do you use the DN name for the group or just the group name?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem
>> with report members ( for example all ba* users ) from group Domain
>> Users. There is more than 15 000 users in AD.
>>
>> Dsget group -member or VBS ( memberof ) return empty results.
>>
>> As temporary solution i'm checking all users account for
>> primaryGroupID atribut ( value 513 )
>>
>> Is there any chance for direct report from Domain Users group ?
>>
>> Marek Chladek
>>
>
>

Richard
Tue Aug 12 05:04:40 PDT 2008

Marek Chladek wrote:

>I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem with
> report members ( for example all ba* users ) from group Domain Users.
> There is more than 15 000 users in AD.
>
> Dsget group -member or VBS ( memberof ) return empty results.
>
> As temporary solution i'm checking all users account for primaryGroupID
> atribut ( value 513 )
>
> Is there any chance for direct report from Domain Users group ?
>

The member attribute of groups and the memberOf attribute of users do not
reveal membership in the "primary" group. By default the primary group of
all users is "Domain Users" (the primary group of all computer objects is
"Domain Computers"). If this has not been modified, you can assume that
everyone is a member of "Domain Users". Otherwise, the only way to retrieve
all direct members of Domain Users is to search for all users where
primaryGroupID is 513. The group Domain Users has 513 assigned to the
operational attribute primaryGroupToken.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

MarekChladek
Tue Aug 12 23:52:00 PDT 2008

Hello Meinolf,

I use syntax dsget group "CN=Domain Users,CN=........." -members > xxx.txt
There is no problem with syntax, but with number of members and with group
type "Domain Users" because in LDIF the member atribut is empty.

Thank you

Marek

"Meinolf Weber" wrote:

> Hello Marek,
>
> Do you use the DN name for the group or just the group name?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem
> > with report members ( for example all ba* users ) from group Domain
> > Users. There is more than 15 000 users in AD.
> >
> > Dsget group -member or VBS ( memberof ) return empty results.
> >
> > As temporary solution i'm checking all users account for
> > primaryGroupID atribut ( value 513 )
> >
> > Is there any chance for direct report from Domain Users group ?
> >
> > Marek Chladek
> >
>
>
>

MarekChladek
Wed Aug 13 00:01:02 PDT 2008

Thank you David - Scripts are able to export users :-)

"Wiseman82" wrote:

> You might find this script useful:
>
> http://www.wisesoft.co.uk/scripts/vbscript_list_group_members.aspx
>
> This one might also be of interest:
>
> http://www.wisesoft.co.uk/scripts/vbscript_groups_and_members_report.aspx
>
> Both scripts will include primary group members in the results. They should
> work ok with large numbers of users.
>
> Hope this helps,
>
> David
>
> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66a639d8caca91d30f3576@msnews.microsoft.com...
> > Hello Marek,
> >
> > Do you use the DN name for the group or just the group name?
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and
> > confers no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >> I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem
> >> with report members ( for example all ba* users ) from group Domain
> >> Users. There is more than 15 000 users in AD.
> >>
> >> Dsget group -member or VBS ( memberof ) return empty results.
> >>
> >> As temporary solution i'm checking all users account for
> >> primaryGroupID atribut ( value 513 )
> >>
> >> Is there any chance for direct report from Domain Users group ?
> >>
> >> Marek Chladek
> >>
> >
> >
>

MarekChladek
Wed Aug 13 00:16:01 PDT 2008

Hello Richard,

thank you for confirmation my temporary solution.
One of my colleague during wrong LDIF import make computer accounts with
Domain Users membership.
So use primaryGroupID was only temporary solution.

Scripts from David are able to retrieve all direct members of Domain Users.

Thank you for your help

Marek

"Richard Mueller [MVP]" wrote:

> Marek Chladek wrote:
>
> >I have on Windows 2003 AD ( Native Domain and Forest 2003 ) problem with
> > report members ( for example all ba* users ) from group Domain Users.
> > There is more than 15 000 users in AD.
> >
> > Dsget group -member or VBS ( memberof ) return empty results.
> >
> > As temporary solution i'm checking all users account for primaryGroupID
> > atribut ( value 513 )
> >
> > Is there any chance for direct report from Domain Users group ?
> >
>
> The member attribute of groups and the memberOf attribute of users do not
> reveal membership in the "primary" group. By default the primary group of
> all users is "Domain Users" (the primary group of all computer objects is
> "Domain Computers"). If this has not been modified, you can assume that
> everyone is a member of "Domain Users". Otherwise, the only way to retrieve
> all direct members of Domain Users is to search for all users where
> primaryGroupID is 513. The group Domain Users has 513 assigned to the
> operational attribute primaryGroupToken.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
>