{"id":63503,"date":"2007-11-29T00:53:00","date_gmt":"2007-11-29T00:53:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2007\/11\/29\/hey-scripting-guy-how-can-i-determine-the-manager-for-all-the-groups-in-active-directory\/"},"modified":"2007-11-29T00:53:00","modified_gmt":"2007-11-29T00:53:00","slug":"hey-scripting-guy-how-can-i-determine-the-manager-for-all-the-groups-in-active-directory","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-determine-the-manager-for-all-the-groups-in-active-directory\/","title":{"rendered":"Hey, Scripting Guy! How Can I Determine the Manager for All the Groups in Active Directory?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! How can I return a list of all my Active Directory groups, along with the name of the user responsible for each group?

— PL<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, PL. You know, we realize that most of you are thinking, \u201cWow, this has been a busy month<\/B><\/A> for you Scripting Guys. You guys really deserve to take some time off.\u201d Well, as much as we\u2019d like to \u2013 what\u2019s that? No one<\/I> was thinking that we deserve to take some time off? No one at all? Mom? Dad? Anyone?<\/P>\n

Hmmm \u2026.<\/P>\n

Well, that\u2019s just as well, because the Scripting Guys can\u2019t afford to take any time off right now anyway. After all, the 2008 Winter Scripting Games<\/B><\/A> are just around the corner (February 15th<\/SUP> through March 3rd<\/SUP>), and we have a lot to do in order to get ready for Scripting Games III. (Like, say, come up with some events for people to participate in.) As you might expect, our plan is to make the 2008 Games even bigger \u2013 and even better \u2013 than the 2007 version. To that end, we\u2019ve added a whole new division to the Games; this year you can compete (as either a beginning scripter and\/or an advanced scripter) in Perl as well as VBScript and Windows PowerShell. (That\u2019s right: Perl.) On top of that, we\u2019ll also have some bonus events designed for those show-offs (you know who you are) who somehow manage to complete all the events in a single day. (Sad but true: even though we were the ones who designed the events in the first place even the Scripting Guys can\u2019t complete all the events in a single day.) And if you\u2019re a member of a user group, well, stay tuned; there\u2019s a good chance we\u2019ll have a special little \u201cGames within the Games\u201d for user groups. <\/P>\n

What\u2019s that? Prizes? Of course<\/I> there will be prizes. (Assuming we\u2019re able to come up with something, that is.) There will be prizes, and there will be Certificates of Excellence awarded to anyone who receives a score of 60 or better in any one division (e.g., Advanced Perl). Needless to say, it should be a great time for everyone.<\/P>\n

Well, except maybe for the two Scripting Guys, who have to test and score all those many entries. But for everyone else, it should be a great time.<\/P>\n

Make that it will<\/I> be a great time.<\/P>\n

Ah, good question: how are<\/I> you supposed to remember that the Scripting Games begin February 15th? Well, it\u2019s possible that we\u2019ll mention the fact once or twice before then. Alternatively, Microsoft Outlook users can run this script and set a reminder for Thursday, February 14, 2008:<\/P>

Const olAppointmentItem = 1\nSet objOutlook = CreateObject(“Outlook.Application”)\nSet objAppointment = objOutlook.CreateItem(olAppointmentItem)\nobjAppointment.Start = #2\/15\/2008 8:00 AM#\nobjAppointment.AllDayEvent = True\nobjAppointment.Subject = “2008 Winter Scripting Games”\nobjAppointment.Body = “The 2008 Winter Scripting Games begin at 8:00 AM Pacific Standard Time. ” & _\n    “Go to http:\/\/www.microsoft.com\/scriptcenter\/funzone\/games.mspx to begin play. The Games end ” & _\n        “on Monday, March 3, 2008.”\nobjAppointment.Location = “TechNet Script Center”\nobjAppointment.ReminderMinutesBeforeStart = 1440\nobjAppointment.ReminderSet = True<\/p>\n
objAppointment.Save\n<\/PRE>\n
And that\u2019s how you return a list of all your Active Directory groups, along with the name of the user responsible for each of those groups. Thank you, and we\u2019ll see you all tomorrow.<\/P>\n
Oops; sorry. We got a little ahead of ourselves there, didn\u2019t we? This<\/I> is how you return a list of all your Active Directory groups, along with the name of the user responsible for each of those groups:<\/P>
On Error Resume Next<\/p>\n
Const ADS_SCOPE_SUBTREE = 2<\/p>\n
Set objConnection = CreateObject(“ADODB.Connection”)\nSet objCommand =   CreateObject(“ADODB.Command”)\nobjConnection.Provider = “ADsDSOObject”\nobjConnection.Open “Active Directory Provider”\nSet objCommand.ActiveConnection = objConnection<\/p>\n
objCommand.Properties(“Page Size”) = 1000\nobjCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE <\/p>\n
objCommand.CommandText = _\n    “SELECT Name, managedBy FROM ‘LDAP:\/\/DC=fabrikam,DC=com’ WHERE objectCategory=’group'”<\/p>\n
Set objRecordSet = objCommand.Execute<\/p>\n
objRecordSet.MoveFirst<\/p>\n
Do Until objRecordSet.EOF\n    Wscript.Echo objRecordSet.Fields(“Name”).Value \n    Wscript.Echo objRecordSet.Fields(“managedBy”).Value\n    Wscript.Echo\n    objRecordSet.MoveNext\nLoop\n<\/PRE>\n
That\u2019s a little more like it.<\/P>\n
As you can see, this is an Active Directory search script. And because this is<\/I> an Active Directory search script, that can only mean one thing: we aren\u2019t going to discuss the script in much detail today. Why not? Well, for one thing, the Scripting Guys are kind of lazy (and deserving of some time off, even if no one else thinks so). More important, however, is the fact that a detailed discussion of Active Directory search scripts goes way beyond what we can do in a single Hey, Scripting Guy!<\/I> column. But don\u2019t despair; after all, we have a two-part Tales from the Script series<\/B><\/A> that tells you everything you need to know about searching Active Directory.<\/P>\n
And then some.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. Hey, why the sad face? Oh, you say you\u2019re a Windows PowerShell user, and you think that no one cares whether or not you<\/I> can search Active Directory? Listen, cheer up: the Scripting Guys<\/I> care whether or not you can search Active Directory using Windows PowerShell. In fact, we\u2019ve written an entire article<\/B><\/A> that explains how to do so. And<\/I> we\u2019ve posted over 100 sample scripts<\/B><\/A> in the Script Center Script Repository.<\/P>\n
And you thought that no one cared. The Scripting Guys always<\/I> care!<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
Instead of discussing Active Directory searching in detail, we\u2019ll take just a moment to look at two parts of our script: the SQL query used to retrieve group information, and the Do Until loop used to display that information. Our SQL query looks like this:<\/P>
objCommand.CommandText = _\n    “SELECT Name, managedBy FROM ‘LDAP:\/\/DC=fabrikam,DC=com’ WHERE objectCategory=’group'”\n<\/PRE>\n
As you can see, we\u2019re searching the entire fabrikam.com domain, asking the script to return the values for two attributes: Name<\/B> and managedBy <\/B>(the attribute that keeps track of the group owner). This query also includes a Where clause that restricts data to all those objects that have an objectCategory<\/B> equal to group<\/I>. What does all that add up to? That adds up to a SQL query that returns the name and owner of all the groups in fabrikam.com.<\/P>\n
Which is just exactly what we wanted our SQL query to return.<\/P>\n
When we execute this query we get back a recordset containing all the requested information. Once we have that information, we set up a Do Until loop that runs until the recordset\u2019s EOF<\/B> (end-of-file) property is True. Inside that loop, we use these two lines of code to echo back the group name and the group owner:<\/P>
Wscript.Echo objRecordSet.Fields(“Name”).Value \nWscript.Echo objRecordSet.Fields(“managedBy”).Value\n<\/PRE>\n
After that, we use the command Wscript.Echo<\/B> to insert a blank line in our output, then use the MoveNext<\/B> method to move to the next record in the recordset. (Don\u2019t forget to call the MoveNext method. If you do<\/I> forget, then your script will simply echo back the value of the first record in the recordset forever and ever.) When we\u2019re all done, we should have output similar to this:<\/P>
Finance Department Employees\nCN=Ken Myer,OU=Finance,DC=fabrikam,DC=com<\/p>\n
Finance Department Managers\nCN=Jonathan Haas,OU=Finance,DC=fabrikam,DC=com<\/p>\n
Human Resources Employees\nCN=Pilar Ackerman,OU=HR,DC=fabrikam,DC=com\n<\/PRE>\n
And that\u2019s<\/I> how you return a list of all your Active Directory groups, along with the name of the user responsible for each of those groups. Thank you, and we\u2019ll see you all tomorrow.<\/P>\n
Oh, right; good point. As you can see, our sample script worked just fine: it returned the name of each group as well as the owner of each group. The only problem is that the managedBy attribute stores group owners by their distinguished name; that means we get back names similar to this:<\/P>
CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com\n<\/PRE>\n
That\u2019s OK, but in many cases we\u2019d rather have owner names displayed like this:<\/P>
Ken Myer\n<\/PRE>\n
And that\u2019s a problem. That\u2019s a display name, and the managedBy attribute doesn\u2019t store display names. <\/P>\n
So does that mean we\u2019re out of luck? Hey, the Scripting Guys have been out of luck for years. (After all, if we were even the least bit lucky we wouldn\u2019t even be<\/I> Scripting Guys in the first place.) Fortunately, though, we don\u2019t need luck to care of this problem; all we need to do is modify our Do Until loop so that it looks like this:<\/P>
Do Until objRecordSet.EOF\n    Wscript.Echo objRecordSet.Fields(“Name”).Value \n    strUserDN = objRecordSet.Fields(“managedBy”).Value\n    Set objUser = GetObject(“LDAP:\/\/” & strUserDN)\n    Wscript.Echo objUser.displayName\n    Wscript.Echo\n    objRecordSet.MoveNext\nLoop\n<\/PRE>\n
What\u2019s different with this loop? Well, to begin with, nothing: in the first line we echo back the value of the group\u2019s Name attribute, just like we did in our original script. In line 2, however, things begin to change. This time around we don\u2019t echo the value of the managedBy attribute; instead, we store that value in a variable named strUserDN:<\/P>
strUserDN = objRecordSet.Fields(“managedBy”).Value\n<\/PRE>\n
What\u2019s the point of that? No point, really; we\u2019re just killing a little time before lunch.<\/P>\n
No, hey, just kidding: there\u2019s always<\/I> a point to anything that the Scripting Guys do. (Whether or not there\u2019s a good<\/I> point to anything that the Scripting Guys do is another story.) We\u2019re grabbing the value of the owner\u2019s distinguished name because we can then pass that value to the GetObject<\/B> function and, in turn, bind directly to the owner\u2019s user account in Active Directory:<\/P>
Set objUser = GetObject(“LDAP:\/\/” & strUserDN)\n<\/PRE>\n
And what\u2019s the point of that<\/I>? Well, once we\u2019re connected to the user account we can echo back any of the attribute values for that account. If we bind to the group account we can only echo back the distinguished name of the group owner; that\u2019s because (via the managedBy attribute) that\u2019s the only name available to us. By binding to the owner\u2019s individual user account we can echo back any<\/I> attribute value for that account, including the displayName<\/B>:<\/P>
Wscript.Echo objUser.displayName\n<\/PRE>\n
And why do we want to echo back the value of the displayName attribute? Because then we get output that looks like this:<\/P>
Finance Department Employees\nKen Myer<\/p>\n
Finance Department Managers\nJonathan Haas<\/p>\n
Human Resources Employees\nPilar Ackerman\n<\/PRE>\n
Pretty slick, huh?<\/P>\n
And sure, you can easily modify the original script so that it returns the names of all the groups that are managed by a specified user. All you have to do is include the distinguished name of that user in your Where clause, like so:<\/P>
objCommand.CommandText = _\n    “SELECT Name FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ WHERE objectCategory=group’ ” & _\n        “AND managedBy=’CN=Ken Myer,OU=Finance,dc=fabrikam,dc=com'”\n<\/PRE>\n
That query returns a list of groups managed by Ken Myer.<\/P>\n
That should do it, PL. Remember, the Winter Scripting Games are just a couple months of way (February 15, 2008 through March 3, 2008). Keep checking the Games home page<\/B><\/A> between now and then; among other things, we\u2019ll be posting weekly tips to help you prepare for the Games. And if you got a perfect score in last year\u2019s Games, be sure to send us information for our Profiles in Perfection<\/B><\/A> feature; just email a brief bio and a picture (or two) to scripter@microsoft.com (in English, if possible)<\/B><\/A>. <\/P>\n
Oh, and keep this in mind: Tiger Woods did not<\/I> enter the 2007 Scripting Games, and look what happened to him. Let that be a lesson to you all.<\/P>\n
What\u2019s that? He earned how<\/I> much money?!? Wow; that is<\/I> a lot of money, isn\u2019t it? Well, enter the Scripting Games anyway; money isn\u2019t everything<\/I> you know. <\/P>\n
Besides, we bet Tiger Woods doesn\u2019t have a Dr. Scripto Bobblehead doll<\/B><\/A>. And we wouldn\u2019t sell him one, either, not at any price. Great Scripting Games prizes like Dr. Scripto bobblehead dolls can\u2019t be bought; they have to be earned<\/I>.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note to Tiger Woods<\/B>. Don\u2019t worry about those last few sentences; that was all legal mumbo-jumbo that the Scripting Editor makes us put in. Feel free to contact the Scripting Guy who writes this column at any time and make him an offer. He\u2019ll see what he can do for you.<\/P><\/TD><\/TR><\/TBODY><\/TABLE><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I return a list of all my Active Directory groups, along with the name of the user responsible for each group?— PL Hey, PL. You know, we realize that most of you are thinking, \u201cWow, this has been a busy month for you Scripting Guys. You guys really deserve to […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,5],"class_list":["post-63503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I return a list of all my Active Directory groups, along with the name of the user responsible for each group?— PL Hey, PL. You know, we realize that most of you are thinking, \u201cWow, this has been a busy month for you Scripting Guys. You guys really deserve to […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=63503"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63503\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=63503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=63503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=63503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}