DSQUERY / filter out members of a specific group.

n1ckn4m3
Posts: 2
Joined: Fri Dec 17, 2010 4:50 am

DSQUERY / filter out members of a specific group.

Post by n1ckn4m3 » Fri Dec 17, 2010 5:04 am

Hey team! Long-time reader, you guys have published things many times in the past that have dug me out of a few sticky situations I'm in. I've got a fairly easy (hopefully!) one this time:

I've been using one of the published password reset reminder scripts that uses a few for loops and a dsquery coupled with blat to e-mail users in our domain that their password is going to expire in x amount of days. Since a lot of our users are remote, we don't have the luxury of them being in contact with a DC when they log in every time, so many of them do not get the reminder that Windows can innately provide.

The script works very well and has grown with our changing needs very well indeed. Unfortunately, I've been tasked with something that seems to be quite a boondoggle and I am unable to determine the proper way to do what I'm trying to do.

This is the dsquery that we use in the script:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=%user%))" -attr mail

This queries my entire domain, returns User Accounts that are categorized as Persons, does NOT return disabled accounts (userAccountControl parameter), based on the %user% variable provided, one at a time. I'm aware that doing repeated single dsquery requests is not the most efficient way of requesting it, but as I'm taking an action on each single result I have been unable to find a better way to do this.

The %user% variable is generated in a separate script by the command:

net user /domain^|findstr /v /c:"User accounts for "^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"

This works very well and does serve the purpose. Now what I'm faced with is that we have about 60 OUs designed in our organization, one for each service line. Each service line has sub-OUs for computer accounts, user accounts, and external user accounts. The external user accounts are vendors/contractors/clients who need access to network resources. Though their passwords expire, management would like the solution to NOT e-mail them about their password expiring.

My conundrum is that presently, I'm running one script against the domain that runs one time nightly and it does everything for me. I cannot seem to find a way to structure either the net user /domain or the dsquery to specifically avoid specific OUs (unless I target each OTHER OU with a specific dsquery request, which won't work for the script), and I am unable to find a way to have dsquery filter out members of a specific group -- as dsquery can seemingly only provide the group name and dsget must be used to enumerate the group members.

Ultimately, I'd much rather find a catch-all filter that I can use, but besides their location in AD or the possibility of them all being added to a specific group, there is nothing identical with each user that I can filter against that would catch all of the users or would not catch other, non-external users.

I've got a fairly high level of control over what we do to solve this, but the infrastructure team would prefer not to have to add specific attributes to each of these user accounts due to the sheer number of them (over 900 at present and growing every day).

Does anyone here know of a way that I can either tailor those commands to skip specific OUs or filter out members of a specific group? Or am I looking at changing the dsquery to targeting specific OUs manually as opposed to targeting the domain root?

I apologize if I've left anything important out; please return a request if there's any information I haven't provided that would help to assist.

Thanks in advance for your time!
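The filter logic the post relies on, as an added example that is not part of the original post or of any dsquery script: a small Python evaluator for the LDAP filter dialect that dsquery hands to Active Directory. It parses the post's own filter (including the `(!attr:rule:=value)` shorthand AD tolerates and the bitwise-AND rule `1.2.840.113556.1.4.803` that drops disabled accounts) and runs it over a constructed set of sample entries. It then goes beyond the post in one respect, which is the question being asked: it adds a `(!(memberOf=<groupDN>))` clause, the attribute AD maintains for direct group membership, and the transitive matching rule `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN), which also catches members of nested groups. The domain name, group and user DNs, account names and addresses are constructed for the example; the two matching-rule OIDs are the real Active Directory ones.

```python
"""Evaluator for the LDAP filter dialect dsquery passes to Active Directory:
(&...), (|...), (!...), attr=value, the bitwise AND rule 1.2.840.113556.1.4.803
and the nested-group rule 1.2.840.113556.1.4.1941.  Every entry below is
constructed sample data; nothing contacts a real domain controller."""
import re

BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (transitive membership)
UF_ACCOUNTDISABLE = 2                 # userAccountControl bit set on disabled accounts

# attr[:rule:]=value  (RFC 4515 escapes such as \28 and \29 are not handled here)
_ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", re.S)

def _expect(text, i, ch):
    if i >= len(text) or text[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")

def _item(text, i):
    """Parse a simple item; returns (node, index of the ')' that ends it)."""
    end = text.index(")", i)
    m = _ITEM.fullmatch(text[i:end])
    if not m:
        raise ValueError(f"bad filter item {text[i:end]!r}")
    attr, rule, value = m.groups()
    return ("=", (attr.lower(), rule, value)), end

def parse(text, i=0):
    """Recursive-descent parse of one parenthesised filter; returns (node, next_index)."""
    _expect(text, i, "(")
    i += 1
    if text[i] in "&|":                       # (&(a)(b)...) or (|(a)(b)...)
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            kid, i = parse(text, i)
            kids.append(kid)
        _expect(text, i, ")")
        return (op, kids), i + 1
    if text[i] == "!":                        # (!(a)), or AD's tolerated shorthand (!a=b)
        kid, i = parse(text, i + 1) if text[i + 1] == "(" else _item(text, i + 1)
        _expect(text, i, ")")
        return ("!", [kid]), i + 1
    node, end = _item(text, i)
    return node, end + 1

def _nested_groups(dn, directory):
    """Every group `dn` belongs to, following memberOf through nested groups."""
    seen, stack = set(), list(directory.get(dn, {}).get("memberof", []))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(directory.get(g, {}).get("memberof", []))
    return seen

def matches(node, entry, directory):
    """Evaluate a parsed filter against one entry (attribute keys are lower-case)."""
    kind, payload = node
    if kind == "&":
        return all(matches(k, entry, directory) for k in payload)
    if kind == "|":
        return any(matches(k, entry, directory) for k in payload)
    if kind == "!":
        return not matches(payload[0], entry, directory)
    attr, rule, value = payload
    values = entry.get(attr, [])
    if rule is None:                          # AD string matching is case-insensitive
        return any(v.lower() == value.lower() for v in values)
    if rule == BIT_AND:                       # true when every bit of `value` is set
        return any((int(v) & int(value)) == int(value) for v in values)
    if rule == IN_CHAIN and attr == "memberof":
        groups = _nested_groups(entry["distinguishedname"][0], directory)
        return value.lower() in {g.lower() for g in groups}
    raise ValueError(f"unsupported matching rule {rule} on {attr}")

def select(filter_text, directory):
    """sAMAccountNames of the user entries in `directory` that satisfy the filter."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(e["samaccountname"][0] for e in directory.values()
                  if "samaccountname" in e and matches(node, e, directory))

# ---- constructed sample directory (not real accounts) ------------------------
BASE = "DC=example,DC=com"
EXTERNAL = f"CN=External Users,OU=Groups,{BASE}"
VENDORS = f"CN=Vendor Accounts,OU=Groups,{BASE}"   # nested inside External Users

def _user(cn, ou, uac, groups, mail):
    dn = f"CN={cn},OU={ou},{BASE}"
    return dn, {"distinguishedname": [dn], "objectcategory": ["Person"],
                "objectclass": ["top", "person", "organizationalPerson", "user"],
                "samaccountname": [cn.lower()], "useraccountcontrol": [str(uac)],
                "memberof": groups, "mail": [mail]}

DIRECTORY = dict([
    (EXTERNAL, {"distinguishedname": [EXTERNAL], "objectclass": ["top", "group"], "memberof": []}),
    (VENDORS, {"distinguishedname": [VENDORS], "objectclass": ["top", "group"], "memberof": [EXTERNAL]}),
    _user("alice", "Staff", 512, [], "alice@example.com"),                 # normal, enabled
    _user("bob", "Staff", 512 | UF_ACCOUNTDISABLE, [], "bob@example.com"),  # disabled
    _user("carol", "External", 512, [EXTERNAL], "carol@example.net"),       # direct member
    _user("dave", "External", 512, [VENDORS], "dave@example.net"),          # member via nesting
])

# the post's filter with its %user% placeholder set to one constructed account
POST_FILTER = ("(&(objectCategory=Person)(objectClass=User)"
               "(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=alice))")
ACTIVE_PEOPLE = ("(&(objectCategory=Person)(objectClass=User)"
                 "(!userAccountControl:1.2.840.113556.1.4.803:=2))")

def exclude_group_direct(group_dn):
    """Active people who are not *direct* members of group_dn."""
    return f"(&{ACTIVE_PEOPLE}(!(memberOf={group_dn})))"

def exclude_group_nested(group_dn):
    """Active people who are not members of group_dn directly or through nested groups."""
    return f"(&{ACTIVE_PEOPLE}(!(memberOf:{IN_CHAIN}:={group_dn})))"
```

`select(exclude_group_direct(EXTERNAL), DIRECTORY)` returns alice and dave, because dave is only a member through the nested Vendor Accounts group; `select(exclude_group_nested(EXTERNAL), DIRECTORY)` returns alice alone. Either filter string can be passed unchanged to `dsquery * domainroot -filter "<filter>" -attr mail -limit 0` (dsquery stops at 100 results unless `-limit 0` is given), which replaces the per-user `net user /domain` loop with a single query. Excluding an OU purely by filter is not possible: AD does not support wildcard or substring matching on DN-syntax attributes such as distinguishedName, so skipping OUs means either a start node other than domainroot or filtering the returned DNs after the query.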
