Export a list of dynamic groups and their membership rules.

Is there a way to export a list of all dynamic groups and their membership rules?  I've tried several suggestions from the forum but no luck.

  • Yes, you can read and calculate the rules - I wrote an audit script years ago that runs once a day and lists all the rules for each group.

    It's too many lines to upload here and I don't think I can attach a file, so I'll run through the basic steps for you: get an ARS connection and store it in $proxy, and set $script:searchRoot to the OU containing the groups you want to audit.

    # Assumptions for this excerpt (comments added): $proxy holds the ARS connection and
    # $script:searchRoot the OU to audit, as described above. $DC (the domain controller
    # name used by Get-ADObject) is not set in the excerpt; set it before running, e.g.
    # $DC = (Get-ADDomainController).HostName

    # Get all the dynamic groups
    $IncludedProperties = @(
        'edsaIsDynamicGroup'
        'accountNameHistory'
        'edsaDGOriginatingService'
    )
    [array]$DGs = Get-QADGroup -SearchRoot $script:searchRoot -LdapFilter '(edsaIsDynamicGroup=TRUE)' -Connection $proxy -IncludedProperties $IncludedProperties -SizeLimit 0

    # Inside a loop, process the rules list, which can be found in MembershipRuleCollection.
    # (Note: this is an old script; if I were writing it today I'd exclusively use ArrayLists
    # and HashSets, but that's another post.)
    $DGroupRules = @()
    $bp = 0   # counts rules of a type this script does not recognise
    foreach ( $DG in $DGs ) {
        $objRulesCollection = $DG.DirectoryEntry.MembershipRuleCollection
        foreach ( $objRule in $objRulesCollection ) {
            # quick and dirty object creation: one row per rule
            $DGroupRule = '' | Select-Object 'DynamicGroupDN', 'DynamicGroupMembers', 'RuleType', 'TargetGUID', 'TargetName', 'TargetMembers', 'TargetDN', 'LDAPFilter', 'LDAPSearchScope', 'edsaDGOriginatingService'
            $DGroupRule.'DynamicGroupDN'           = $DG.DN
            $DGroupRule.'DynamicGroupMembers'      = $DG.Member.Count # direct members only
            $DGroupRule.'edsaDGOriginatingService' = $DG.edsaDGOriginatingService
            switch ( $objRule.Type ) {
                '5' {
                    $DGroupRule.RuleType        = 'Include Group Members'
                    $object                     = Get-ADObject -Identity $objRule.BaseGuid -Properties member -Server $DC
                    $DGroupRule.'TargetGUID'    = $objRule.BaseGuid
                    $DGroupRule.'TargetName'    = $object.Name
                    $DGroupRule.'TargetMembers' = $object.member.Count # direct members only though - my script expands this later but not enough room to add this detail here
                    $DGroupRule.'TargetDN'      = $object.DistinguishedName
                    $DGroupRules += $DGroupRule
                    Break
                } # '5' { # Include Group Members
                '6' {
                    $DGroupRule.RuleType        = 'Exclude Group Members'
                    $object                     = Get-ADObject -Identity $objRule.BaseGuid -Properties member -Server $DC
                    $DGroupRule.'TargetGUID'    = $objRule.BaseGuid
                    $DGroupRule.'TargetName'    = $object.Name
                    $DGroupRule.'TargetMembers' = $object.member.Count
                    $DGroupRule.'TargetDN'      = $object.DistinguishedName
                    $DGroupRules += $DGroupRule
                    Break
                } # '6' { # Exclude Group Members
                '1' {
                    $DGroupRule.RuleType        = 'Include by Query'
                    # for query rules BaseGuid is the search base OU, not a target object
                    $DGroupRule.LDAPSearchScope = (Get-ADObject -Identity $objRule.BaseGuid -Server $DC).DistinguishedName
                    $DGroupRule.'TargetGUID'    = $objRule.BaseGuid
                    $DGroupRule.LDAPFilter      = $objRule.Filter
                    [array]$ldapObjects         = Get-QADObject -LdapFilter $objRule.Filter -Connection $proxy -SizeLimit 0 -SearchRoot $DGroupRule.LDAPSearchScope
                    if ( $ldapObjects.Count -gt 0 ) { $DGroupRule.'TargetMembers' = $ldapObjects.Count }
                    $DGroupRules += $DGroupRule
                    Break
                } # '1' { # Include by Query
                '2' {
                    $DGroupRule.RuleType        = 'Exclude by Query'
                    $DGroupRule.LDAPSearchScope = (Get-ADObject -Identity $objRule.BaseGuid -Server $DC).DistinguishedName
                    $DGroupRule.'TargetGUID'    = $objRule.BaseGuid
                    $DGroupRule.LDAPFilter      = $objRule.Filter
                    [array]$ldapObjects         = Get-QADObject -LdapFilter $objRule.Filter -Connection $proxy -SizeLimit 0 -SearchRoot $DGroupRule.LDAPSearchScope
                    # record the hit count as for type 1 (the original discarded the query result)
                    if ( $ldapObjects.Count -gt 0 ) { $DGroupRule.'TargetMembers' = $ldapObjects.Count }
                    $DGroupRules += $DGroupRule
                    Break
                } # '2' { # Exclude by Query
                '3' {
                    $DGroupRule.RuleType        = 'Include Explicitly'
                    $object                     = Get-ADObject -Identity $objRule.BaseGuid -Properties employeeID, employeeNumber, proxyAddresses -Server $DC
                    $DGroupRule.'TargetGUID'    = $objRule.BaseGuid
                    $objectEnabled              = $object.Enabled # not used in this excerpt
                    $DGroupRule.'TargetName'    = $object.Name
                    $DGroupRule.'TargetDN'      = $object.DistinguishedName
                    $DGroupRules += $DGroupRule
                    Break
                } # '3' { # Include Explicitly
                '4' {
                    $DGroupRule.RuleType        = 'Exclude Explicitly'
                    $object                     = Get-ADObject -Identity $objRule.BaseGuid -Properties employeeID, employeeNumber -Server $DC
                    $DGroupRule.'TargetGUID'    = $objRule.BaseGuid
                    $objectEnabled              = $object.Enabled # not used in this excerpt
                    $DGroupRules += $DGroupRule
                    Break
                } # '4' { # Exclude Explicitly
                Default {
                    $bp = $bp + 1
                }
            } # switch ( $objRule.Type ) {
        } # foreach ( $objRule in $objRulesCollection ) {
    } # foreach ( $DG in $DGs ) {

  • The above post should be adequate for you to work out the rest. The SDK does explain this, but the examples use VBScript, not PowerShell. Once finished you can export $DGroupRules to CSV (it's quite an old script). You can also read edsaDGConditionsList, which stores the rules as XML; see below for the syntax.

    The rule precedence is:

    [0x4]Exclude Explicitly            # 1
    [0x3]Include Explicitly            # 2
    [0x2]Exclude by Query              # 3
    [0x6]Exclude Group Members         # 4
    [0x1]Include by Query              # 5
    [0x5]Include Group Members         # 6
    SYNTAX:
        Generic syntax is: [<ruleType>;<GUID>;<parameters>]

    WHERE:
        <ruleType>     = 0x1 | 0x2 | 0x3 | 0x4 | 0x5 | 0x6
        <GUID>         = ObjectGUID of target object, or SearchBase OU for types 0x1, 0x2
        <parameters>   = Rule-specific parameters (see below)

    PARAMETERS BY RULE TYPE:
        0x1, 0x2       = Include/Exclude by Query <LDAPFilter>
        0x3, 0x4       = Include/Exclude Explicitly (empty)
        0x5, 0x6       = Include/Exclude Group Members (empty)

    MULTIPLE RULES:
        Concatenate rules without separators:
        [0x1;<guid>;<filter>][0x5;<guid>;][0x6;<guid>;]
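An added example (not from the post above and not Active Roles' own code) that parses the concatenated [<ruleType>;<GUID>;<parameters>] string described in the syntax above into one object per rule, tags each with the name and precedence from the list above, and flags any text that does not fit the pattern. It assumes the attribute holds exactly that bracketed syntax; the function name, the sample string and its GUIDs are constructed for illustration and are not real objects.

```powershell
# Rule-type names and evaluation order as given in the post above
$RuleTypeInfo = @{
    '0x4' = @{ Name = 'Exclude Explicitly';    Precedence = 1 }
    '0x3' = @{ Name = 'Include Explicitly';    Precedence = 2 }
    '0x2' = @{ Name = 'Exclude by Query';      Precedence = 3 }
    '0x6' = @{ Name = 'Exclude Group Members'; Precedence = 4 }
    '0x1' = @{ Name = 'Include by Query';      Precedence = 5 }
    '0x5' = @{ Name = 'Include Group Members'; Precedence = 6 }
}

# Hypothetical helper name; parses one edsaDGConditionsList value into rule objects
function ConvertFrom-DGConditionsList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$ConditionsList,
        [string]$GroupDN = ''
    )
    # One rule per bracketed block. The GUID segment cannot contain ';' or ']';
    # the parameter segment (an LDAP filter for 0x1/0x2) may contain ';' but not ']'.
    $pattern     = '\[(?<type>0x[1-6]);(?<guid>[^;\]]*);(?<param>[^\]]*)\]'
    $ruleMatches = [regex]::Matches($ConditionsList, $pattern)

    # Any characters not consumed by a match mean the value is not in the expected syntax
    $consumed = 0
    foreach ($m in $ruleMatches) { $consumed += $m.Length }
    if ($consumed -ne $ConditionsList.Length) {
        Write-Warning "edsaDGConditionsList for '$GroupDN' contains text outside the [type;guid;param] pattern"
    }

    foreach ($m in $ruleMatches) {
        $type   = $m.Groups['type'].Value
        $filter = $null
        if ($type -in '0x1', '0x2') { $filter = $m.Groups['param'].Value }
        [PSCustomObject]@{
            DynamicGroupDN = $GroupDN
            RuleType       = $type
            RuleName       = $RuleTypeInfo[$type].Name
            Precedence     = $RuleTypeInfo[$type].Precedence
            TargetGUID     = $m.Groups['guid'].Value   # target object, or search base OU for 0x1/0x2
            LDAPFilter     = $filter
        }
    }
}

# Constructed sample value: an include-by-query rule scoped to an OU, an include-group rule
# and an exclude-group rule. The GUIDs are placeholders, not real directory objects.
$sample = '[0x1;11111111-1111-1111-1111-111111111111;(&(objectCategory=person)(department=Finance))]' +
          '[0x5;22222222-2222-2222-2222-222222222222;]' +
          '[0x6;33333333-3333-3333-3333-333333333333;]'

ConvertFrom-DGConditionsList -ConditionsList $sample -GroupDN 'CN=Finance-Dynamic,OU=Groups,DC=example,DC=com' |
    Sort-Object Precedence |
    Format-Table Precedence, RuleName, TargetGUID, LDAPFilter -AutoSize
```

To run this against real groups, add 'edsaDGConditionsList' to the -IncludedProperties list in the Get-QADGroup call from the first answer and pass each group's edsaDGConditionsList value together with its DN; the objects pipe straight into Export-Csv. Sorting by precedence is what makes the output reviewable: a broad include-by-query filter sits at the bottom, so you can see at a glance which explicit or group-based excludes (if any) bound it.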