Extract active Users from Microsoft AD group using LDAP

For one of my projects I needed a script that retrieves a list of active users who are members of a specific group in Windows 2008 Active Directory using LDAP.

So we have a FreeBSD or Linux box and a Windows Active Directory, we need a list of users who are members of a specific group, and we have access to LDAP. The main problem was that there were nested groups inside it, so it was not possible to do it with ldapsearch and parameters alone. The next problem was that I needed my list in the form username@DOMAIN, and of course, finally, this string should not be less than 20 characters. Easy job?

And this is what I made for this need:

#!/usr/local/bin/bash

### Exclusion group and file name must be listed before the group that uses them
GROUP=(     "Unlimited Internet" "Extended Exclusions" "Extended Internet" "Limited Internet" )
FILENAME=(  "unlimited"          "ext_exclusions"      "extended"          "limited" )
EXCLUSIONS=("no"                 "no"                  "ext_exclusions"    "no" )

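# Note: -w puts the bind password on the command line, where other local users
# can see it in the process list; ldapsearch -y <file> reads it from a file instead.
options="-LLL -D ITSOL\ldap_user -w pass"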
totalg=${#GROUP[*]}
totalf=${#FILENAME[*]}

if [ $totalg -ne $totalf ]
then
    echo "Error - different count in arrays!"
    exit 1
fi

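# Append the groups nested directly inside group DN $1 to $2.grp2.
# The sed expression joins folded LDIF lines (continuations start with a space).
function groups_from_group {
    ldapsearch $options "(&(objectClass=group)(memberof=$1))" primaryGroupToken | sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | grep -v "#" | grep -v "^$" >> "$2.grp2"
}

# Append the enabled users of every group listed in $1.grp to the file $1.
# The userAccountControl bit test (:=2) excludes disabled accounts.
function get_all_members {
    # Users that have the group as their primary group
    grep primaryGroupToken: "$1.grp" | sed "s/primaryGroupToken: //g" | while read -r line
        do
            filter="(&(objectClass=user)(primarygroupid=$line)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
            ldapsearch $options "$filter" userPrincipalName | grep @itsol.biz | sed "s/itsol.biz/ITSOL.BIZ/g" | cut -d ' ' -f 2 >> "$1"
        done
    # Direct members; read -r keeps the backslashes that escaped DNs contain
    grep dn: "$1.grp" | sed "s/dn: //g" | while read -r line
        do
            ldapsearch $options "(&(objectClass=user)(memberof=$line)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" userPrincipalName | grep @itsol.biz | sed "s/itsol.biz/ITSOL.BIZ/g" | cut -d ' ' -f 2 >> "$1"
            groups_from_group "$line" "$1"
        done
}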


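for (( i = 0; i < totalg; i++ ))
do
    # Start from empty files so entries from an earlier run are not carried over
    : > "${FILENAME[$i]}"
    rm -f "${FILENAME[$i]}.grp2"
    ldapsearch $options "(&(objectClass=group)(cn=${GROUP[$i]}))" primaryGroupToken | sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | grep -v "#" | grep -v "^$" > "${FILENAME[$i]}.grp"
    get_all_members "${FILENAME[$i]}"
    # Walk one nesting level per pass until no new groups are found.
    # Note: groups nested in a circle (A in B, B in A) never leave .grp2 empty.
    index=0
    while [ $index == 0 ]
    do
        if [ -s "${FILENAME[$i]}.grp2" ]
          then
            mv "${FILENAME[$i]}.grp2" "${FILENAME[$i]}.grp"
            get_all_members "${FILENAME[$i]}"
        else
            index=1
            rm -f "${FILENAME[$i]}.grp" "${FILENAME[$i]}.grp2"
            sort -f "${FILENAME[$i]}" | uniq > "${FILENAME[$i]}.s"
            mv -f "${FILENAME[$i]}.s" "${FILENAME[$i]}"
        fi
    done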

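# Changing usernames to pre-2000 format - at most 20 characters in username.
# sort -u afterwards: truncation can create duplicates, and comm below needs plainly sorted input.
    cut -d @ -f 1 "${FILENAME[$i]}" | cut -c1-20 | sed -e 's/$/@ITSOL.BIZ/' | sort -u > temp
    mv temp "${FILENAME[$i]}"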

    if [ ${EXCLUSIONS[$i]} != "no" ]
    then
        comm -23 ${FILENAME[$i]} ${EXCLUSIONS[$i]} > ${FILENAME[$i]}.tmp
        mv ${FILENAME[$i]}.tmp ${FILENAME[$i]}
        rm ${EXCLUSIONS[$i]}
    fi

done

After running this script you will get 3 files, unlimited, extended and limited, containing the lists of users who are members of the groups “Unlimited Internet”, “Extended Internet” and “Limited Internet” in our Microsoft AD. It is possible to exclude a certain group, as in extended: this means all members of “Extended Internet” without the members of the “Extended Exclusions” group. Note: the exclusion group must be listed in the array before the group which will be reduced.
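
The script places each group DN returned by ldapsearch straight into the next filter as (memberof=$line), which breaks when a DN contains parentheses, an asterisk or a backslash. The following is an added example, not part of the original script, that escapes the DN per RFC 4515 before building the same filter; the function names and the two sample groups are constructed for illustration.

```bash
# Added example: escape a DN before it goes into an LDAP search filter.

# Escape a value for use inside a filter (RFC 4515):
# backslash first, then "*", "(" and ")".
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Same filter shape as the script above: enabled users that are direct
# members of the group whose DN is $1.
member_filter() {
    printf '(&(objectClass=user)(memberOf=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
        "$(ldap_escape "$1")"
}

# Read unfolded LDIF on stdin and print one filter per "dn: " line.
# read -r keeps the backslashes found in DNs such as "CN=Ops\, Night".
filters_from_ldif() {
    while IFS= read -r line; do
        case $line in
            "dn: "*) member_filter "${line#dn: }"; printf '\n' ;;
        esac
    done
}

# Constructed sample input (hypothetical groups, not from a real directory).
sample_ldif() {
    cat <<'EOF'
dn: CN=Sales (EU),OU=Groups,DC=itsol,DC=biz
primaryGroupToken: 1105

dn: CN=Ops\, Night*,OU=Groups,DC=itsol,DC=biz
primaryGroupToken: 1106
EOF
}

sample_ldif | filters_from_ldif
```

Each printed filter can be passed to ldapsearch as a single quoted argument in place of the inline filter string.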

That is all.
