If you need to quickly get a handle on how many members each group in your domain or forest has, here is a quick and dirty method of generating that information:
Retrieving information for a single domain:
adfind -default -f objectcategory=group member -csv -cv
Which would look like
C:\>adfind -default -f objectcategory=group member -csv -cv
"dn","member"
"CN=Administrators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","3"
"CN=Users,CN=Builtin,DC=testvn,DC=testvg,DC=loc","3"
"CN=Guests,CN=Builtin,DC=testvn,DC=testvg,DC=loc","2"
"CN=Print Operators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","0"
"CN=Backup Operators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","0"
<SNIP>
If you have a large environment you may need to add -t 0 to disable an LDAP timeout.
This could also be done by specifying the domain, or even a container somewhere within a given domain, via the -b switch, such as -b dc=testvn,dc=testvg,dc=loc instead of -default (which is a shortcut or alias for “Look up the default domain DN and use it”), or by specifying a specific domain name via the host switch, such as -h testvn.testvg.loc
Note that primary group membership is maintained in a different manner and will not be reported this way. See the primaryGroupID attribute on a user object for this info.
If you need this information for an entire forest, you can use a for /f loop to execute a command similar to the one above for every domain.
for /f %i in ('adfind -sc domainlist') do @adfind -h %i -default -f objectcategory=group member -csv -cv -nocsvheader
That would produce commands like
adfind -h testvg.loc -default -f objectcategory=group member -csv -cv -nocsvheader
adfind -h testvn.testvg.loc -default -f objectcategory=group member -csv -cv -nocsvheader
You will note the use of -nocsvheader. That switch turns off the header so it isn’t repeated for every domain, which gives you cleaner CSV output.
Alternately, if you would like the output for each domain to go to its own individual text CSV file, you could do something like
for /f %i in ('adfind -sc domainlist') do @adfind -h %i -default -f objectcategory=group member -csv -cv >%i.csv
Which would look like:
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -h %i -default -f objectcategory=group member -csv -cv >%i.csv
C:\>dir *.csv
Volume in drive C has no label.
Volume Serial Number is 2C39-AD1C
Directory of C:\
10/05/2012 11:10 AM 2,085 testvg.loc.csv
10/05/2012 11:10 AM 2,269 testvn.testvg.loc.csv
2 File(s) 4,354 bytes
0 Dir(s) 10,312,482,816 bytes free
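An added example, not part of the original post: a Python script that reads the CSV produced by the commands above (with or without header rows), derives each group's domain from the DC= components of its DN, and reports empty and largest groups per domain. The function names and the testvg.loc sample rows are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the page's "dn","member" format. The testvg.loc rows are
# invented for illustration; one header row is left in to show it is skipped.
SAMPLE = '''"dn","member"
"CN=Administrators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","3"
"CN=Print Operators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","0"
"CN=Administrators,CN=Builtin,DC=testvg,DC=loc","5"
"CN=Ops\\, Tier 0,CN=Users,DC=testvg,DC=loc","12"
'''

# A DC= component follows an unescaped comma; "\," inside a name is not a separator.
DC_RE = re.compile(r"(?<!\\),DC=([^,]+)", re.IGNORECASE)

def domain_of(dn):
    """Build the DNS domain name from the DC= components of a DN."""
    return ".".join(DC_RE.findall(dn)).lower()

def parse_counts(text):
    """Return (dn, member_count) pairs, ignoring header rows and non-data lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == 2 and rec[1].isdigit():
            rows.append((rec[0], int(rec[1])))
    return rows

def summarize(rows, top=3):
    """Per domain: number of groups, empty groups, and the largest groups."""
    by_domain = defaultdict(list)
    for dn, count in rows:
        by_domain[domain_of(dn)].append((count, dn))
    report = {}
    for domain, groups in by_domain.items():
        groups.sort(key=lambda g: (-g[0], g[1]))  # largest first, then by DN
        report[domain] = {
            "groups": len(groups),
            "empty": [dn for count, dn in groups if count == 0],
            "largest": [(dn, count) for count, dn in groups[:top]],
        }
    return report

if __name__ == "__main__":
    for domain, info in sorted(summarize(parse_counts(SAMPLE)).items()):
        print(domain, info["groups"], "groups,", len(info["empty"]), "empty")
        for dn, count in info["largest"]:
            print(f"  {count:>6}  {dn}")
```

As with the adfind output it reads, these counts do not include primary group membership.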