How to view information for domain groups from the command line with just core Windows utilities

Tags: active-directory, command-line-interface, windows 7

I'm familiar with using the NET commands to get information for local users and groups in most scenarios. However, I'm running into a problem using it to get information for domain groups with long names. The output of NET USER appears to cap group names at around 20 characters, and I haven't found a way to use NET GROUP to get information about any groups that have names longer than that.

Certainly, from my own workstation I can use Remote Server Administration Tools utilities (e.g.: "ds…" commands, or the Active Directory module in PowerShell) to get the information I need. However, I also want to be able to look up domain group details from other systems which might not have RSAT and on which I may not be able/allowed to install additional tools.

While solving the problem with the NET GROUP command would be interesting, I'm not necessarily limited to that tool. However, I do need to limit myself to only the tools available in a core installation of the Windows 7 (or similar) operating systems so that I can easily port the solution across different computers where adding other tools might not be an option. If there's a way to do this with something like WMIC, or PowerShell without the additional RSAT modules, I'm definitely interested in hearing about it.

Example: "MyReallyLongDomainGroupName" is a member of the local Admins group. So, who has admin access to the system? Or "AnotherVerboseDomainGroupName" is in some file share permissions – who has access to that share?

Best Answer

The old NET command still has limitations from the Windows NT era that it was created in. To handle longer names you're better off using the various ds... commands (dsquery, dsmod, etc.), or third-party tools like adfind. You won't have name length limitations there.

Edit:

The ds tools are standalone EXEs that, while present in RSAT, can be freely copied around. Even so, because I want to honor the spirit of your request, here's a PowerShell script that relies on the ADSI interface (present in Windows w/o requiring RSAT to be installed -- it's a base OS component) that will enumerate the membership of a group.

# IADsNameTranslate constants
$ADS_NAME_INITTYPE_GC = 3   # ADS_NAME_INITTYPE_GC: bind to the global catalog
$DISTINGUISHEDNAME = 1      # ADS_NAME_TYPE_1779: LDAP distinguished name
$DOMAINSIMPLE = 5           # ADS_NAME_TYPE_DOMAIN_SIMPLE (unused here)
$UNKNOWN = 8                # ADS_NAME_TYPE_UNKNOWN: let ADSI work out the input format

if ($args.count -ne 1) { "`nUsage: ./GroupEnum.ps1 <DOMAIN\groupName>`n"; Exit; }

# NameTranslate has no PowerShell type adapter, so its methods are called late-bound via InvokeMember
$ns = New-Object -ComObject NameTranslate

[System.__ComObject].InvokeMember("Init", "InvokeMethod", $null, $ns, ($ADS_NAME_INITTYPE_GC, $null))
[System.__ComObject].InvokeMember("Set", "InvokeMethod", $null, $ns, ($UNKNOWN, $args[0]))
$dn = [System.__ComObject].InvokeMember("Get", "InvokeMethod", $null, $ns, $DISTINGUISHEDNAME)

# Bind to the group by its DN and print the sAMAccountName of each direct user member
# (nested groups are not expanded)
$Group = [ADSI]"LDAP://$dn"
if ($Group.SchemaClassName -eq "group") {
    $Group.Member | ForEach-Object {
        $x = [ADSI]"LDAP://$_"
        if ($x.SchemaClassName -eq "user") { $x.sAMAccountName }
    }
}

I tested this with a limited user account on a Windows 7 x64 SP1 machine w/ no RSAT installed. I tested with a group named "123456789012345678901234567890123456789012345678901234567890", as well.

There's absolutely no error checking in this script.
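The answer's script lists only the group's direct user members, which does not settle the question's "who has admin access" case when the group contains other groups. As an added example that is not the answer author's code, the same RSAT-free ADSI approach extended to walk nested groups and stop on membership loops; the function names and the DOMAIN\group value are placeholders.

```powershell
# Added example, not from the original answer. Recursively enumerates the users of a
# domain group through ADSI only (no RSAT). Usage: .\Get-NestedGroupUsers.ps1 "CONTOSO\SomeGroup"
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupName   # DOMAIN\groupName, e.g. "CONTOSO\MyReallyLongDomainGroupName" (placeholder)
)

# IADsNameTranslate constants
$ADS_NAME_INITTYPE_GC  = 3   # bind to the global catalog
$ADS_NAME_TYPE_1779    = 1   # output as an LDAP distinguished name
$ADS_NAME_TYPE_UNKNOWN = 8   # let ADSI detect the input name format

# Hypothetical helper: DOMAIN\name -> distinguished name via the NameTranslate COM object
function Resolve-GroupDn([string]$Name) {
    $nt = New-Object -ComObject NameTranslate
    [System.__ComObject].InvokeMember("Init", "InvokeMethod", $null, $nt, ($ADS_NAME_INITTYPE_GC, $null))
    [System.__ComObject].InvokeMember("Set",  "InvokeMethod", $null, $nt, ($ADS_NAME_TYPE_UNKNOWN, $Name))
    [System.__ComObject].InvokeMember("Get",  "InvokeMethod", $null, $nt, $ADS_NAME_TYPE_1779)
}

# Hypothetical helper: depth-first walk of the member attribute. $Seen holds every group DN
# already visited so that A -> B -> A nesting terminates instead of recursing forever.
function Get-NestedGroupUsers {
    param([string]$GroupDn, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($GroupDn)) { return }          # already expanded: loop or duplicate nesting
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.member)) {
        # A forward slash inside a DN must be escaped as \/ in an ADsPath
        $m = [ADSI]("LDAP://" + ($memberDn -replace '/', '\/'))
        switch ($m.SchemaClassName) {
            'user'  { [string]$m.sAMAccountName }
            'group' { Get-NestedGroupUsers -GroupDn $memberDn -Seen $Seen }
        }
    }
}

$dn   = Resolve-GroupDn $GroupName
$seen = New-Object 'System.Collections.Generic.HashSet[string]'
Get-NestedGroupUsers -GroupDn $dn -Seen $seen | Sort-Object -Unique
```

Members that are neither users nor groups (computers, contacts, foreign security principals from trusted domains) are skipped, so they need separate handling if the audit must account for them. Very large groups return the member attribute in ranges of 1500 values by default, which this simple binding does not page through.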