[APOC]

I wan't some specific rules for different gpo's, if I use: "gpresult /r /scope user" I get to see which GPO's (security groups) are active. Now how can I filter some of these active GPO's to my batch file?
This is part of the outcome from my gpresult:

Code:

    De gebruiker is lid van de volgende beveiligingsgroepen
          Domain Users
          Iedereen
          SophosAdministrator
          SophosUser
          BUILTIN\Administrators
          Gebruikers
          INTERACTIEF
          AANMELDEN OP DE CONSOLE
          Geverifieerde gebruikers
          Deze organisatie
          LOKAAL
          Iedereen
          GS_08_cv's
          Tekenkamer
          GS_03_verslagen_openbaar
          GS_07_overeenkomsten
          GS_01_facturen
          GS_04_Functieprofielen
          GS_00_documenten
          AEC
          GS_02_functioneringsgesprekken
          GS_06_offertes
          GS_05_Arbeidsovereenkomsten
          GS_09_ aanbevelingsbrieven
          GS_03_verslagen_beperkt
          Systeembeheer
          Hoog verplicht niveau

I know I can search for a specific name (string?) with findstr, i.e.

Code:

    gpresult /r /scope user | findstr /L /i "SysteemBeheer" > nul 2>&1
    REM *alternative* gpresult /r /scope user | FIND /i "SysteemBeheer" > nul 2>&1
    IF %ERRORLEVEL% EQU 0 (ECHO Sys.Beheer) ELSE ECHO NO.sys.beheer

But how can I change it so multiple lines being read?

i.e. (borrowed some code just for example)

Code:

    systeminfo | find "Microsoft Windows" > %TEMP%\osname.txt
    FOR /F "usebackq delims=: tokens=2" %%i IN (%TEMP%\osname.txt) DO set vers=%%i
    
    echo %vers% | find "Windows 7" > nul
    if %ERRORLEVEL% == 0 goto ver_7
    
    echo %vers% | find "Windows Server 2008" > nul
    if %ERRORLEVEL% == 0 goto ver_2008
    
    echo %vers% | find "Windows Vista" > nul
    if %ERRORLEVEL% == 0 goto ver_vista
    
    goto warnthenexit

I mean this does search for multiple variables I hope to some how find multiple Security Groups (GPO's) from the gpresult function (or perhaps a better way?)

I'd like it to do something like this, if systeembeheer exist do blaat1, if aec exist do blaat2, if tekenkamer exist do blaat3, BUT multiple GPO's can exists SO the script/search must not stop if 1 of the above does exist, it still has to "look" (search) further if one of the other(s) also exist.

***Perhaps a little more like this?

Code:

    @echo off
    CLS
    setlocal enabledelayedexpansion
    
    for %%i in (systeembeheer tekenkamer aec) do (
        gpresult /r /scope user | findstr /L /i %%i
        if errorlevel 0 if not errorlevel 1 echo %%i ok process found !errorlevel!
        if errorlevel 1 if not errorlevel 2 echo %%i no process found !errorlevel!
    )
    
    :exit
    pause

AND changed it a litte:

Code:

    @ECHO OFF
    CLS
    SETLOCAL ENABLEEXTENSIONS
    SETLOCAL ENABLEDELAYEDEXPANSION
    
    for %%i in (SysteemBeheer Administratie PersoneelsZaken TeamPlan) do (
        gpresult /r /scope user | findstr /L /i %%i > nul 2>&1
        if errorlevel 0 if not errorlevel 1 Set "GPO_%%i=True"
        if errorlevel 1 if not errorlevel 2 Set "GPO_%%i=False"
    REM if errorlevel 0 if not errorlevel 1 echo %%i ok process found !errorlevel! *debug lines*
    REM if errorlevel 1 if not errorlevel 2 echo %%i no process found !errorlevel! *debug lines*
    )
    
    if "%GPO_systeemBeheer%" == "True" (Echo GPO_SysteemBeheer=%GPO_systeemBeheer%) else Echo GPO_SysteemBeheer Not Found!
    if "%GPO_Administratie%" == "True" (Echo GPO_Administratie=%GPO_Administratie%) else Echo GPO_Administratie Not Found!
    if "%GPO_PersoneelsZaken%" == "True" (Echo GPO_PersoneelsZaken=%GPO_PersoneelsZaken%) else Echo GPO_PersoneelsZaken Not Found!
    if "%GPO_TeamPlan%" == "True" (Echo GPO_TeamPlan=%GPO_TeamPlan%) else Echo GPO_TeamPlan Not Found!
    
    :exit
    echo.
    echo.
    PAUSE

This does seem to do what I want, bu i'm not sure if it's the best way or the right way to do it ???

[APOC]

Does anyone know if the last piece of script is the best way to do it, or is there a better / more efficient way perhaps?

[Rems]

Quote:

Originally Posted by APOC

[...] I hope to some how find multiple Security Groups (GPO's) from the gpresult function...
[...] Does anyone know if the last piece of script is the best way to do it, or is there a better / more efficient way perhaps?

I notice that your batch is running already 4x a gpresult.exe command here in this script. That does make the batch run very slow!

You could also fire the command only once in the script by using a For statement - then search in every token for a phrase using each name separately from the list of the provided group names. Actually that will be a For-Do loop within a For-Do loop.

Secondly, a command that also returns the user's security group memberships is the command: net.exe user /domain %username%
While the Net.exe command is running much faster than doing a gpresult.exe. The limitation when using this command is however that the result will only show the first 21 characters of each of the group names.



_

Quote:

Originally Posted by APOC

I'd like it to do something like this, if systeembeheer exist do blaat1, if aec exist do blaat2, if tekenkamer exist do blaat3, BUT multiple GPO's can exists SO the script/search must not stop if 1 of the above does exist, it still has to "look" (search) further if one of the other(s) also exist.

In the batch make use of Calling labels instead of creating boolean variables for each group, it will make things easier (at first the code may look very complicated, but when used to it you'll find that it is much easier this way to read the code and for editing groupnames later on). Unlike the statement Goto :labelname a Call :labelname will return to the last position in the batch from where the label was called when this "subroutine" has ended (exit /b).

Code:

@echo off

:create a list of groups (assign each group a unique :label_number)
Set "Groups="
call :define_Groups   :01 "Systeembeheer"
call :define_Groups   :02 "AEC"
call :define_Groups   :03 "Tekenkamer"
 goto:begin

+----------------------------------------------------------------------+
   When the user is a Member Of,     (sub routines)

   :01 "Systeembeheer"
     echo.user is a member of the security group: "%*"
     ::\
         exit /b 0

   :02 "AEC"
     echo.user is a member of the security group: "%*"
     ::\
         exit /b 0

   :03 "Tekenkamer"
     echo.user is a member of the security group: "%*"
     ::\
         exit /b 0
+----------------------------------------------------------------------+

:begin
:: retrieve user's group memberships
For /f "tokens=* delims=*" %%* in (
   'net.exe user /domain %username% ^| findstr /c:" \*"'
   ) do (

   rem # now search in every token for a phrase using each name 
   rem # separately from the list of the provided group names.,
   for %%! in (%Groups%) do call:compare "*%%~!" "%%*"
   )

pause
:end


goto:EOF  + + +   sub routines   + + +
:compare
   set "testgroup=%~1"
   set "label=%testgroup:~23,2%"
   set "testgroup=%testgroup:~0,22%"
   set "string=%~2"
   echo.%string%|findstr /ic:"%testgroup%" >nul &&call:%label% %testgroup%
   exit /b 0

:define_Groups
   :: the number will be attached to the group. The number will be used in the batch for calling as sub routine when the user is a member of a matching group.

   :: because the net user command is used we have to cut
   :: or extend names to a fixed length of 21 characters long
   Set "testgroup=%~2                     " (adding 21 trailing spaces first)
   Set "testgroup=%testgroup:~0,21%%~1"    (then Trim. And additionally, appending the :number)

   if not defined groups (
     Set groups="%testgroup%") else (
     Set groups=%groups%, "%testgroup%")
   exit /b 0

_

final note: Why not simply using a vbs script for this? Making string comparing with a batch script is not always reliable, due to chacters in the string that could be wrongly interpreted by the batch.


/Rems

[APOC]

GREAT Tip(s)! Help! and Advice!

Really appreciated and helps me a lot and helps me understand it more and better and I'm really learning from this, GREAT SUPPORT!

I'll take a good look at this, thanks a lot and with kind regards, Tim.