Visio to Map Security Groups?

Started by jastronomy, October 24, 2010, 08:22:25 AM



Hello people,

I've been looking around for a while now to try and get this sorted, and this is all I can think of.

Story: at work, I use Active Directory security group nesting to deploy/control applications (via GPOs) to each client machine... best explained in this diagram I threw together:
(See attachment).
I use this inheritance in the following way: add a new machine object in AD to the Machine Group, and all apps are inherited; GPUPDATE and 2 or 3 reboots later, and that box has all the software it needs for that department. Pretty neat, eh?!?

The diagram is easy to draw manually for a relatively small set of groups. However, talking 80-100 groups, it gets complicated quite quickly.
- I use the Package group as a 'version control' layer.
- Classification group, as a 'collection area' for packages that are dependent and commonly put together.
- Logical machine groups are assigned Classes of products (yes, can be more than 1) to simplify the design.

Change Control Layer:
- Making changes to the Application and Package layer should be quick and easy.
- Package and Class layers, easy to do, but can affect a lot of machines.
- Class and Machine layer, and we could affect 1/4 of the company's computers and potentially cause ourselves big problems.

For the last reason, we need an up-to-date map, to know exactly where to make changes to have confidence that the change affects the right machines with the right software.

Do you know of any way of automating this mapping process for Active Directory security groups*?
*all groups follow a naming convention (App. / Package. / Class. / Machine.)

<fingers crossed>



ok, looks like this product can do what i wanted - wonder what it costs...

but, with a little vbs or c# code, the same could be accomplished i'm sure...

anyone got any code close to this?


Well, you have two components that have to be worked on. The first, of course, is building something to read from AD, and I'd start by going over to TechNet and check to see what scripts have already been written. The second is the creating of the document. The basic (no pun intended) code for most of this is in the Visio SDK. You might check this out also

and this




I like where you're pointing me here - :)

Given a lot more free time, I'd love to learn the C language and syntax and create a full console app like the "Microsoft Active Directory Topology Diagrammer" software, but for little things like Applications and Groups

The technet pages - got that lot, been using the VBS's there quite a bit for dynamic distribution lists based on fields
(customer service teams change around all the time - let them change their own team, and the email groups reflect the change the next day)

I'll probably start here:

Build me a CSV of groups and their parent names, and then pass the CSV into the orgwiz to get the desired outcome - will have to create a 'top of tree', but it's easily done.

will keep you all posted.
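
The CSV step described in the last post, sketched in PowerShell as an added example that is not code from any poster in this thread. It assumes the ActiveDirectory module (RSAT) is installed and that "parent" means a group the child is a direct member of; the `AllGroups` root name, the `Name`/`Reports_To` column names and the output path are hypothetical choices to be mapped in the org chart wizard.

```powershell
# Read-only: queries AD groups and writes a CSV; nothing in AD is modified.
Import-Module ActiveDirectory

$prefixes = 'App.', 'Package.', 'Class.', 'Machine.'  # naming convention from the thread
$root     = 'AllGroups'                               # hypothetical 'top of tree' node
$outFile  = '.\group-map.csv'                         # hypothetical output path

# Fetch every group once, keeping only those that follow the naming convention.
$groups = Get-ADGroup -Filter * -Properties memberOf | Where-Object {
    $n = $_.Name
    $prefixes | Where-Object { $n -like "$($_)*" }
}

# Index by distinguished name so memberOf values can be turned back into names.
$byDn = @{}
foreach ($g in $groups) { $byDn[$g.DistinguishedName] = $g.Name }

$rows = foreach ($g in $groups) {
    # Only count parents that are themselves part of the deployment hierarchy.
    $parents = @($g.memberOf |
        Where-Object { $byDn.ContainsKey($_) } |
        ForEach-Object { $byDn[$_] })

    if ($parents.Count -eq 0) {
        # No parent inside the hierarchy: hang the group off the synthetic root.
        [pscustomobject]@{ Name = $g.Name; Reports_To = $root }
    } else {
        foreach ($p in $parents) {
            [pscustomobject]@{ Name = $g.Name; Reports_To = $p }
        }
    }
}

# A tree layout has one parent per node, so list groups that would appear twice
# (for example a Machine group assigned more than one Class) for manual review.
$rows | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} has {1} parents: {2}" -f $_.Name, $_.Count,
        (($_.Group | ForEach-Object { $_.Reports_To }) -join ', '))
}

# Emit the root row first, then every child/parent edge.
@([pscustomobject]@{ Name = $root; Reports_To = '' }) + @($rows) |
    Export-Csv -Path $outFile -NoTypeInformation
```

Re-running it before a change to a Class or Machine group gives a current map to check the change against.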