Author Topic: Visio to Map Security Groups?  (Read 14636 times)

jastronomy

  • Jr. Member
  • **
  • Posts: 14
Visio to Map Security Groups?
« on: October 24, 2010, 03:22:25 AM »
Hello people,

I've been looking around for a while now to try and get this sorted, and this is all I can think of.

Story: at work, I use Active Directory security group nesting to deploy/control applications (via GPOs) to each client machine... best explained in this diagram I threw together:
(See attachment).
I use this inheritance in the following way: add a new machine object in AD; to the Machine Group; and all apps are inherited; GPUPDATE and 2 or 3 reboots later, and that box has all the software it needs for that department. Pretty neat, eh?!?

The diagram is easy to draw manually for a relatively small set of groups. However; talking 80-100 groups and it gets complicated quite quickly.
  • I use the Package group as a 'version control' layer.
  • Classification group, as a 'collection area' for packages that are dependant and commonly put together.
  • Logical machine groups are assigned Classes of products (yes can be more than 1) to simplify the design.

Change Control Layer:
  • Making changes to the Application and Package layer should be quick and easy.
  • Package and Class layers, easy to do, but can affect a lot of machines.
  • Class and Machine layer, and we could affect 1/4 of the company's computers and potentially cause ourselves big problems.
For the last reason; we need an up-to-date map, to know exactly where to make changes to have confidence that the change affects the right machines with the right software.

Do you know of any way of automating this mapping process of Active Directory security groups*?
*all groups follow a naming convention (App. / Package. / Class. / Machine.)


<fingers crossed>

aledlund

  • Hero Member
  • *****
  • Posts: 1412
Re: Visio to Map Security Groups?
« Reply #1 on: October 24, 2010, 08:23:10 AM »

jastronomy

  • Jr. Member
  • **
  • Posts: 14
Re: Visio to Map Security Groups?
« Reply #2 on: October 24, 2010, 09:47:51 AM »
Looking... downloading the demo..

jastronomy

  • Jr. Member
  • **
  • Posts: 14
Re: Visio to Map Security Groups?
« Reply #3 on: October 24, 2010, 10:42:44 AM »
OK, looks like this product can do what I wanted - wonder what it costs...

But, with a little VBS or C# code, the same could be accomplished, I'm sure...

Anyone got any code close to this?

aledlund

  • Hero Member
  • *****
  • Posts: 1412
Re: Visio to Map Security Groups?
« Reply #4 on: October 24, 2010, 09:39:55 PM »
Well, you have two components that have to be worked on. The first of course is building something to read from AD, and I'd start by going over to TechNet (http://gallery.technet.microsoft.com/scriptcenter/en-us/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=activedirectory&f%5B0%5D.Text=Active%20Directory) and checking to see what scripts have already been written. The second is the creating of the document. The basic (no pun intended) code for most of this is in the Visio SDK. You might check this out also

http://msdn.microsoft.com/en-us/library/bb245820(office.12).aspx

and this

http://www.microsoft.com/downloads/en/details.aspx?familyid=9c68cd52-bd83-430e-9d3d-78570acf8b92&displaylang=en

al

jastronomy

  • Jr. Member
  • **
  • Posts: 14
Re: Visio to Map Security Groups?
« Reply #5 on: October 26, 2010, 03:21:58 PM »
Al,

I like where you're pointing me here - :)

Given a lot more free time, I'd love to learn the C language and syntax and create a full console app like the "Microsoft Active Directory Topology Diagrammer" software, but for little things like Applications and Groups.

The TechNet pages - got that lot, been using the VBS's there quite a bit for dynamic distribution lists based on fields
(customer service teams change around all the time - let them change their own team, and the email groups reflect the change the next day).



I'll probably start here:
http://gallery.technet.microsoft.com/ScriptCenter/en-us/46071e64-729b-4c6b-8e2d-6d739fc09eb4

Build me a CSV of groups and their parent names, and then pass the CSV into the orgwiz to get the desired outcome - will have to create a 'top of tree', but it's easily done.

Will keep you all posted.
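
The CSV-of-groups-and-parents idea from the last post, as an added example that is not part of the thread or any poster's code: it turns a list of nesting edges into child/parent rows under a synthetic 'top of tree', and answers the change-control question of which Machine groups a change to a given group reaches. The sample edges, the nesting direction, the `AD.Groups` root name and the `Name`/`Reports_To` column headers are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: (group, group it is a member of). Names follow the
# thread's App. / Package. / Class. / Machine. convention; the nesting
# direction (Machine -> Class -> Package -> App) is an assumption.
EDGES = [
    ("Machine.Finance", "Class.Office"),
    ("Machine.Finance", "Class.Accounting"),
    ("Machine.Sales", "Class.Office"),
    ("Class.Office", "Package.Office.v2"),
    ("Class.Accounting", "Package.Ledger.v1"),
    ("Package.Office.v2", "App.Office"),
    ("Package.Ledger.v1", "App.Ledger"),
]
ROOT = "AD.Groups"  # synthetic 'top of tree' for groups with no parent (assumed name)


def build_index(edges):
    """Return (parents, members) adjacency maps from member/parent pairs."""
    parents, members = defaultdict(set), defaultdict(set)
    for child, parent in edges:
        parents[child].add(parent)
        members[parent].add(child)
    return parents, members


def to_csv(edges, root=ROOT):
    """One Name,Reports_To row per nesting edge; parentless groups hang off root."""
    parents, members = build_index(edges)
    groups = set(parents) | set(members)
    rows = [(g, p) for g in sorted(groups) for p in sorted(parents[g] or {root})]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerows([("Name", "Reports_To"), (root, "")] + rows)
    return out.getvalue()


def affected_machines(group, edges, prefix="Machine."):
    """Machine groups that are direct or nested members of `group`."""
    _, members = build_index(edges)
    seen, stack = set(), [group]
    while stack:  # iterative walk; `seen` stops loops in circular nesting
        for child in members.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(g for g in seen if g.startswith(prefix))
```

A group that is a member of several parents appears once per parent in the CSV, so a diagramming tool that expects a strict tree may need those rows handled separately.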