Export AD group membership to a file

When I put in a network license server for AutoCAD a couple of years ago, the challenge was not the installation but enabling the management to be done by others. Autodesk uses FLEXlm, which is lightweight and uses a text file to define the options. Users who are able to use the software or a feature are listed by username in the text file. However, logging on to a server and editing text files is not something you want a Service Desk doing.

As we already use Active Directory for user management, why not use it to control who can log on and borrow a license? All you need is an automated way to export members of a group to a (correctly structured) text file. There are lots of ways of doing this, but after a couple of years I have settled on the following.

To export the members of a group I have used the walk method in the active_directory module. This works the same way as os.walk in that it recursively walks through the groups from the given root group. We can then process the list of users returned in each tuple to get the username (or sAMAccountName, as it is referred to in AD). As it is plausible the same user may appear more than once, I have used a set to store the users; if the same user appears in groups further down the tree they will be silently ignored.

Just writing this out in a file is not enough; the file must be structured in a way the license manager will understand. For this I will use a template file and the sub method from the regular expression (re) module. I’ve created a separate blog post on how this works. This will replace any occurrence of AD{group_name} with the members of that group.

Finally, you need to be able to tell the license manager that the options have been changed. This will be dependent on the license manager; FLEXlm allows you to do this by running lmutil from the command prompt. To do this in Python you can use the subprocess module, which I’ll cover in the next post.

If you are still awake after reading that, try out the example program. If you are in a domain, just change the group name to one that exists and you will see the results. In reality the template file would be a text file read by the script, but in the example file I’ve embedded it in a variable. I’ve used three groups: one for people who can run the program, another for a list of users who can loan a license, and a group for IT so they can test the software runs.
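The following is an added sketch of the walk, set and re.sub steps described above, not the author's original program. So that it runs without a domain, the directory is a constructed dictionary standing in for the active_directory module; the group names, the feature name, the username allow-list and the helper names are all assumptions. Because the rendered file decides who gets a license, it refuses unknown groups and usernames that would not be a single token in the options file.

```python
import re

# Constructed stand-in for AD: group -> (nested groups, member sAMAccountNames).
# On a domain this data would come from active_directory's walk instead.
GROUPS = {
    "ACAD_Users": (["ACAD_Design"], ["asmith", "bjones"]),
    "ACAD_Design": (["ACAD_Users"], ["bjones", "cwu"]),  # nested back: a cycle
    "ACAD_Borrow": ([], ["asmith"]),
    "ACAD_IT": ([], ["svc test"]),  # malformed on purpose
}

# Constructed template; EXAMPLE_FEATURE is a placeholder feature name.
TEMPLATE = """GROUP users AD{ACAD_Users}
GROUP borrowers AD{ACAD_Borrow}
INCLUDE EXAMPLE_FEATURE GROUP users
INCLUDE_BORROW EXAMPLE_FEATURE GROUP borrowers
"""

# Assumed conservative allow-list: no whitespace, so one name is one token.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,20}")


def walk(root, seen=None):
    """Yield (group, subgroups, users) from root downwards, visiting each group once."""
    seen = set() if seen is None else seen
    if root in seen:
        return
    seen.add(root)
    subgroups, users = GROUPS[root]  # KeyError for an unknown group: fail closed
    yield root, subgroups, users
    for sub in subgroups:
        yield from walk(sub, seen)


def members(group):
    """Return the sorted, de-duplicated usernames under a group."""
    users = set()
    for _, _, names in walk(group):
        for name in names:
            if not SAFE_NAME.fullmatch(name):
                raise ValueError(f"unsafe username {name!r} in {group}")
            users.add(name)
    return sorted(users)


def render(template):
    """Replace each AD{group_name} marker with that group's members."""
    return re.sub(r"AD\{([^}]+)\}", lambda m: " ".join(members(m.group(1))), template)


if __name__ == "__main__":
    print(render(TEMPLATE))
```

When writing the result to disk, render to a temporary file and replace the live options file only if rendering succeeded, so a failed export leaves the previous file in place.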

