Tutorial for Enumerating Users in a Group with VBScript
This page will show you how to list all the members of a group. By group, I mean the Global, Domain Local
and Universal Groups found in Active Directory. Feel free to adapt my examples to enumerate groups in your Windows Server 2003 domain.
Topics for Discovering which Users are in Group with VBScript
Part of the reason why groups are so tricky is the sheer number
of different VBScript techniques that you can apply to the group object. This page is all about listing members or enumerating. Incidentally, I love that first syllable - enuuuum.
Before we start scripting, let us pay attention to detail and examine the two relevant tabs in Active Directory Users and Computers. The first tab is called Members and it means, 'who is in this group'. The second tab is Member Of; this lists not users, but other groups to which the selected group belongs. It really is worth mastering this difference between Members (plural) and Member Of (singular).
This script employs the GetEx method to interrogate the members attribute of the Administrators group. Perhaps Members array would be a more descriptive term; in any case, the technique involves looping through the 'Members' field, listing the users.
Whenever you want to discover more about these LDAP properties, launch ADSI Edit.
Prerequisites
I recommend that you log on as administrator, preferably at a domain controller. Alternatively, try Remote Desktop. If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?
Let us start with some easy successes.
Instructions for Listing the Administrators
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Save the file with a .vbs extension, for example: GroupEnum.vbs.
Double click GroupEnum.vbs and check the strOU for your new group.
Sample Script to Discover who is a Member of the Administrators Group
Script corrected August 2005. Line 12 now says: strContainer= "cn=administrators,cn=Builtin"
' GroupEnum.vbs
' VBScript to discover who is a member of the Administrators Group
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 August 2005
' ----------------------------------------------------------'
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objRootDSE
Dim arrMemberOf

' Bind to Active Directory
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each .... Next
WScript.Echo "Members of Group " & strContainer
For Each strMember In arrMemberOf
   WScript.Echo strMember
Next
Note 1: The crucial feature of this script is: arrMemberOf = objGroup.GetEx("member"). Normally it would be plain Get("member"). However, since we are dealing with an array, we must get the extended or expanded list, hence GetEx, not Get.
Note 2: Observe how the 'For... Next' loop is also extended to, 'For Each .... Next'. Or to be accurate the construction is 'For Each.... in ...Next'. The reason for the extra command is that we are dealing with not one, but a collection of members in the Administrators group.
Note 3: After case sensitive problems with 'user', (in other scripts), I can report that here, 'member' or 'MEMBERS' are equally effective. Neither produces an error.
Note 4: However, beware of spaces: "Member " does not work; it should be "Member".
This script achieves the same result, but displays the names more clearly by removing the dc=domain clutter.
Script corrected August 2005. Line 12 now says: strContainer= "cn=administrators,cn=Builtin"
' GroupEnum2.vbs
' VBScript to discover who is a member of the Administrators
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.4 August 2005
' ----------------------------------------------------------'
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objRootDSE
Dim arrMemberOf, strList, arrGroup

' Bind to Active Directory
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each .... Next
WScript.Echo "Members of Group " & strContainer
For Each strMember In arrMemberOf
   ' Drop the leading "CN=" and keep only the text before the first comma
   strMember = Mid(strMember, 4, 330)
   arrGroup = Split(strMember, ",")
   strList = strList & arrGroup(0) & vbCr
Next

' Display the list of names built up in the loop
WScript.Echo strList
John says: "I'm using this to enable scheduled tasks. I spent a fair bit of time trying to figure how to do this my way."
Guy says: "Never miss the chance of learning by studying two different methods of achieving the same goal".
'John Wagner
'20081229
'Sample Script to Detect membership of user object and computer object in AD group.

'Connect to AD
Set objSysInfo = CreateObject("ADSystemInfo")

'Get LDAP entry for current user.
strUserDN = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUserDN)
'WScript.Echo "Current User is " & strUserDN 'Sanity Check

'Get LDAP entry to current computer object.
strComputerDN = objSysInfo.ComputerName
Set objComputer = GetObject("LDAP://" & strComputerDN)
'WScript.Echo strComputerDN 'Sanity Check

'Bind objGroup to LDAP entry for an AD group.
Set objGroup = GetObject("LDAP://cn=TestGroup,ou=Administrative,ou=Users-DAS,dc=das,dc=ohioad,dc=local")

'Check AD Group for user member.
If objGroup.IsMember(objUser.AdsPath) = True Then
   WScript.Echo strUserDN & " is a member of the AD group."
Else
   WScript.Echo strUserDN & " is NOT a member of the AD group."
End If

'Check AD Group for computer member
If objGroup.IsMember(objComputer.AdsPath) = True Then
   WScript.Echo strComputerDN & " is a member of the AD Group."
Else
   WScript.Echo strComputerDN & " is NOT a member of the AD Group."
End If
This script lists the membership of the Administrators group. The key attribute is "Member". The key to understanding what the script does is to investigate the User's Member and Member Of tabs and compare them with your script commands.
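Going one step beyond the scripts above, this added example (not from the original page or its authors) follows the member attribute recursively, because an entry in Administrators can itself be a group (Domain Admins is one by default) whose members hold the same rights. It also traps the error that GetEx raises when a group has no members. The file name GroupEnumNested.vbs, the ListMembers sub and the dictSeen dictionary are names assumed here.

```vbscript
' GroupEnumNested.vbs (added example; file name and helper names are assumptions)
' Lists direct and nested members of the Builtin Administrators group
Option Explicit
Dim objRootDSE, strDNSDomain, strGroupDN, dictSeen

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strGroupDN = "cn=Administrators,cn=Builtin," & strDNSDomain

' Groups already visited; prevents an endless loop when groups nest circularly
Set dictSeen = CreateObject("Scripting.Dictionary")
dictSeen.CompareMode = vbTextCompare

WScript.Echo "Effective members of " & strGroupDN
ListMembers strGroupDN, ""

Sub ListMembers(strDN, strIndent)
   Dim objGroup, objMember, arrMembers, strMember
   If dictSeen.Exists(strDN) Then Exit Sub
   dictSeen.Add strDN, True

   Set objGroup = GetObject("LDAP://" & strDN)

   ' GetEx raises an error when the member attribute holds no values,
   ' so trap it rather than letting the script stop on an empty group
   On Error Resume Next
   arrMembers = objGroup.GetEx("member")
   If Err.Number <> 0 Then
      Err.Clear
      On Error GoTo 0
      WScript.Echo strIndent & "   (no direct members)"
      Exit Sub
   End If
   On Error GoTo 0

   For Each strMember In arrMembers
      Set objMember = GetObject("LDAP://" & strMember)
      WScript.Echo strIndent & "   " & objMember.Class & ": " & strMember
      ' A member that is itself a group passes its rights to its own members
      If LCase(objMember.Class) = "group" Then
         ListMembers strMember, strIndent & "   "
      End If
   Next
End Sub
```

Run it with cscript so each line goes to the console instead of a separate message box. Accounts that hold a group only as their primary group are not stored in the member attribute and will not appear in this listing.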