Tutorial for Enumerating All Groups that a User is a memberOf
This page will show you how to list all the groups that a user is a memberOf. My examples enumerate the groups to which the Administrator belongs; however, you could adapt the scripts for any Active Directory account.
There are a remarkable number of techniques, methods and properties for handling Active Directory groups. However, this page has a clear goal: to display all of the groups held by the memberOf attribute.
One special feature of the second example is the way that VBScript finds and then displays the user's primary group. Surprisingly, finding the primary group turned out to be the most difficult part of the mission.
Along the journey to display the user's groups, this script employs two lesser known scripting methods, Split and GetEx. A tiny point, but the key property is spelt memberOf not memberSof.
The idea is to build the DN (Distinguished name) string for the Administrator, then to Get(Object) from Active Directory and finally to loop through all the memberOf groups.
Prerequisites
I recommend that you are logged on as administrator, preferably at a domain controller. Alternatively, try Remote Desktop. If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?
Let us start with some easy successes.
Instructions for Discovering who the Administrator is a memberOf
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Save the file with a .vbs extension, for example: memberOf.vbs.
Double click memberOf.vbs and check the message box to see the groups that the strUser is a memberOf.
Script to discover which group the Administrator is a memberOf
' UsermemberOf.vbs
' To list the groups to which the administrator is a memberOf
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.3 - May 2005
' ---------------------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objmemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strUser ="cn=Administrator,"
strOU ="CN=Users,"
strLDAP ="LDAP://" & strUser & strOU & strDNSDomain
Set objUser = GetObject(strLDAP)

' Heart of the script, extract a list of Groups from memberOf
' GetEx returns the multi-valued attribute as an array
' (it raises an error if memberOf has no values)
objmemberOf = objUser.GetEx("memberOf")
For Each objGroup in objmemberOf
   strList = strList & objGroup & vbCr
Next

WScript.Echo "Groups for " & strUser & vbCr & strList
Note 1: The first section of the VBScript prepares the ground by explaining the purpose and declaring the variables. In the central portion, VBScript carefully builds the LDAP path to the Administrator. At the heart of the script is the .GetEx method, which extracts the group information from the memberOf property.
Note 2: Often a user will be a member of several groups, so we need a loop, which is supplied by the For Each ...Next construction.
Note 3: In the background, the strList variable stores all the groups and, thanks to vbCr, separates them with a carriage return.
Note 4: Strangely, the Administrator's Primary Group, the Domain Admins, is not listed. However, don't worry; we will tackle this anomaly in Example 2.
If you launch Active Directory Users and Computers and observe the 'Member Of' tab for the Administrator (or other users), then you will see that the Primary Group is listed separately from the other groups. When I checked the LDAP property memberOf with ADSI Edit, Domain Admins was not listed amongst the other groups. Nevertheless, I found a way to display the Primary Group by interrogating a different LDAP property called primaryGroupID. Further research revealed:
' UsermemberOf Adv.vbs
' To list the groups to which the administrator is a memberOf
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.3 - May 2005
' ---------------------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objmemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList
Dim arrGroup

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strList ="-------------------------------" & vbCr
strUser ="cn=Administrator,"
strOU ="CN=Users,"
strLDAP ="LDAP://" & strUser & strOU & strDNSDomain
Set objUser = GetObject(strLDAP)

' Heart of the script, extract a list of Groups from memberOf
objmemberOf = objUser.GetEx("memberOf")
For Each objGroup in objmemberOf
   ' Strip the leading "CN=", then keep the text before the first comma
   objGroup = Mid(objGroup, 4, 330)
   arrGroup = Split(objGroup, "," )
   strList = strList & arrGroup(0) & vbCr
Next

' Additional section to find the primary group.
' primaryGroupID holds the RID of the primary group
If objUser.primaryGroupID = 513 Then
   strList = strList & vbCr & "Primary Group: " _
   & vbCr & "Domain Users" & vbCr
Else
   If objUser.primaryGroupID = 515 Then
      strList = strList & "Domain Computers"
   Else
      strList = strList & "Maybe a Domain Controller"
   End If
End If

WScript.Echo "Groups for " & Mid(strUser, 4, 99) & vbCr & strList
WScript.Quit
' End of Sample User memberOf and primaryGroupID VBScript
VBScript Tutorial - Learning Points for Enumerating a Group
Note 1: In the Additional Section, primaryGroupID = 513 translates to the Domain Users.
Note 2: By using the Mid and Split functions we break the LDAP string CN=Schema Admins,CN=Builtin,DC=xyz, into the more readable: Schema Admins.
Note 3: Naturally, you could enumerate the group membership of other users; however, if you change strUser, remember that you probably need to amend strOU = "CN=Users," to strOU = "OU=NewOU,".
Do be careful with the CN= versus OU=, and remember that last comma.
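The primary-group lookup of Note 1 and the DN trimming of Note 2, generalised as an added example in Python (not part of the original page or its VBScript): rather than hard-coding 513 and 515, it derives the primary group's SID from the user's objectSid and primaryGroupID, and it extracts the group name without breaking on an escaped comma. The record, domain SID and DNs below are constructed sample data, and the function names are hypothetical.

```python
import struct

# Well-known domain-relative RIDs (documented Windows values).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

def sid_to_str(raw):
    """Decode a binary objectSid value into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def primary_group_sid(object_sid, primary_group_id):
    """The primary group's SID is the user's SID with its last part (the RID)
    replaced by primaryGroupID."""
    domain_sid = sid_to_str(object_sid).rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

def first_rdn_value(dn):
    """Value of the leftmost RDN. A backslash-escaped character (such as the
    comma in 'CN=Ops\\, Tier 0') is kept; hex escapes like \\0A are not decoded."""
    out, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1                      # drop the backslash, keep what follows
        out.append(dn[i])
        i += 1
    return "".join(out)

def effective_groups(user):
    """memberOf names plus the primary group, which memberOf never contains."""
    names = [first_rdn_value(dn) for dn in user.get("memberOf", [])]
    rid = user["primaryGroupID"]
    label = WELL_KNOWN_RIDS.get(rid, "RID %d (resolve by SID)" % rid)
    names.append("%s [primary, %s]" % (label, primary_group_sid(user["objectSid"], rid)))
    return names

# Constructed sample record: the domain SID and the DNs are made up.
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 500))
SAMPLE_USER = {"objectSid": SAMPLE_SID, "primaryGroupID": 512,
               "memberOf": ["CN=Schema Admins,CN=Users,DC=example,DC=test",
                            "CN=Ops\\, Tier 0,OU=Groups,DC=example,DC=test"]}

if __name__ == "__main__":
    for name in effective_groups(SAMPLE_USER):
        print(name)
```

A membership review that reads only memberOf would miss the Domain Admins entry in this sample, because it is held through primaryGroupID alone; the Mid and Split approach would also shorten the second group to "Ops\".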
Enumerating the groups to which a user is a memberOf opens up other scripting possibilities, for example, mapping network drives based on group membership. Mastering this technique is not easy; the secret is to isolate and understand each method, then bolt together the components to make your final script.