VBScript Group Membership
Tutorial for Enumerating Users in a Group with VBScript
This page will show you how to list all the members of a group. By group, I mean the Global, Domain Local and Universal Groups found in Active Directory. Feel free to adapt my examples to enumerate groups in your Windows Server domain.
Topics for VBScript Group Membership
Part of the reason why groups are so tricky is the sheer number of different VBScript techniques that you can apply to the group object. This page is all about listing members or enumerating. Incidentally, I love that first syllable - enuuuum.
Before we start scripting, let us pay attention to detail and examine the two relevant tabs in Active Directory Users and Computers. The first tab is called Members and it means, 'who is in this group'. The second tab is Member Of, this lists not users, but other groups to which the selected group belongs. It really is worth mastering this difference between Members (plural) and Member Of (singular).
This script employs the GetEx method to interrogate the members attribute of the Administrators group. Perhaps Members array would be a more descriptive term, in any case, the technique involves looping through the 'Members' field, listing the users. When ever you want to discover more about these LDAP properties, launch ADSI Edit (see more here).
I recommend that you logon as administrator, preferably at a domain controller. Alternatively, try Remote Desktop. If all else fails, you can try these script on an XP machine as a non-administrator, but why introduce extra complications? Let us start with some easy successes.
Instructions for Listing the Administrators
VBScript to Enumerate Members of the Administrators Group
Script corrected August 2010. Line 12 now says:
Note 1: The crucial feature of this script is: arrMemberOf = objGroup.GetEx("member"). Normally it would be plain Get("member"). However, since we are dealing with an array, we must get the extended or expanded list, hence GetEx, not Get.
Note 2: Observe how the 'For... Next' loop is also extended to, 'For Each .... Next'. Or to be accurate the construction is 'For Each.... in ...Next'. The reason for the extra command is that we are dealing with not one, but a collation of members in the Administrators group.
Note 3: After case sensitive problems with 'user', (in other scripts), I can report that here, 'member' or 'MEMBERS' are equally effective. Neither produces an error.
Note 4: However, beware of spaces "Member " does not work it should be "Member".
I like the Permissions Analyzer because it enables me to see WHO has permissions to do WHAT at a glance. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, and takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free SolarWinds utility saves when you are troubleshooting authorization problems for user's access to a resource. Give this permissions monitor a try - it's free!
This script achieves the same result, but displays the names more clearly by removing the dc=domain clutter.
Script corrected August 2010. Line 12
Note 1: The improvements are mainly cosmetic, nevertheless, there filters 'Mid' and 'Split' are handy to make the output easier to read.
Note 2: With 'Split', arrGroup(0) on the following line, is crucial. To see what I mean change to arrGroup(1).
Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as .csv file. Then launch this FREE utility and match your fields with AD's attributes, click and import the users.
Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.
If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)
John says: "I'm using this to enable scheduled tasks. I spent a fair bit of time trying to figure how to do this my way."
Guy says: "Never miss the chance of learning by studying two different methods of achieving the same goal".
'Connect to AD
'Get LDAP entry for current user.
'Get LDAP entry to current computer object.
'Bind objGroup to LDAP entry for a AD group.
'Check AD Group for user member.
'Check AD Group for computer member
This script lists the membership of the Administrators group. The key attribute is "Member". The key to understand what the script does is to investigate the User's Member and Member Of tabs and compare them with your script commands.
If you like this page then please share it with your friends
See more VBScript examples: