Tutorial for Enumerating Users in a Group with VBScript
This page will show you how to list all the members of a group. By group, I mean the Global, Domain Local
and Universal Groups found in Active Directory. Feel free to adapt my examples to enumerate groups in your Windows Server domain.
Part of the reason why groups are so tricky is the sheer number of different VBScript techniques that you can apply to the group object. This page is all about listing members or enumerating. Incidentally, I love that first syllable - enuuuum.
Before we start scripting, let us pay attention to detail and examine the two relevant tabs in Active Directory Users and Computers. The first tab is called Members and it means, 'who is in this group'. The second tab is Member Of; this lists not users, but other groups to which the selected group belongs. It really is worth mastering this difference between Members (plural) and Member Of (singular).
This script employs the GetEx method to interrogate the member attribute of the Administrators group. Perhaps 'Members array' would be a more descriptive term; in any case, the technique involves looping through the 'Members' field, listing the users.
Whenever you want to discover more about these LDAP properties, launch ADSI Edit.
Prerequisites
I recommend that you log on as administrator, preferably at a domain controller. Alternatively, try Remote Desktop. If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?
Let us start with some easy successes.
Instructions for Listing the Administrators
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Save the file with a .vbs extension, for example: GroupEnum.vbs.
Double click GroupEnum.vbs and check the strOU for your new group.
VBScript to Enumerate Members of the Administrators Group
Script corrected August 2010. Line 12 now says: strContainer= "cn=administrators,cn=Builtin"
' GroupEnum.vbs
' VBScript Enumerate Administrators Group
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 August 2010
' ----------------------------------------------------------'
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objRootDSE
Dim arrMemberOf

' Bind to Active Directory'
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject ("LDAP://"& strContainer & strDNSDomain)
objGroup.getInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each .... Next '
WScript.Echo "Members of Group " & strContainer
For Each strMember in arrMemberOf
   WScript.echo strMember
Next
Note 1: The crucial feature of this script is: arrMemberOf = objGroup.GetEx("member"). Normally it would be plain Get("member"). However, since we are
dealing with an array, we must get the extended or expanded list, hence GetEx, not Get.
Note 2: Observe how the 'For... Next' loop is also extended to 'For Each .... Next'. Or to be accurate, the construction is 'For Each.... in ...Next'. The reason for the extra command is that we are dealing with not one, but a collection of members in the Administrators group.
Note 3: After case sensitive problems with 'user', (in other scripts), I can report that here, 'member' or 'MEMBERS' are equally effective. Neither produces an error.
Note 4: However, beware of spaces: "Member " does not work; it should be "Member".
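An added example, not part of the original page: it extends the GetEx technique to two cases GroupEnum.vbs does not cover, a group whose member attribute is empty (GetEx then raises an error) and groups nested inside the Administrators group. The file name NestedGroupEnum.vbs and the Sub name ListMembers are hypothetical.

```vbscript
' NestedGroupEnum.vbs (added example; file and Sub names are hypothetical)
Option Explicit
Dim objRootDSE, strDNSDomain, objSeen

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' DNs already visited, so circular nesting cannot recurse forever
Set objSeen = CreateObject("Scripting.Dictionary")
objSeen.CompareMode = vbTextCompare

ListMembers "cn=Administrators,cn=Builtin," & strDNSDomain, 0

Sub ListMembers(strGroupDN, intDepth)
    Dim objGroup, arrMembers, strMember, objMember, strIndent
    strIndent = Space(intDepth * 2)
    If objSeen.Exists(strGroupDN) Then
        WScript.Echo strIndent & "(already listed) " & strGroupDN
        Exit Sub
    End If
    objSeen.Add strGroupDN, True

    ' A "/" in a DN must be escaped inside an ADsPath
    Set objGroup = GetObject("LDAP://" & Replace(strGroupDN, "/", "\/"))

    ' GetEx raises an error when the member attribute holds no values
    On Error Resume Next
    arrMembers = objGroup.GetEx("member")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        WScript.Echo strIndent & "(no direct members)"
        Exit Sub
    End If
    On Error GoTo 0

    For Each strMember In arrMembers
        Set objMember = GetObject("LDAP://" & Replace(strMember, "/", "\/"))
        WScript.Echo strIndent & objMember.Class & ": " & strMember
        ' Recurse into nested groups to reach their members
        If LCase(objMember.Class) = "group" Then
            ListMembers strMember, intDepth + 1
        End If
    Next
End Sub
```

Run it with cscript so that each line goes to the console instead of a separate message box. The member attribute does not include accounts that hold a group as their primary group, so a listing built this way for a group such as Domain Users is incomplete.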
This script achieves the same result, but displays the names more clearly by removing the dc=domain clutter.
Script corrected August 2010. Line 12 now says: strContainer= "cn=administrators,cn=Builtin"
' GroupEnum2.vbs
' VBScript Group Membership
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.4 August 2010
' ----------------------------------------------------------'
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objRootDSE
Dim arrMemberOf, strList, arrGroup

' Bind to Active Directory'
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject ("LDAP://"& strContainer & strDNSDomain)
objGroup.getInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each .... Next
WScript.Echo "Members of Group " & strContainer
For Each strMember in arrMemberOf
   ' Mid drops the leading "CN=" from the distinguished name
   strMember = Mid(strMember, 4, 330)
   ' Split on commas; element 0 is the member's name
   arrGroup = Split(strMember, "," )
   strList = strList & arrGroup(0) & vbcr
Next

' Display the accumulated list of names
WScript.Echo strList
Note 1: The improvements are mainly cosmetic; nevertheless, these filters 'Mid' and 'Split' are handy to make the output easier to read.
Note 2: With 'Split', arrGroup(0) on the following line is crucial. To see what I mean, change to arrGroup(1).
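An added example, not part of the original page: Split on "," cuts a name short when the name itself contains an escaped comma, which distinguished names write as "\,". The function RdnValue is hypothetical and handles single-character backslash escapes only (not hex pairs); the sample DNs are constructed.

```vbscript
' RdnValue.vbs (added example; file and function names are hypothetical)
Option Explicit

' Return the value of the first RDN in a distinguished name,
' honouring backslash escapes so that "\," does not end the name.
Function RdnValue(strDN)
    Dim intPos, strChar, strOut, blnEscaped
    strOut = ""
    blnEscaped = False
    intPos = InStr(strDN, "=") + 1           ' skip "CN=", "OU=" and so on
    Do While intPos <= Len(strDN)
        strChar = Mid(strDN, intPos, 1)
        If blnEscaped Then
            strOut = strOut & strChar        ' escaped character is literal
            blnEscaped = False
        ElseIf strChar = "\" Then
            blnEscaped = True                ' next character is escaped
        ElseIf strChar = "," Then
            Exit Do                          ' unescaped comma ends the RDN
        Else
            strOut = strOut & strChar
        End If
        intPos = intPos + 1
    Loop
    RdnValue = strOut
End Function

' Constructed sample DNs, not taken from a real directory
Dim arrSample, strDN, arrGroup, strList
arrSample = Array( _
    "CN=Administrator,CN=Users,DC=example,DC=local", _
    "CN=Thomas\, Guy,OU=Staff,DC=example,DC=local", _
    "CN=Domain Admins,CN=Users,DC=example,DC=local")

' Show the Mid/Split result beside the escape-aware result
For Each strDN In arrSample
    arrGroup = Split(Mid(strDN, 4, 330), ",")
    strList = strList & "Mid/Split: " & arrGroup(0) & _
              "   RdnValue: " & RdnValue(strDN) & vbCrLf
Next
WScript.Echo strList
```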
John says: "I'm using this to enable scheduled tasks. I spent a fair bit
of time trying to figure how to do this my way."
Guy says: "Never miss the chance of learning by studying two different
methods of achieving the same goal".
'John Wagner
'20081229
'Sample Script to Detect membership of user object and computer object in AD group.

'Connect to AD
Set objSysInfo = CreateObject("ADSystemInfo")

'Get LDAP entry for current user.
strUserDN = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUserDN)
'WScript.Echo "Current User is " & strUserDN 'Sanity Check

'Get LDAP entry to current computer object.
strComputerDN = objSysInfo.ComputerName
Set objComputer = GetObject("LDAP://" & strComputerDN)
'WScript.Echo strComputerDN 'Sanity Check

'Bind objGroup to LDAP entry for a AD group.
Set objGroup = GetObject("LDAP://cn=TestGroup,ou=Administrative,ou=Users-DAS,dc=das,dc=ohioad,dc=local")

'Check AD Group for user member.
if objGroup.IsMember(objUser.AdsPath) = true then
   WScript.Echo strUserDN & " is a member of the AD group."
else
   WScript.Echo strUserDN & " is NOT a member of the AD group."
end if

'Check AD Group for computer member
if objGroup.IsMember(objComputer.AdsPath) = true then
   WScript.Echo strComputerDN & " is a member of the AD Group."
else
   WScript.Echo strComputerDN & " is NOT a member of the AD Group."
end if
This script lists the membership of the Administrators group. The key attribute is "Member". The key to understanding what the script does is to investigate the User's Member and Member Of tabs and compare them with your script commands.