How to Enumerate Groups that a User is a memberOf
VBScript MemberOf Tutorial
This page will show you how to list all the groups that a user is a memberOf. My examples enumerate the groups to which the Administrator belongs, however you could adapt the scripts for any Active Directory account.
Topics for Enumerating All Groups a User is a memberOf with VBScript
There are a remarkable number of techniques, methods and properties for handling Active Directory groups. However, this page has a clear goal, to display all of the groups held by the memberOf attribute.
One special feature of the second example, is the way that VBScript finds and then displays the user's primary group. Surprisingly, finding the primary group turned out to be the most difficult part of the mission.
Along the journey to display the user's groups, this script employs two lesser known scripting methods, Split and GetEx. A tiny point, but the key property is spelt memberOf not memberSof.
The idea is to build the DN (Distinguished name) string for the Administrator, then to Get(Object) from Active Directory and finally to loop through all the memberOf groups.
I recommend that you are logged on as administrator, preferably at a domain controller. Alternatively, try Remote Desktop. If all else fails, you can try these script on an XP machine as a non-administrator, but why introduce extra complications? Let us start with some easy successes.
Instructions for Discovering Who the Administrator is a MemberOf
Script to discover which group the Administrator is a memberOf
' UsermemberOf .vbs
Note 1: The first section of the VBScript prepares the ground by explaining the purpose and declaring the variables. In the central portion, VBScript carefully builds the LDAP path to the Administrator. At the heart of the script the .GetEx method, which extracts the group information from the memberOf property.
Note 2: Often a user will be a member of several groups, so we need a loop, which is supplied by the For Each ...Next construction.
Note 3: In the background, the strList variable stores all the groups and thanks to vbCr, separates them with a carriage return.
Note 4: Strangely, the Administrator's Primary Group, the Domain Admins is not listed. However don't worry, we will tackle this anomaly in Example 2.
Import users from a spreadsheet, complete with their mailbox. Just provide a list of the users with the fields in the top row, and save as .csv file. Then launch this FREE utility, match your Exchange fields with AD's attributes, click and import the users. Optionally, you can provide the name of the OU where the new mailboxes will be born.
If you launch Active Directory Users and Computers and observe the 'Member Of' tab for the Administrator (or other users), then you will see that the Primary Group is listed separately from the other groups. When I checked the LDAP property memberOf with ADSI Edit, Domain Admins was not listed amongst the other groups. Nevertheless, I found away to display the Primary Group by interrogating a different LDAP property called primaryGroupID property. Further research revealed:
Values for primaryGroupID :
' UsermemberOf Adv.vbs
VBScript Tutorial - Learning Points for Enumerating a Group
Note 1: In the Additional Section, primaryGroupID = 513 translates to the Domain Users.
Note 2: By using the Mid and Split functions we break the LDAP string
Note 3: Naturally, you could enumerate the group membership of other users, however if you change strUser remember that you probably need to amend strOU = "CN=Users, " to strOU = "OU=NewOU,". Do be careful with the CN= versus OU=, and remember that last comma.
Enumerating the groups to which a user is a memberOf, opens up other scripting possibilities, for example, mapping network drives based on group membership. Mastering this technique is not easy, the secret is to isolate and understand each method, then bolt together the components to make your final script.
If you like this page then please share it with your friends
See more VBScript group examples: