VBScript Group Membership

Tutorial for Enumerating Users in a Group with VBScript

This page will show you how to list all the members of a group.  By group, I mean the Global, Domain Local and Universal Groups found in Active Directory.  Feel free to adapt my examples to enumerate groups in your Windows Server domain.

Our Mission and Goal

Part of the reason why groups are so tricky is the sheer number of different VBScript techniques that you can apply to the group object.  This page is all about listing members or enumerating.  Incidentally, I love that first syllable – enuuuum.

Before we start scripting, let us pay attention to detail and examine the two relevant tabs in Active Directory Users and Computers.  The first tab is called Members and it means, 'who is in this group'.  The second tab is Member Of; this lists not users, but other groups to which the selected group belongs.  It really is worth mastering this difference between Members (plural) and Member Of (singular).

Example 1: Discover who are the 'Members' belonging to the Administrators Group

This script employs the GetEx method to interrogate the member attribute of the Administrators group.  Perhaps Members array would be a more descriptive term; in any case, the technique involves looping through the 'Members' field, listing the users.  Whenever you want to discover more about these LDAP properties, launch ADSI Edit.

Prerequisites

I recommend that you log on as administrator, preferably at a domain controller.  Alternatively, try Remote Desktop.  If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?  Let us start with some easy successes.

Instructions for Listing the Administrators

  1. You should run this VBScript on a Windows Active Directory domain.
  2. Copy and paste the example script below into notepad or a VBScript editor.
  3. Save the file with a .vbs extension, for example: GroupEnum.vbs.
  4. Double click GroupEnum.vbs and check the strOU for your new group.

VBScript to Enumerate Members of the Administrators Group

Script corrected August 2010. Line 12 now says:
strContainer= "cn=administrators,cn=Builtin"

 

' GroupEnum.vbs
' VBScript Enumerate Administrators Group
' Author Guy Thomas https://computerperformance.co.uk/
' Version 1.3 August 2010
' ----------------------------------------------------------
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objRootDSE
Dim arrMemberOf

' Bind to Active Directory
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each ... Next
' WScript.Echo "Members of Group " & strContainer
For Each strMember In arrMemberOf
   WScript.Echo strMember
Next

WScript.Quit

' End of Sample Group Enum Member Script

VBScript Group Membership – Learning Points

Note 1: The crucial feature of this script is: arrMemberOf = objGroup.GetEx("member"). Normally it would be plain Get("member").  However, since we are dealing with an array, we must get the extended or expanded list, hence GetEx, not Get.

Note 2: Observe how the 'For ... Next' loop is also extended to 'For Each ... Next'.  Or to be accurate the construction is 'For Each ... In ... Next'.  The reason for the extra command is that we are dealing with not one, but a collection of members in the Administrators group.

Note 3:  After case sensitive problems with ‘user’, (in other scripts), I can report that here, ‘member’ or ‘MEMBERS’ are equally effective.  Neither produces an error.

Note 4: However, beware of spaces: "Member  " does not work; it should be "Member".
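
The member attribute read in Example 1 holds only direct members, so anyone who reaches the Administrators group through a nested group never appears in that list. The script below is an added example, not one of the original scripts on this page: it follows member through nested groups, indents each level, and traps the error that GetEx raises when a group has no members. The names ListMembers, EscapeDN and dicSeen are made up for this illustration.

```vbscript
' NestedGroupEnum.vbs - added example, not one of the original scripts
Option Explicit
Dim objRootDSE, dicSeen

' Distinguished names already visited; stops endless loops when
' two groups are members of each other
Set dicSeen = CreateObject("Scripting.Dictionary")
dicSeen.CompareMode = vbTextCompare

Set objRootDSE = GetObject("LDAP://RootDSE")
ListMembers "cn=Administrators,cn=Builtin," & _
   objRootDSE.Get("defaultNamingContext"), 0
WScript.Quit

Sub ListMembers(strGroupDN, intDepth)
   Dim objGroup, objMember, arrMembers, strMember

   If dicSeen.Exists(strGroupDN) Then Exit Sub
   dicSeen.Add strGroupDN, True
   Set objGroup = GetObject("LDAP://" & EscapeDN(strGroupDN))

   ' GetEx raises an error when the member attribute is empty
   On Error Resume Next
   arrMembers = objGroup.GetEx("member")
   If Err.Number <> 0 Then
      On Error GoTo 0
      Exit Sub
   End If
   On Error GoTo 0

   For Each strMember In arrMembers
      WScript.Echo Space(intDepth * 3) & strMember
      Set objMember = GetObject("LDAP://" & EscapeDN(strMember))
      ' A member that is itself a group is expanded one level deeper
      If LCase(objMember.Class) = "group" Then
         ListMembers strMember, intDepth + 1
      End If
   Next
End Sub

' A forward slash in a distinguished name must be escaped in an ADsPath
Function EscapeDN(strDN)
   EscapeDN = Replace(strDN, "/", "\/")
End Function
```

Run it with cscript //nologo NestedGroupEnum.vbs so that the output goes to the console rather than one message box per member. Accounts that hold a nested group as their primary group are not stored in that group's member attribute, so they will not be listed.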


Example 2:  Amended Script to Display Group Members Neatly

This script achieves the same result, but displays the names more clearly by removing the dc=domain clutter.

Script corrected August 2010. Line 12 now says:
strContainer= "cn=administrators,cn=Builtin"

 

' GroupEnum2.vbs
' VBScript Group Membership
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.4 August 2010
' ----------------------------------------------------------
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objRootDSE
Dim arrMemberOf, strList, arrGroup

' Bind to Active Directory
strContainer = "cn=Administrators,cn=Builtin, "
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Get the Builtin Administrators group
Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")

' Loop = For Each ... Next
WScript.Echo "Members of Group " & strContainer
For Each strMember In arrMemberOf
   ' Strip the leading "CN=" and keep only the first component of the DN
   strMember = Mid(strMember, 4, 330)
   arrGroup = Split(strMember, ",")
   strList = strList & arrGroup(0) & vbCr
Next

WScript.Echo strContainer & " contains " & vbCr & strList

WScript.Quit

' End of free example Group Enum Member Script

Learning Points

Note 1: The improvements are mainly cosmetic; nevertheless, the filters 'Mid' and 'Split' are handy to make the output easier to read.

Note 2: With ‘Split’, arrGroup(0) on the following line, is crucial.  To see what I mean change to arrGroup(1).


Example 3: Enumerating Group with VBScript Kindly Sent by John Wagner

John says: "I’m using this to enable scheduled tasks. I spent a fair bit of time trying to figure how to do this my way."

Guy says: "Never miss the chance of learning by studying two different methods of achieving the same goal".

 

'John Wagner
'20081229
'Sample Script to Detect membership of user object and computer object in AD group.

'Connect to AD
Set objSysInfo = CreateObject("ADSystemInfo")

'Get LDAP entry for current user.
strUserDN = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUserDN)
'WScript.Echo "Current User is " & strUserDN 'Sanity Check

'Get LDAP entry to current computer object.
strComputerDN = objSysInfo.ComputerName
Set objComputer = GetObject("LDAP://" & strComputerDN)
'WScript.Echo strComputerDN 'Sanity Check

'Bind objGroup to LDAP entry for a AD group.
Set objGroup = GetObject("LDAP://cn=TestGroup,ou=Administrative,ou=Users-DAS,dc=das,dc=ohioad,dc=local")

'Check AD Group for user member.
If objGroup.IsMember(objUser.AdsPath) = True Then
   WScript.Echo strUserDN & " is a member of the AD group."
Else
   WScript.Echo strUserDN & " is NOT a member of the AD group."
End If

'Check AD Group for computer member
If objGroup.IsMember(objComputer.AdsPath) = True Then
   WScript.Echo strComputerDN & " is a member of the AD Group."
Else
   WScript.Echo strComputerDN & " is NOT a member of the AD Group."
End If

Summary of VBScript Group Membership

This script lists the membership of the Administrators group.  The key attribute is "Member".  The key to understanding what the script does is to investigate the User's Member and Member Of tabs and compare them with your script commands.
