How to Enumerate Groups that a User is a memberOf

VBScript MemberOf Tutorial

This page will show you how to list all the groups that a user is a memberOf.   My examples enumerate the groups to which the Administrator belongs, however you could adapt the scripts for any Active Directory account.

Our Mission and Goal

There are a remarkable number of techniques, methods and properties for handling Active Directory groups.  However, this page has a clear goal, to display all of the groups held by the memberOf attribute.

One special feature of the second example, is the way that VBScript finds and then displays the user’s primary group.  Surprisingly, finding the primary group turned out to be the most difficult part of the mission.

Along the journey to display the user’s groups, this script employs two lesser known scripting methods, Split and GetEx.  A tiny point, but the key property is spelt memberOf not memberSof.

Example 1: Discovering which groups the Administrator is a memberOf

The idea is to build the DN (Distinguished name) string for the Administrator, then to Get(Object) from Active Directory and finally to loop through all the memberOf groups.

Prerequisites

I recommend that you are logged on as administrator, preferably at a domain controller.  Alternatively, try Remote Desktop.  If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?  Let us start with some easy successes.

Instructions for Discovering Who the Administrator is a MemberOf

  1. You should run this VBScript on a Windows Active Directory domain.
  2. Copy and paste the example script below into notepad or a VBScript editor.
  3. Save the file with a .vbs extension, for example: memberOf.vbs.
  4. Double click memberOf.vbs and check the message box to see the groups that the strUser is a memberOf.

Script to discover which group the Administrator is a memberOf

' UsermemberOf.vbs
' To list the groups to which the administrator is a memberOf
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.3 VBScript MemberOf - May 2010
' ------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objmemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strUser = "cn=Administrator,"
strOU = "CN=Users,"
strLDAP = "LDAP://" & strUser & strOU & strDNSDomain

Set objUser = GetObject(strLDAP)

' Heart of the script, extract a list of Groups from memberOf
' GetEx always returns an array, even for a single group;
' it raises an error if the memberOf attribute is empty
objmemberOf = objUser.GetEx("memberOf")
For Each objGroup In objmemberOf
   strList = strList & objGroup & vbCr
Next

WScript.Echo "Groups for " & strUser & vbCr & strList

WScript.Quit

' End of Sample User memberOf VBScript

VBScript Memberof Tutorial – Learning Points

Note 1:  The first section of the VBScript prepares the ground by explaining the purpose and declaring the variables.  In the central portion, VBScript carefully builds the LDAP path to the Administrator.  At the heart of the script is the .GetEx method, which extracts the group information from the memberOf property.

Note 2:  Often a user will be a member of several groups, so we need a loop, which is supplied by the For Each …Next construction.

Note 3:  In the background, the strList variable stores all the groups and thanks to vbCr, separates them with a carriage return.

Note 4:  Strangely, the Administrator’s Primary Group, the Domain Admins is not listed.  However don’t worry, we will tackle this anomaly in Example 2.

Example 2: Advanced VBScript Enumerate Group Membership

If you launch Active Directory Users and Computers and observe the ‘Member Of’ tab for the Administrator (or other users), then you will see that the Primary Group is listed separately from the other groups.  When I checked the LDAP property memberOf with ADSI Edit, Domain Admins was not listed amongst the other groups.  Nevertheless, I found a way to display the Primary Group by interrogating a different LDAP property called primaryGroupID.  Further research revealed:

Values for primaryGroupID:

  513  Domain Users
  514  Domain Guests
  515  Domain Computers
  516  Domain Controllers

' UsermemberOf Adv.vbs
' To list the groups to which the administrator is a memberOf
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.3 - May 2010
' ------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU, objmemberOf
Dim strOU, strUser, strDNSDomain, strLDAP, strList
Dim arrGroup

' Commands to bind to AD and extract domain name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Build the LDAP DN from strUser, strOU and strDNSDomain
strList = "-------------------------------" & vbCr
strUser = "cn=Administrator,"
strOU = "CN=Users,"
strLDAP = "LDAP://" & strUser & strOU & strDNSDomain
Set objUser = GetObject(strLDAP)

' Heart of the script, extract a list of Groups from memberOf
objmemberOf = objUser.GetEx("memberOf")
For Each objGroup In objmemberOf
   ' Drop the leading "CN=" and keep the text before the first comma
   objGroup = Mid(objGroup, 4, 330)
   arrGroup = Split(objGroup, ",")
   strList = strList & arrGroup(0) & vbCr
Next

' Additional section to find the primary group.
' memberOf does not hold the primary group, so translate primaryGroupID
' using the values listed above; any other value is shown as a number.
strList = strList & vbCr & "Primary Group: " & vbCr
If objUser.primaryGroupID = 513 Then
   strList = strList & "Domain Users" & vbCr
ElseIf objUser.primaryGroupID = 514 Then
   strList = strList & "Domain Guests" & vbCr
ElseIf objUser.primaryGroupID = 515 Then
   strList = strList & "Domain Computers" & vbCr
ElseIf objUser.primaryGroupID = 516 Then
   strList = strList & "Domain Controllers" & vbCr
Else
   strList = strList & "primaryGroupID " & objUser.primaryGroupID & vbCr
End If
WScript.Echo "Groups for " & Mid(strUser, 4, 99) & vbCr & strList

WScript.Quit

' End of Sample User memberOf and primaryGroupID VBScript

VBScript Tutorial – Learning Points for Enumerating a Group

Note 1:  In the Additional Section,  primaryGroupID = 513 translates to the Domain Users.

Note 2:  By using the Mid and Split functions we break the LDAP string CN=Schema Admins,CN=Builtin,DC=xyz, into the more readable: Schema Admins.

Note 3:  Naturally, you could enumerate the group membership of other users, however if you change strUser remember that you probably need to amend strOU = "CN=Users, " to strOU = "OU=NewOU,".  Do be careful with the CN= versus OU=, and remember that last comma.
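
The Mid and Split approach in Note 2 cuts a group name at the first comma, so a group whose own name contains a comma (written in the DN as \, or \2C) is reported under a truncated name, which matters when the output is used to audit membership.  The script below is an added example, not one of the original scripts: FirstRdnValue and IsHexPair are hypothetical helper names, and the example.com DNs are constructed samples.

```vbscript
' Added example (not from the original page): read the first RDN value
' of a DN while honouring backslash escapes, then compare with Mid + Split.
Option Explicit
Dim arrDN, strSample, arrParts

' Constructed sample DNs; the first is the string quoted in Note 2.
arrDN = Array("CN=Schema Admins,CN=Builtin,DC=xyz", _
              "CN=Ops\, EMEA,OU=Groups,DC=example,DC=com", _
              "CN=Tier0\2CAdmins,OU=Groups,DC=example,DC=com")

For Each strSample In arrDN
    arrParts = Split(Mid(strSample, 4, 330), ",")
    WScript.Echo "Mid + Split : " & arrParts(0) & vbCrLf & _
                 "Escape-aware: " & FirstRdnValue(strSample)
Next

' Returns the value of the first RDN with escapes removed.
' Hex escapes are decoded one byte at a time, so only ASCII is handled.
Function FirstRdnValue(strDN)
    Dim i, ch, strRdn, strHex
    strRdn = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" And i < Len(strDN) Then
            strHex = Mid(strDN, i + 1, 2)
            If IsHexPair(strHex) Then
                strRdn = strRdn & Chr(CLng("&H" & strHex))  ' \2C form
                i = i + 3
            Else
                strRdn = strRdn & Mid(strDN, i + 1, 1)      ' \, form
                i = i + 2
            End If
        ElseIf ch = "," Then
            Exit Do                     ' unescaped comma ends the RDN
        Else
            strRdn = strRdn & ch
            i = i + 1
        End If
    Loop
    ' Strip the attribute type ("CN=", "OU=") in front of the value
    FirstRdnValue = Mid(strRdn, InStr(strRdn, "=") + 1)
End Function

Function IsHexPair(strPair)
    Dim j
    IsHexPair = (Len(strPair) = 2)
    For j = 1 To Len(strPair)
        If InStr("0123456789ABCDEF", UCase(Mid(strPair, j, 1))) = 0 Then IsHexPair = False
    Next
End Function
```

Run it with cscript so each comparison prints to the console instead of opening a message box per DN.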

Summary of VBScript MemberOf

Enumerating the groups to which a user is a memberOf opens up other scripting possibilities, for example, mapping network drives based on group membership.  Mastering this technique is not easy; the secret is to isolate and understand each method, then bolt together the components to make your final script.
