How Can I Determine Which Groups a User Belongs To?

Hey, Scripting Guy! Question

Hey, Scripting Guy! In my logon script, how can I find out which Active Directory groups a user belongs to?

— JB, Montpelier, VT

Hey, Scripting Guy! Answer

Hey, JB. This is pretty easy to do in a logon script:

' Keep going past errors (for example, a user with an empty memberOf)
On Error Resume Next
' ADSystemInfo gives us the distinguished name of the logged-on user
Set objADSysInfo = CreateObject("ADSystemInfo")
strUser = objADSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
' GetEx always returns an array, even when the user is in just one group;
' reading objUser.memberOf directly returns a single string in that case
arrGroups = objUser.GetEx("memberOf")
For Each strGroup in arrGroups
    ' Bind to the group so we can report its common name instead of its DN
    Set objGroup = GetObject("LDAP://" & strGroup)
    Wscript.Echo objGroup.CN
Next

So what’s going on here? Well, we begin by using the ADSystemInfo object to determine the distinguished name of the logged-on user; that will be a name similar to this:

CN=kenmyer, OU=Managers, DC=fabrikam, DC=com

As soon as we have the distinguished name, we can use the LDAP provider to bind to the user account in Active Directory. One of the properties of an Active Directory user account is memberOf, an array consisting of all the groups the user belongs to. Because memberOf is an array, we can use a For Each loop to list all the groups.

When we report back the group names, however, we do one last thing. By default groups are stored by distinguished name in the memberOf property; thus you get back things like this:

CN=Production Leads, OU=Managers, DC=fabrikam, DC=com

Distinguished names are great for binding to Active Directory, but less useful for answering questions like, “Does this user belong to the Production Leads group?” So we take one extra step and, after retrieving the distinguished name for a group, we then bind to the group account in Active Directory. By doing so we can retrieve the CN (common name) for the group, and thus report back group names like this:

Production Leads

A bit easier to deal with, to say the least.

Two things to keep in mind here. First, this script runs only on Windows 2000, Windows XP, and Windows 2003; that’s because the ADSystemInfo object isn’t supported on Windows NT 4.0 or Windows 98. Second, this script returns only the groups where the user is individually named as a member. So what, you ask? Well, suppose the user is a member of Group A, and Group A happens to be a member of Group B. This script can’t identify groups within groups; that requires a slightly more complicated bit of coding, something we’ll take up later.
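Nested groups can be walked with the same ADSI calls the column uses. The script below is an added example, not code from the column; it assumes the same logon-script context (ADSystemInfo and an LDAP bind to the user) and follows memberOf from each group to its parents, recording every group in a Scripting.Dictionary so that circular nesting cannot loop forever.

```vbscript
' Added example (not from the column): lists direct AND nested groups
' for the logged-on user by walking memberOf recursively.
Option Explicit
Dim objADSysInfo, objUser, dictSeen, strDN
Set dictSeen = CreateObject("Scripting.Dictionary")
dictSeen.CompareMode = vbTextCompare   ' distinguished names compare case-insensitively

Set objADSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objADSysInfo.UserName)
CollectGroups objUser, dictSeen

' Report common name and distinguished name for every group found
For Each strDN In dictSeen.Keys
    WScript.Echo dictSeen(strDN) & vbTab & strDN
Next

' Reads memberOf of objMember (a user or a group) and recurses into
' each group not already recorded in dictVisited.
Sub CollectGroups(objMember, dictVisited)
    Dim arrGroups, strGroupDN, objGroup
    On Error Resume Next
    arrGroups = objMember.GetEx("memberOf")   ' always an array, even for one value
    If Err.Number <> 0 Then                   ' no memberOf at all: nothing to walk
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    For Each strGroupDN In arrGroups
        If Not dictVisited.Exists(strGroupDN) Then
            Set objGroup = GetObject("LDAP://" & strGroupDN)
            dictVisited.Add strGroupDN, objGroup.CN
            CollectGroups objGroup, dictVisited   ' climb into the parent group
        End If
    Next
End Sub
```

Like the column's script, this reads memberOf, which does not list the user's primary group (normally Domain Users); an access decision that relies on that group needs to check the primaryGroupID attribute separately.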