How Can I Determine Which Groups a User Belongs To?

Hey, Scripting Guy! Question

Hey, Scripting Guy! In my logon script, how can I find out which Active Directory groups a user belongs to?

— JB, Montpelier, VT

Hey, Scripting Guy! Answer

Hey, JB. This is pretty easy to do in a logon script:

On Error Resume Next
' Get the distinguished name of the logged-on user from ADSystemInfo
Set objADSysInfo = CreateObject("ADSystemInfo")
strUser = objADSysInfo.UserName
' Bind to the user account in Active Directory
Set objUser = GetObject("LDAP://" & strUser)
' memberOf holds the distinguished name of each group the user is directly a member of
For Each strGroup in objUser.memberOf
    ' Bind to the group so we can report its common name instead of its distinguished name
    Set objGroup = GetObject("LDAP://" & strGroup)
    Wscript.Echo objGroup.CN
Next

So what’s going on here? Well, we begin by using the ADSystemInfo object to determine the distinguished name of the logged-on user; that will be a name similar to this:

CN=kenmyer, OU=Managers, DC=fabrikam, DC=com

As soon as we have the distinguished name, we can use the LDAP provider to bind to the user account in Active Directory. One of the properties of an Active Directory user account is memberOf, an array consisting of all the groups the user belongs to. Because memberOf is an array, we can use a For Each loop to list all the groups.

When we report back the group names, however, we do one last thing. By default groups are stored by distinguished name in the memberOf property; thus you get back things like this:

CN=Production Leads, OU=Managers, DC=fabrikam, DC=com

Distinguished names are great for binding to Active Directory, but less useful for answering questions like, “Does this user belong to the Production Leads group?” So we take one extra step and, after retrieving the distinguished name for a group, we then bind to the group account in Active Directory. By doing so we can retrieve the CN (common name) for the group, and thus report back group names like this:

Production Leads

A bit easier to deal with, to say the least.

Two things to keep in mind here. First, this script runs only on Windows 2000, Windows XP, and Windows 2003; that’s because the ADSystemInfo object isn’t supported on Windows NT 4.0 or Windows 98. Second, this script returns only the groups where the user is individually named as a member. So what, you ask? Well, suppose the user is a member of Group A, and Group A happens to be a member of Group B. This script can’t identify groups within groups; that requires a slightly more complicated bit of coding, something we’ll take up later.
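The following is an added example, not the Scripting Guy's own script. It extends the logon script above to the nested-group case the last paragraph leaves open: it walks memberOf recursively, records each group by its distinguished name in a Scripting.Dictionary so that circular nesting (Group A in Group B, Group B in Group A) cannot loop forever, and uses GetEx rather than the bare memberOf property because GetEx always returns an array, even when the attribute holds a single value. The procedure names CollectGroups and IsMemberOf, and the group name "Production Leads" used in the usage line, are assumptions for illustration.

```vbscript
Option Explicit
On Error Resume Next

Dim objADSysInfo, objUser, dictGroups, strGroupDN

' Same starting point as the logon script: bind to the logged-on user
Set objADSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objADSysInfo.UserName)

' Dictionary keyed by group distinguished name; the value is the group CN.
' Keying on the DN lets us skip groups already visited, so nesting loops end.
Set dictGroups = CreateObject("Scripting.Dictionary")
dictGroups.CompareMode = vbTextCompare

CollectGroups objUser, dictGroups

' Report every group, direct or nested, by common name
For Each strGroupDN In dictGroups.Keys
    WScript.Echo dictGroups(strGroupDN)
Next

' Usage: answer "does this user belong to the Production Leads group?"
If IsMemberOf(dictGroups, "Production Leads") Then
    WScript.Echo "User is a (direct or nested) member of Production Leads"
End If

' Walks memberOf of objMember and every group found, adding each group DN
' and CN to dictSeen. Groups already in dictSeen are not revisited.
Sub CollectGroups(objMember, dictSeen)
    ' A procedure needs its own On Error statement; the caller's does not apply inside it
    On Error Resume Next
    Dim arrMemberOf, strDN, objGroup

    Err.Clear
    ' GetEx returns an array even for a single-valued memberOf
    arrMemberOf = objMember.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear          ' no memberOf attribute: nothing to walk
        Exit Sub
    End If

    For Each strDN In arrMemberOf
        If Not dictSeen.Exists(strDN) Then
            Set objGroup = GetObject("LDAP://" & strDN)
            If Err.Number = 0 Then
                dictSeen.Add strDN, objGroup.Get("cn")
                CollectGroups objGroup, dictSeen   ' recurse into parent groups
            Else
                Err.Clear                           ' bind failed: skip this group
            End If
        End If
    Next
End Sub

' Case-insensitive lookup of a group CN among the collected groups
Function IsMemberOf(dictSeen, strCN)
    Dim strKey
    IsMemberOf = False
    For Each strKey In dictSeen.Keys
        If StrComp(dictSeen(strKey), strCN, vbTextCompare) = 0 Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function
```

Two caveats apply to this version as much as to the original: memberOf never lists the user's primary group (normally Domain Users), because that membership is stored in the primaryGroupID attribute instead, and because the script runs with the logged-on user's credentials it only sees groups that user is permitted to read.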

Comments (1)

  1. Robin Rowe says:

    Hi Scripting Guy – I wasn’t sure how to get in touch with you so I decided to try this – I noticed some of your earlier posts and thought you might be able to help me – please – I have a friend of mine that’s trying to do the following, and I want to be able to help him. Can this be done and, if so, how? He’s trying to create a Macro in Word 2010 to do this:

    “I’m looking to build a Document search for Rescinded words. That’s the easy part. (I can find and highlight words). What I would like it to do is Find the word and have it change the font to red and be stricken through, then add a word after it in Blue and underlined. (Rescinded word / New Word). And maybe add a yellow Highlight over them all in one search.”