I quote:
MemberOf - How do you handle enumerating the groups a user has in Active Directory? Especially when there could be n levels of nesting going on, with possible recursive nesting. I was wondering that myself... I checked out Microsoft's Resource Kit tool ifmember, and it doesn't enumerate nested groups unless the nesting is the old NT way of nesting Global groups into Local Groups. Well, I sat down this morning and worked out a solution. MemberOf is the solution; if you just run it, it will give you the groups that the current process security context user has. You can specify a different user if you would like. It supports both UPN and flat username specification formats (i.e. user@domain and domain\user). If you use the -h switch you can see usage help. Here is a little sample run:
G:\Dev\cpp\MemberOf>memberof -u [email protected]
MemberOf V01.02.00cpp Joe Richards ([email protected]) August 2001
Group Memberships:
[Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=joehome,DC=com
[Global Security] [GGroup1] CN=GGroup1,OU=Test,DC=joehome,DC=com
[Global Security] [GGroup2] CN=GGroup2,OU=Test,DC=joehome,DC=com
[Local Security] [TestGroup2] CN=TestGroup2,OU=Test,DC=joehome,DC=com
[Local Security] [Users] CN=Users,CN=Builtin,DC=joehome,DC=com
[Local Security] [testgroup1] CN=testgroup1,OU=Test,DC=joehome,DC=com
[Local Security] [testgroup3] CN=testgroup3,OU=Test,DC=joehome,DC=com
This program could be used in a logon script to check if a user is in a specific group
in the following way:
@echo off
rem find /i returns ERRORLEVEL 0 when the group name appears in the output, 1 when it does not
memberof -q | find /i "[domain admins]" >nul
if %ERRORLEVEL%==0 echo "User is member of domain admins"
if %ERRORLEVEL%==1 echo "User is not a member of domain admins"
This program works by enumerating the MemberOf attribute of a userid, hence the name. This means that the program will only display group memberships that are in this attribute, and that includes Global/Local Groups of the user's domain and Universal Groups of the user's Forest. For some reason, MS doesn't include the user's Primary group in the MemberOf attribute, so the program by default will go figure out that group on the side. If you want to disable this feature you can specify -np on the command line.
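The lookup the quoted text describes (walk memberOf through any depth of nesting without looping on recursive nesting, and fold in the primary group that memberOf omits) is shown below as an added Python example. It is not Joe's code or part of the MemberOf tool: the DNs, SIDs, group nesting and the in-memory DIRECTORY dict are constructed sample data standing in for the LDAP entries a real query would return, and the cycle between testgroup1 and testgroup3 is constructed to exercise the recursive case.

```python
from collections import deque

# groupType bit flags as Active Directory defines them (the LDAP attribute is a
# signed 32-bit value; Python's & gives the same answer on the negative form).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000
SEC_GLOBAL = GROUP_TYPE_SECURITY | GROUP_TYPE_GLOBAL
SEC_LOCAL = GROUP_TYPE_SECURITY | GROUP_TYPE_DOMAIN_LOCAL
SEC_BUILTIN = SEC_LOCAL | GROUP_TYPE_BUILTIN_LOCAL

DOMAIN_SID = "S-1-5-21-1111-2222-3333"           # constructed sample domain SID
USER_DN = "CN=joe,CN=Users,DC=joehome,DC=com"     # constructed sample user

def group(rid, group_type, member_of=()):
    """Build a group entry; objectSid is the domain SID plus the group's RID."""
    return {"objectClass": "group", "objectSid": f"{DOMAIN_SID}-{rid}",
            "groupType": group_type, "memberOf": list(member_of)}

# Constructed in-memory directory (DN -> attributes) standing in for LDAP
# search results. The nesting mirrors the sample run quoted above.
DIRECTORY = {
    USER_DN: {"objectClass": "user", "primaryGroupID": 513,
              "memberOf": ["CN=GGroup1,OU=Test,DC=joehome,DC=com"]},
    # The primary group is referenced only by primaryGroupID, never by memberOf.
    "CN=Domain Users,CN=Users,DC=joehome,DC=com":
        group(513, SEC_GLOBAL, ["CN=Users,CN=Builtin,DC=joehome,DC=com"]),
    "CN=Users,CN=Builtin,DC=joehome,DC=com": group(545, SEC_BUILTIN),
    "CN=Domain Admins,CN=Users,DC=joehome,DC=com": group(512, SEC_GLOBAL),
    "CN=GGroup1,OU=Test,DC=joehome,DC=com":
        group(1101, SEC_GLOBAL, ["CN=GGroup2,OU=Test,DC=joehome,DC=com"]),
    "CN=GGroup2,OU=Test,DC=joehome,DC=com":
        group(1102, SEC_GLOBAL, ["CN=TestGroup2,OU=Test,DC=joehome,DC=com"]),
    "CN=TestGroup2,OU=Test,DC=joehome,DC=com":
        group(1103, SEC_LOCAL, ["CN=testgroup1,OU=Test,DC=joehome,DC=com"]),
    "CN=testgroup1,OU=Test,DC=joehome,DC=com":
        group(1104, SEC_LOCAL, ["CN=testgroup3,OU=Test,DC=joehome,DC=com"]),
    # Constructed circular nesting: testgroup3 is in turn a member of testgroup1.
    "CN=testgroup3,OU=Test,DC=joehome,DC=com":
        group(1105, SEC_LOCAL, ["CN=testgroup1,OU=Test,DC=joehome,DC=com"]),
}

def group_scope(attrs):
    """Label a group the way the sample run does, e.g. 'Global Security'."""
    gtype = attrs["groupType"]
    if gtype & GROUP_TYPE_GLOBAL:
        scope = "Global"
    elif gtype & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "Local"
    elif gtype & GROUP_TYPE_UNIVERSAL:
        scope = "Universal"
    else:
        scope = "Unknown"
    kind = "Security" if gtype & GROUP_TYPE_SECURITY else "Distribution"
    return f"{scope} {kind}"

def primary_group_dn(user_dn, directory):
    """Resolve primaryGroupID (a RID) to the group whose SID is domainSID-RID."""
    wanted_sid = f"{DOMAIN_SID}-{directory[user_dn]['primaryGroupID']}"
    for dn, attrs in directory.items():
        if attrs["objectClass"] == "group" and attrs["objectSid"] == wanted_sid:
            return dn
    return None

def effective_groups(user_dn, directory, include_primary=True):
    """Transitive closure of memberOf (any nesting depth) plus the primary group
    unless disabled (the tool's -np). Returns {group_dn: scope label}.
    The 'already in result' check is what stops recursive nesting from looping."""
    queue = deque(directory[user_dn]["memberOf"])
    if include_primary:
        primary = primary_group_dn(user_dn, directory)
        if primary:
            queue.append(primary)
    result = {}
    while queue:
        dn = queue.popleft()
        if dn in result:  # already expanded: breaks the testgroup1 <-> testgroup3 cycle
            continue
        attrs = directory[dn]
        result[dn] = group_scope(attrs)
        queue.extend(attrs["memberOf"])
    return result

def rdn_value(dn):
    """First RDN value of a DN (the sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def is_member(user_dn, group_cn, directory, include_primary=True):
    """Case-insensitive name test, the check the logon script does with find /i."""
    groups = effective_groups(user_dn, directory, include_primary)
    return any(rdn_value(dn).lower() == group_cn.lower() for dn in groups)

def report(user_dn, directory, include_primary=True):
    """Lines in the tool's output format, sorted by scope then name."""
    groups = effective_groups(user_dn, directory, include_primary)
    rows = sorted(groups.items(), key=lambda kv: (kv[1], rdn_value(kv[0])))
    return [f"[{scope}] [{rdn_value(dn)}] {dn}" for dn, scope in rows]

if __name__ == "__main__":
    print("Group Memberships:")
    print("\n".join(report(USER_DN, DIRECTORY)))
    print("domain admins member:", is_member(USER_DN, "domain admins", DIRECTORY))
```

Against the constructed data the report reproduces the seven lines of the quoted sample run, and passing include_primary=False drops Domain Users and the Builtin Users group it nests into, which is exactly what the -np switch leaves out. Against a real domain the same walk would be fed by LDAP reads of memberOf, primaryGroupID, objectSid and groupType.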
[Version: 1.02.00, Date: 8/11/01]
memberof /?
MemberOf V01.02.00cpp Joe Richards ([email protected]) August 2001

Usage: MemberOf [-s DomainController] [-u userid] [-np]

  DomainController  DC to direct queries to. Default value - Default LDAP Server
  userid            User Id to look up. Default value - current user
                    format: username@domain or domain\username
  -np               Disables default action of grabbing primary group and adding
                    to the list. The primary group is not a member of memberOf
                    attribute so it has to be grabbed specially.

Ex1: MemberOf
     This look up the current user info on whatever DC it finds.
Ex2: MemberOf -s DC1 -u [email protected]
     Will verify that DC1 is a DC that has info for joeware.net and then lookup
     info for the [email protected] id.
Ex3: MemberOf -p n
     Look up current user on default ldap server, don't get primary group information.

This software is Freeware. Use it as you wish at your own risk. If you have improvement ideas, bugs, or just wish to say Hi, I receive email 24x7 and read it in a semi-regular timeframe. You can usually find me at http://www.joeware.net