JSI Tip 9941. How can I display the security group membership of all users, in semi-colon delimited format?

Using the Active Directory command-line tools (dsquery/dsget) and the primaryGroupID.bat batch file, I have scripted AllUsrSecGrp.bat to display every user's security group membership, including membership obtained through nested groups, in a semi-colon delimited format like this:

"User Distinguished Name";"Group Distinguished Name"

The syntax for using AllUsrSecGrp.bat is simply to run it; it takes no arguments and echoes the report to standard output, so redirect it to a file to keep the result (the original syntax line did not survive on this page):

AllUsrSecGrp.bat >ReportFileName

AllUsrSecGrp.bat contains:

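@echo off
rem AllUsrSecGrp.bat - report every domain user's security-group membership,
rem including groups reached through nesting, one "user DN";"group DN" pair
rem per line on standard output. Takes no arguments. Needs the Windows AD
rem command-line tools and primaryGroupID.bat on the path.
rem
rem Security notes for whoever runs or reviews this:
rem  - It runs with the caller's credentials and only reads the directory,
rem    but the result is a complete map of who holds which security group.
rem    Treat the report as sensitive and do not leave copies lying in TEMP.
rem  - The two work files have fixed names under TEMP. That is fine on a
rem    per-user TEMP; on a shared TEMP another account could tamper with them.
rem  - DNs are rewritten with plain string substitution below, so a DN that
rem    contains a doubled space, an exclamation mark, a caret or a percent
rem    sign can be altered or dropped. Verify such accounts by hand.
rem  - Distribution groups are deliberately excluded via the secgrp flag.
rem
rem Delayed expansion is required: the for bodies read variables that are
rem assigned inside the same block. The listing as published lacked this
rem setlocal and the closing parentheses of the for blocks; both are restored.
setlocal ENABLEDELAYEDEXPANSION

rem Start from a clean work file so an earlier aborted run cannot leak rows.
if exist "%TEMP%\AllUsrSecGrp.TM1" del /q "%TEMP%\AllUsrSecGrp.TM1"

rem Every user object, primary group RID first and DN second. -limit 0 asks
rem dsquery for every match instead of its default result cap.
set qry1=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr primaryGroupID distinguishedName -limit 0

rem Skip=1 drops the dsquery column header line.
for /f "Skip=1 Tokens=1*" %%t in ('%qry1%') do (
  rem dsquery pads the DN column with blanks. Quote it, collapse the runs of
  rem spaces, then pull the closing quote back against the end of the DN.
  set usr="%%u"
  set usr=!usr:  =!
  set usr=!usr: "="!
  rem primaryGroupID.bat resolves the RID in %%t to the group DN in pgidn.
  call primaryGroupID %%t pgidn
  rem Emit the primary group only if dsget reports it as a security group.
  for /f "Tokens=1" %%s in ('dsget group !pgidn! -secgrp^|find "yes"') do (
    echo !usr!;!pgidn!>>"%TEMP%\AllUsrSecGrp.TM1"
  )
  rem -expand walks nested membership; each group is again filtered to
  rem security groups before it is written.
  for /f "Tokens=*" %%g in ('dsget user !usr! -memberof -expand') do (
    for /f "Tokens=1" %%s in ('dsget group %%g -secgrp^|find "yes"') do (
      echo !usr!;%%g>>"%TEMP%\AllUsrSecGrp.TM1"
    )
  )
)

if not exist "%TEMP%\AllUsrSecGrp.TM1" echo No group membership&endlocal&goto :EOF

rem Sort so that duplicate pairs, which arise when a group is reachable by
rem more than one nesting path, become adjacent; then print each pair once.
sort "%TEMP%\AllUsrSecGrp.TM1" /O "%TEMP%\AllUsrSecGrp.TM2"
del /q "%TEMP%\AllUsrSecGrp.TM1"
set prev=NONE
for /f "Tokens=*" %%u in ('type "%TEMP%\AllUsrSecGrp.TM2"') do (
  rem Compare without the quotes, but echo the original quoted line.
  set line=%%u
  set line=!line:"=!
  if "!prev!" NEQ "!line!" echo %%u
  set prev=!line!
)
del /q "%TEMP%\AllUsrSecGrp.TM2"
endlocal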
