Rem: Extracting Group Names from DNs


Do you have a scripting-related question or problem? You can send your question or problem to [email protected]

When I use the memberOf attribute to list the groups an Active Directory (AD) user is a member of, the group names are formatted as distinguished names (DNs), such as CN=Division 041,CN=Users,DC=Americas,DC=MyCompany,DC=com. However, I'm interested in only the group name. How can I extract Division 041 from the DN?

You can take several approaches to obtain just the group's name. Those approaches include the following:

  • Using the group's DN, you can bind (i.e., connect) to the group and read the group's common name (CN) attribute.
  • You can use VBScript's Split function to extract the group name from the DN.
  • You can use the VBScript Regular Expression (RegExp) object to extract the group name from the DN.

Because you already have the group's DN, using the Split function is the easiest and most efficient solution. Split accepts one mandatory argument (the string to split) and three optional arguments. The only optional argument you need to set is the function's second argument, which defines the delimiter—that is, the character that identifies the boundaries on which to split the target string. Based on the string and delimiter that you pass to Split, the function returns an array in which each element in the array is a substring of the original string. The script in Listing 1 demonstrates how to use Split to break apart a group's DN and echo just the group's name. Let's have a closer look at this script, which you must run on an AD server.

The first four lines of Listing 1 retrieve the currently logged-on user's name, bind to the corresponding user object in AD, and retrieve the user's multivalued memberOf attribute, which is stored in the array named arrGroups. The part of Listing 1 that answers your question is in the body of the For Each...Next statement. To understand what's going on inside this For Each loop, suppose memberOf returned the groups that Table 1 shows. These groups now reside in the arrGroups array.

The For Each loop enumerates each group in the arrGroups array. During each iteration, the loop assigns one of the groups in the arrGroups array to the variable named strGroupDN. The For Each loop then echoes strGroupDN's value so that you can compare it with the final result. Next, the Split function uses the comma as a delimiter to split strGroupDN's value into smaller segments. The array named arrRDNs stores the resulting array that Split returns, as Table 2 shows.

At this point, the only element in the arrRDNs array that you want is the first element, or arrRDNs(0). So, you use Split a second time to split the first element; however, this time you use the equal sign as the delimiter. (Optionally, you can combine the two Split statements into one statement, as the commented statement in Listing 1 shows.) The arrGroupRdnKeyAndValue array, which Table 3 shows, contains the second Split function's results.

As Table 3 shows, the value you want is in the second element of the arrGroupRdnKeyAndValue array, which the For Each loop echoes to the console. The For Each loop repeats the entire process I just described for each element in the arrGroups array.
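The two-Split technique described above assumes that the group's CN contains no commas. In a DN, a comma or other special character inside a name is escaped with a backslash (for example, CN=Sales\, West), and a plain Split on the comma cuts such a name short. The following script is an added example, not the article's Listing 1: it compares the combined Split statement with an escape-aware function. The sample DNs and the function name GetFirstRdnValue are constructed for illustration.

```vbscript
Option Explicit

' Constructed sample DNs standing in for memberOf values (not from Listing 1).
Dim arrGroups, strGroupDN
arrGroups = Array( _
    "CN=Division 041,CN=Users,DC=Americas,DC=MyCompany,DC=com", _
    "CN=Sales\, West,OU=Groups,DC=Americas,DC=MyCompany,DC=com", _
    "CN=R\+D Staff,OU=Groups,DC=Americas,DC=MyCompany,DC=com")

For Each strGroupDN In arrGroups
    WScript.Echo "DN:           " & strGroupDN
    ' The two Split calls from the article, combined into one statement.
    WScript.Echo "Split:        " & Split(Split(strGroupDN, ",")(0), "=")(1)
    ' Hypothetical helper defined below.
    WScript.Echo "Escape-aware: " & GetFirstRdnValue(strGroupDN)
    WScript.Echo ""
Next

' Returns the value of the first RDN in strDN, honoring backslash escapes.
' Two-digit hex escapes (such as \0A) are outside the scope of this example.
Function GetFirstRdnValue(strDN)
    Dim i, strChar, strRdn, intEq
    strRdn = ""
    i = 1
    Do While i <= Len(strDN)
        strChar = Mid(strDN, i, 1)
        If strChar = "\" And i < Len(strDN) Then
            ' Escaped character: skip the backslash, keep the next character.
            i = i + 1
            strRdn = strRdn & Mid(strDN, i, 1)
        ElseIf strChar = "," Then
            ' The first unescaped comma ends the first RDN.
            Exit Do
        Else
            strRdn = strRdn & strChar
        End If
        i = i + 1
    Loop
    ' Drop the attribute type: everything up to and including the first "=".
    intEq = InStr(strRdn, "=")
    GetFirstRdnValue = Mid(strRdn, intEq + 1)
End Function
```

For the first DN both methods return Division 041; for the second, Split returns Sales\ while the function returns Sales, West.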
