JSI Tip 7225. How can I retrieve the list of groups that a domain user is a member of through nesting (recursion)?

In tip 2407 » Windows 2000 group types and scope usage, I explained that Global and Universal groups can be nested.

Using the Directory Service command-line tools from Windows Server 2003, I have scripted Nested.bat to return the domain groups that a domain user is only indirectly a member of, that is, groups the user belongs to solely because one of the user's directly assigned groups is nested inside them. The format of each returned group is "NetBIOSDomainName\GroupName".

To simply see the list, type nested [username] at a CMD prompt. To retrieve each nested group in a batch file, use a command similar to:

for /f "Tokens=*" %%g in ('nested [username]') do call :your_routine %%g

where [username] is an optional parameter. If omitted, the current user (%UserName%) is used.

Nested.bat contains:

@echo off
rem Nested.bat [username] - lists the domain groups a user belongs to only through nesting.
set usr=%username%
if not {%1}=={} set usr=%1
if exist %TEMP%\nested.tmp del /a %TEMP%\nested.tmp
rem Resolve the user's distinguished name from the sAMAccountName.
for /f "Tokens=*" %%u in ('dsquery user -samid %usr%') do set dn=%%u
rem Save the directly assigned groups, one quoted DN per line.
for /f "Tokens=*" %%a in ('dsget user %dn% -memberof') do @echo %%a>>%TEMP%\nested.tmp
rem Expand the nesting and keep only the groups that are not in the direct list.
for /f "Tokens=*" %%b in ('dsget user %dn% -memberof -expand ^|findstr /i /l /v /g:%TEMP%\nested.tmp') do set gdn=%%b&call :parse
if exist %TEMP%\nested.tmp del /a %TEMP%\nested.tmp
goto :EOF
:parse
rem gdn looks like "CN=GroupName,OU=...,DC=domain,DC=com": keep the CN and the first DC component.
for /f "Tokens=1-6 Delims=," %%a in ('@echo %gdn%') do set grp=%%a&set d1=%%c&set d2=%%d&set d3=%%e&set d4=%%f
set grp=%grp:~4%
set d1=%d1:"=%
if "%d1:~0,3%" EQU "DC=" set domain=%d1:~3%&goto continue
set d2=%d2:"=%
if "%d2:~0,3%" EQU "DC=" set domain=%d2:~3%&goto continue
set d3=%d3:"=%
if "%d3:~0,3%" EQU "DC=" set domain=%d3:~3%&goto continue
set d4=%d4:"=%
if "%d4:~0,3%" EQU "DC=" set domain=%d4:~3%&goto continue
set domain=UNKNOWN
:continue
@echo "%domain%\%grp%"
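The same enumeration done from PowerShell, as an added example that is not part of the original tip or of Nested.bat. It produces the same "DOMAIN\GroupName" lines (domain label taken from the first DC= component, exactly as :parse does), but instead of diffing dsget -memberof against -memberof -expand it asks the domain controller for the transitive membership with the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941) and subtracts the direct memberships. It assumes a domain-joined Windows host with line of sight to a domain controller; the function names and the default of the current user are my own choices.

```powershell
# Added example, not from the JSI tip. Usage: .\Get-NestedGroups.ps1 [-SamAccountName user]
param([string]$SamAccountName = $env:USERNAME)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN (which may contain \ ( ) *) can be embedded in a filter.
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function ConvertTo-DomainGroupName {
    # Mirrors the :parse routine of Nested.bat: CN of the group plus the first DC= component.
    param([string]$DistinguishedName)
    $parts = $DistinguishedName -split '(?<!\\),'      # split on commas that are not escaped
    $cn = ($parts | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $dc = ($parts | Where-Object { $_ -like 'DC=*' } | Select-Object -First 1) -replace '^DC=', ''
    if (-not $dc) { $dc = 'UNKNOWN' }
    return "$dc\$cn"
}

function Get-GroupDns {
    # Run an LDAP filter against the current domain and return the DN of every matching group.
    param([string]$Filter)
    $searcher = [ADSISearcher]$Filter
    $searcher.PageSize = 1000                          # paged results: do not stop at the 1000-entry cap
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) { $result.Properties['distinguishedname'][0] }
}

# Resolve the user's DN from the sAMAccountName (same role as "dsquery user -samid").
$userSearcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
[void]$userSearcher.PropertiesToLoad.Add('distinguishedName')
$user = $userSearcher.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found in the current domain." }
$userDn = ConvertTo-LdapFilterValue $user.Properties['distinguishedname'][0]

# Direct memberships (equivalent to "dsget user -memberof") ...
$direct = @(Get-GroupDns "(&(objectCategory=group)(member=$userDn))")
# ... and the full nesting chain (equivalent to "dsget user -memberof -expand").
$transitive = @(Get-GroupDns "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$userDn))")

# Nested-only groups are the transitive set minus the direct set, which is what Nested.bat prints.
$transitive |
    Where-Object { $direct -notcontains $_ } |
    ForEach-Object { ConvertTo-DomainGroupName $_ } |
    Sort-Object -Unique
```

Two caveats carry over from the batch version. Neither approach lists the user's primary group (Domain Users by default), because it is held in primaryGroupID rather than in any group's member attribute. And both read group objects from the directory rather than the user's logon token, so when reviewing what a user can actually do (for instance whether an account reaches a privileged group only through several levels of nesting), compare the output against the tokenGroups attribute or a whoami /groups run as that user.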
