{"id":71603,"date":"2004-08-20T11:51:00","date_gmt":"2004-08-20T11:51:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2004\/08\/20\/how-can-i-determine-which-groups-a-user-belongs-to\/"},"modified":"2004-08-20T11:51:00","modified_gmt":"2004-08-20T11:51:00","slug":"how-can-i-determine-which-groups-a-user-belongs-to","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-determine-which-groups-a-user-belongs-to\/","title":{"rendered":"How Can I Determine Which Groups a User Belongs To?"},"content":{"rendered":"<p><img decoding=\"async\" class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" border=\"0\" alt=\"Hey, Scripting Guy! Question\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" height=\"34\"><\/p>\n<p>Hey, Scripting Guy! In my logon script, how can I find out which Active Directory groups a user belongs to? <\/p>\n<p>&#8212; JB, Montpelier, VT<\/p>\n<p><img decoding=\"async\" border=\"0\" alt=\"Spacer\" src=\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\" width=\"5\" height=\"5\"><img decoding=\"async\" class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" border=\"0\" alt=\"Hey, Scripting Guy! Answer\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" height=\"34\"><a href=\"http:\/\/go.microsoft.com\/fwlink\/?linkid=68779&amp;clcid=0x409\"><img decoding=\"async\" class=\"farGraphic\" title=\"Script Center\" border=\"0\" alt=\"Script Center\" align=\"right\" src=\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" width=\"120\" height=\"288\"><\/a><\/p>\n<p>Hey, JB. 
This is pretty easy to do in a logon script:<\/p>\n<pre class=\"codeSample\">On Error Resume Next\nSet objADSysInfo = CreateObject(\"ADSystemInfo\")\nstrUser = objADSysInfo.UserName\nSet objUser = GetObject(\"LDAP:\/\/\" &amp; strUser)\n' GetEx always returns an array, even when the user belongs to only one group\narrGroups = objUser.GetEx(\"memberOf\")\nIf Err.Number = 0 Then\n    For Each strGroup in arrGroups\n        Set objGroup = GetObject(\"LDAP:\/\/\" &amp; strGroup)\n        Wscript.Echo objGroup.CN\n    Next\nEnd If\n<\/pre>\n<p>So what\u2019s going on here? Well, we begin by using the ADSystemInfo object to determine the distinguished name of the logged-on user; that will be a name similar to this:<\/p>\n<pre class=\"codeSample\">CN=kenmyer, OU=Managers, DC=fabrikam, DC=com\n<\/pre>\n<p>As soon as we have the distinguished name, we can use the LDAP provider to bind to the user account in Active Directory. One of the properties of an Active Directory user account is memberOf, which lists all the groups the user belongs to. We retrieve it with GetEx rather than reading objUser.memberOf directly, because GetEx always hands back an array, even when the user belongs to just one group (read directly, a single-valued memberOf comes back as a plain string, and For Each fails). Because we always have an array, we can use a For Each loop to list all the groups; the Err.Number check skips the loop if the user has no memberOf values at all. <\/p>\n<p>When we report back the group names, however, we do one last thing. By default groups are stored by distinguished name in the memberOf property; thus you get back things like this:<\/p>\n<pre class=\"codeSample\">CN=Production Leads, OU=Managers, DC=fabrikam, DC=com\n<\/pre>\n<p>Distinguished names are great for binding to Active Directory, but less useful for answering questions like, \u201cDoes this user belong to the Production Leads group?\u201d So we take one extra step and, after retrieving the distinguished name for a group, we then bind to the group account in Active Directory. By doing so we can retrieve the CN (common name) for the group, and thus report back group names like this:<\/p>\n<pre class=\"codeSample\">Production Leads\n<\/pre>\n<p>A bit easier to deal with, to say the least.<\/p>\n<p>Two things to keep in mind here. 
First, this script runs only on Windows 2000, Windows XP, and Windows 2003; that\u2019s because the ADSystemInfo object isn\u2019t supported on Windows NT 4.0 or Windows 98. Second, this script returns only the groups where the user is individually named as a member. So what, you ask? Well, suppose the user is a member of Group A, and Group A happens to be a member of Group B. This script can\u2019t identify groups within groups; that requires a slightly more complicated bit of coding, something we\u2019ll take up later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! In my logon script, how can I find out which Active Directory groups a user belongs to? &#8212; JB, Montpelier, VT Hey, JB. This is pretty easy to do in a logon script: On Error Resume Next Set objADSysInfo = CreateObject(&#8220;ADSystemInfo&#8221;) strUser = objADSysInfo.UserName Set objUser = GetObject(&#8220;LDAP:\/\/&#8221; &amp; strUser) For Each [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[9,10,3,4,5],"class_list":["post-71603","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-adsi","tag-adsysteminfo","tag-scripting-guy","tag-scripting-techniques","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! In my logon script, how can I find out which Active Directory groups a user belongs to? &#8212; JB, Montpelier, VT Hey, JB. 
This is pretty easy to do in a logon script: On Error Resume Next Set objADSysInfo = CreateObject(&#8220;ADSystemInfo&#8221;) strUser = objADSysInfo.UserName Set objUser = GetObject(&#8220;LDAP:\/\/&#8221; &amp; strUser) For Each [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/71603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=71603"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/71603\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=71603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=71603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=71603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}