Recipe 6.14 Viewing a User's Group Membership

6.14.1 Problem

You want to view the group membership of a user.

6.14.2 Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Type the name of the user beside Name and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Click the Member Of tab.

  7. To view all indirect group membership (from nested groups), you'll need to double-click on each group.

Using a command-line interface

The following command displays the groups <UserDN> is a member of. Use the -expand switch to list nested group membership as well:

> dsget user <UserDN> -memberof [-expand]

Using VBScript

' This code displays the group membership of a user.
' It avoids infinite loops due to circular group nesting by
' keeping track of the groups that have already been seen.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"  ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
Wscript.Echo "Group membership for " & objUser.Get("cn") & ":"
strSpaces = ""
set dicSeenGroup = CreateObject("Scripting.Dictionary")
DisplayGroups "LDAP://" & strUserDN, strSpaces, dicSeenGroup

Function DisplayGroups ( strObjectADsPath, strSpaces, dicSeenGroup)

   set objObject = GetObject(strObjectADsPath)
   WScript.Echo strSpaces & objObject.Name
   on error resume next ' Doing this to avoid an error when memberOf is empty
   ' memberOf is returned as an array when it holds several values but as a
   ' single string when the object is in exactly one group; normalize to an array.
   if IsArray( objObject.Get("memberOf") ) then
      colGroups = objObject.Get("memberOf")
   else
      colGroups = Array( objObject.Get("memberOf") )
   end if
   for each strGroupDN In colGroups
      ' Expand each group only once so circular nesting cannot recurse forever
      if Not dicSeenGroup.Exists(strGroupDN) then
         dicSeenGroup.Add strGroupDN, 1
         DisplayGroups "LDAP://" & strGroupDN, strSpaces & " ", dicSeenGroup
      end if
   next

End Function

6.14.3 Discussion

The memberOf attribute on user objects is multivalued and contains the list of distinguished names for the groups the user is a member of. memberOf is actually linked with the member attribute on group objects, which holds the distinguished names of its members. For this reason, you cannot directly modify the memberOf attribute; you must instead modify the member attribute on the group.

The primary group of a user, which the user is technically a member of, will not be shown in either the CLI or VBScript solutions. This is due to the fact that the primary group is not stored in the memberOf attribute like the rest of the groups. See Recipe 6.15 and Recipe 7.8 for more on finding the primary group of a user.
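The nested walk the VBScript solution performs, as an added Python example (not from the book) run over a constructed in-memory directory instead of a live LDAP connection. It goes one step beyond the recipe by also resolving the primary group that the Discussion says memberOf omits, matching the user's primaryGroupID against the RID at the end of each group's objectSid; the DNs, SIDs and group names are made up.

```python
# Constructed in-memory stand-in for the directory (DN -> attributes);
# the DNs, SIDs and group names are made up for this example.
DIRECTORY = {
    "cn=jsmith,cn=Users,dc=rallencorp,dc=com": {
        "memberOf": ["cn=HelpDesk,cn=Users,dc=rallencorp,dc=com"],
        "primaryGroupID": 513,  # RID of the primary group, not in memberOf
    },
    "cn=HelpDesk,cn=Users,dc=rallencorp,dc=com": {
        "memberOf": ["cn=ServerOps,cn=Users,dc=rallencorp,dc=com"],
    },
    "cn=ServerOps,cn=Users,dc=rallencorp,dc=com": {
        # Circular nesting: ServerOps is itself a member of HelpDesk.
        "memberOf": ["cn=HelpDesk,cn=Users,dc=rallencorp,dc=com",
                     "cn=Domain Admins,cn=Users,dc=rallencorp,dc=com"],
    },
    "cn=Domain Admins,cn=Users,dc=rallencorp,dc=com": {},  # no memberOf
    "cn=Domain Users,cn=Users,dc=rallencorp,dc=com": {
        "objectSid": "S-1-5-21-1111-2222-3333-513",
    },
}

def nested_groups(dn, seen=None, depth=0):
    """Walk memberOf recursively; returns [(depth, group DN), ...].
    'seen' does what dicSeenGroup does in the VBScript: each group is
    expanded once, so circular nesting cannot recurse forever."""
    if seen is None:
        seen = set()
    found = []
    # An object without a memberOf attribute contributes nothing.
    for group_dn in DIRECTORY.get(dn, {}).get("memberOf", []):
        if group_dn not in seen:
            seen.add(group_dn)
            found.append((depth, group_dn))
            found.extend(nested_groups(group_dn, seen, depth + 1))
    return found

def primary_group(user_dn):
    """The primary group is not in memberOf; find it by matching the user's
    primaryGroupID against the RID (last component) of each group's SID."""
    rid = DIRECTORY[user_dn].get("primaryGroupID")
    for dn, attrs in DIRECTORY.items():
        if rid is not None and attrs.get("objectSid", "").endswith("-%d" % rid):
            return dn
    return None

def effective_groups(user_dn):
    """Nested memberOf groups plus the primary group: the complete list."""
    groups = [g for _, g in nested_groups(user_dn)]
    pg = primary_group(user_dn)
    return groups + [pg] if pg and pg not in groups else groups
```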

6.14.4 See Also

Recipe 7.3 for more on viewing the nested members of a group, and Recipe 10.16 for more information on linked attributes.
