Viewing the Nested Members of a Group
Using a graphical user interface
Using a command-line interface
> dsget group "<GroupDN>" -members -expand
' This code prints the nested membership of a group. ' ------ SCRIPT CONFIGURATION ------ strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- strSpaces = " " set dicSeenGroupMember = CreateObject("Scripting.Dictionary") Wscript.Echo "Members of " & strGroupDN & ":" DisplayMembers("LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember) Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember) set objGroup = GetObject(strGroupADsPath) for each objMember In objGroup. Members Wscript.Echo strSpaces & objMember.Name if objMember.Class = "group" then if dicSeenGroupMember.Exists(objMember.ADsPath) then Wscript.Echo strSpaces & " ^ already seen group member " & _ "(stopping to avoid loop)" else dicSeenGroupMember.Add objMember.ADsPath, 1 DisplayMembers objMember.ADsPath, strSpaces & " ", _ dicSeenGroupMember end if end if next End Function
As described in Recipe 7.3, group membership is stored in the multivalued member attribute on group objects. But that attribute will not show the complete picture because group nesting is allowed in Active Directory after you've transitioned from mixed mode. To view the complete group membership, you have to recurse through each group's members.
In the VBScript example, we used a dictionary object (referred to as a hash or associative array in other languages) to ensure that we did not get in an infinite loop. The dictionary object stores each group member; before the DisplayMembers function is called a check is performed to determine if the group has already been evaluated. If so, a message is displayed indicating the group will not be processed again. If this type of checking was not employed and you had a situation where group A was a member of group B, group B was a member of group C, and group C was a member of group A, the loop would repeat without terminating.
Recipe 7.3 for viewing group membership and MSDN: IADsMember