Viewing the Nested Members of a Group

Problem

You want to view the nested membership of a group.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click the Members tab.

  7. You must now double-click on each group member to view its membership.

Using a command-line interface
	> dsget group "<GroupDN>" -members -expand

Using VBScript
	' This code prints the nested membership of a group.
	' ------ SCRIPT CONFIGURATION ------
	strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
	' ------ END CONFIGURATION ---------

	strSpaces = " "
	' Dictionary of group ADsPaths already expanded; used to stop on cycles
	set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
	Wscript.Echo "Members of " & strGroupDN & ":"
	' Call is required here: VBScript rejects parentheses around multiple
	' arguments when a procedure is invoked as a statement
	Call DisplayMembers("LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember)

	Function DisplayMembers(strGroupADsPath, strSpaces, dicSeenGroupMember)

	   set objGroup = GetObject(strGroupADsPath)
	   for each objMember In objGroup.Members
	      Wscript.Echo strSpaces & objMember.Name
	      if objMember.Class = "group" then
	         if dicSeenGroupMember.Exists(objMember.ADsPath) then
	            Wscript.Echo strSpaces & " ^ already seen group member " & _
	                                         "(stopping to avoid loop)"
	         else
	            dicSeenGroupMember.Add objMember.ADsPath, 1
	            ' Recurse one level deeper, indenting the output
	            DisplayMembers objMember.ADsPath, strSpaces & " ", _
	                           dicSeenGroupMember
	         end if
	      end if
	   next

	End Function

Discussion

As described in Recipe 7.3, group membership is stored in the multivalued member attribute on group objects. But that attribute will not show the complete picture because group nesting is allowed in Active Directory after you've transitioned from mixed mode. To view the complete group membership, you have to recurse through each group's members.

In the VBScript example, we used a dictionary object (referred to as a hash or associative array in other languages) to ensure that we did not get into an infinite loop. The dictionary object records each nested group that has been expanded; before DisplayMembers is called for a group member, a check is performed to determine whether that group has already been evaluated. If so, a message is displayed indicating the group will not be processed again. If this type of checking were not employed and you had a situation where group A was a member of group B, group B was a member of group C, and group C was a member of group A, the loop would repeat without terminating.
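The same cycle-safe expansion, as an added example that is not the cookbook's own code: it runs offline against a constructed in-memory stand-in for the directory (DN to objectClass and member list, with the A, B, C cycle from the paragraph above) and, unlike the VBScript, also marks the starting group as seen. The `lookup` parameter is an assumption so the walk could be pointed at a real LDAP search instead.

```python
# Added example: depth-first expansion of nested group membership with a
# "seen" set, the algorithm the recipe's VBScript uses, over constructed data.
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory: DN -> (objectClass, member DNs).  A -> B -> C -> A
# forms the cycle described in the Discussion; Alice is reachable twice.
DIRECTORY: Dict[str, Tuple[str, List[str]]] = {
    "CN=GroupA,OU=Groups,DC=example,DC=com": ("group", [
        "CN=GroupB,OU=Groups,DC=example,DC=com",
        "CN=Alice,OU=Users,DC=example,DC=com"]),
    "CN=GroupB,OU=Groups,DC=example,DC=com": ("group", [
        "CN=GroupC,OU=Groups,DC=example,DC=com",
        "CN=Bob,OU=Users,DC=example,DC=com"]),
    "CN=GroupC,OU=Groups,DC=example,DC=com": ("group", [
        "CN=GroupA,OU=Groups,DC=example,DC=com",  # closes the loop
        "CN=Alice,OU=Users,DC=example,DC=com"]),
    "CN=Alice,OU=Users,DC=example,DC=com": ("user", []),
    "CN=Bob,OU=Users,DC=example,DC=com": ("user", []),
}

def lookup(dn: str) -> Tuple[str, List[str]]:
    """Stand-in for an LDAP read of objectClass and member (assumed helper)."""
    return DIRECTORY[dn]

def expand_group(group_dn: str, seen: Optional[Set[str]] = None, depth: int = 0,
                 out: Optional[List[Tuple[str, str, int, str]]] = None):
    """Return (dn, objectClass, depth, note) rows in display order.
    'seen' holds groups already expanded: a group met again is reported once
    with a note and not followed, which keeps the recursion finite."""
    seen = {group_dn} if seen is None else seen
    out = [] if out is None else out
    for member_dn in lookup(group_dn)[1]:
        cls = lookup(member_dn)[0]
        if cls == "group" and member_dn in seen:
            out.append((member_dn, cls, depth, "already seen (cycle)"))
            continue
        out.append((member_dn, cls, depth, ""))
        if cls == "group":
            seen.add(member_dn)
            expand_group(member_dn, seen, depth + 1, out)
    return out

def effective_users(group_dn: str) -> List[str]:
    """Distinct non-group members reachable through any nesting depth."""
    return sorted({dn for dn, cls, _, _ in expand_group(group_dn) if cls != "group"})

if __name__ == "__main__":
    for dn, cls, depth, note in expand_group("CN=GroupA,OU=Groups,DC=example,DC=com"):
        print("  " * depth + dn + ("  <- " + note if note else ""))
```

The flattened list from effective_users is the one to compare against an access review, since nesting hides which accounts actually hold the group's rights.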

See Also

Recipe 7.3 for viewing group membership and MSDN: IADsMember
