At my company, many managers were asking me for membership lists so that they could determine who has access to what applications. To get this information, I was constantly pulling lists from the Microsoft Management Console (MMC) Active Directory Users and Computer snap-in. To alleviate this time-consuming task, I created the Group Enumerator utility (AD-GroupMem.hta). This HTML Application (HTA) provides users with group membership information without-having to give them access to the domain through the Active Directory Users and Computer snap-in. Now that I've created the Group Enumerator utility, managers can look up membership information themselves.

Figure 2 shows the Group Enumerator utility's UI. If you select a group in the Distribution Groups or Security Groups column, the members of that group will appear in the Group Membership column. The Group Enumerator utility supports subgroups. A plus sign (+) will appear in front of each subgroup in the Distribution Groups and Security Groups columns. In the Group Membership column, a hyphen (-) will appear in front of each submember. If you click the Export Results button, the HTA will export the results to Microsoft Excel.

You can download the Group Enumerator utility from the Windows Scripting SolutionsWeb site. (See page 1 for download information.) Listing 3 shows the code you need to customize to get the Group Enumerator utility to work in your environment. You need to replace the DOMAIN constant's value with your AD domain's name. If you don't want groups from certain organizational units (OUs) to display in the Group Enumerator utility, you can customize the code at callout A in Listing 3. After you customize this code, you need to remove the comment characters that precede it and comment out the line that callout B shows.