MemberOf

How do you handle enumerating the groups a user has in Active Directory? Especially when there could be n levels of nesting going on with possible recursive nesting.

I was wondering that myself... I checked out Microsoft's Resource Kit tool ifmember and it doesn't enumerate nested groups unless the nesting is the old NT way of nesting Global groups into Local groups.

Well, I sat down this morning and worked out a solution. MemberOf is the solution: if you just run it, it will give you the groups that the current process security context user has. You can specify a different user if you would like. It supports both UPN and flat username specification formats (i.e. user@domain and domain\user). If you use the -h switch you can see usage help. Here is a little sample run:
G:\Dev\cpp\MemberOf>memberof -u firstname.lastname@example.org
MemberOf V01.02.00cpp Joe Richards (email@example.com) August 2001
\[Global Security\] \[Domain Users\] CN=Domain Users,CN=Users,DC=joehome,DC=com
\[Global Security\] \[GGroup1\] CN=GGroup1,OU=Test,DC=joehome,DC=com
\[Global Security\] \[GGroup2\] CN=GGroup2,OU=Test,DC=joehome,DC=com
\[Local Security\] \[TestGroup2\] CN=TestGroup2,OU=Test,DC=joehome,DC=com
\[Local Security\] \[Users\] CN=Users,CN=Builtin,DC=joehome,DC=com
\[Local Security\] \[testgroup1\] CN=testgroup1,OU=Test,DC=joehome,DC=com
\[Local Security\] \[testgroup3\] CN=testgroup3,OU=Test,DC=joehome,DC=com
This program could be used in a logon script to check if a user is in a specific group in the following way:
memberof -q | find /i "\[domain admins\]" >nul
This program works by enumerating the memberOf attribute of a user ID (hence the name). This means the program only displays group memberships that appear in that attribute: Global and Local groups of the user's domain and Universal groups of the user's forest. For some reason, MS doesn't include the user's primary group in the memberOf attribute, so by default the program goes and figures out that group on the side. If you want to disable this feature you can specify -np on the command line.
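As an added example (not the MemberOf tool's own code), the same enumeration in Python over a constructed in-memory directory snapshot: it walks memberOf transitively with a visited set so the recursive nesting from the opening question terminates, and recovers the primary group from the user's primaryGroupID RID combined with the domain part of the user's own objectSid. That attribute-based lookup is standard AD behaviour; that MemberOf resolves it the same way is an assumption, and every DN, SID and RID in the snapshot is made up.

```python
import struct

def sid_from_bytes(raw):
    """Decode a binary objectSid into its S-1-... string form."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))

def sid_to_bytes(rev, authority, subs):
    """Encode a SID the way AD stores objectSid (only used to build the sample data)."""
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

DOMAIN = (21, 1111, 2222, 3333)  # constructed sub-authorities of the fictitious joehome.com domain SID
DIRECTORY = {  # constructed snapshot (DN -> attributes); every value here is made up
    "CN=jrichards,CN=Users,DC=joehome,DC=com": {
        "objectSid": sid_to_bytes(1, 5, DOMAIN + (1105,)),
        "primaryGroupID": 513,  # RID of Domain Users; AD does not list it in memberOf
        "memberOf": ["CN=GGroup1,OU=Test,DC=joehome,DC=com"],
    },
    "CN=Domain Users,CN=Users,DC=joehome,DC=com": {"objectSid": sid_to_bytes(1, 5, DOMAIN + (513,)), "memberOf": []},
    "CN=GGroup1,OU=Test,DC=joehome,DC=com": {"memberOf": ["CN=testgroup1,OU=Test,DC=joehome,DC=com"]},
    "CN=testgroup1,OU=Test,DC=joehome,DC=com": {"memberOf": ["CN=testgroup3,OU=Test,DC=joehome,DC=com"]},
    "CN=testgroup3,OU=Test,DC=joehome,DC=com": {"memberOf": ["CN=testgroup1,OU=Test,DC=joehome,DC=com"]},  # recursive nesting
}

def primary_group_dn(user_dn, directory=DIRECTORY):
    """Primary group SID = the domain part of the user's own objectSid + the primaryGroupID RID."""
    user = directory[user_dn]
    wanted = "%s-%d" % (sid_from_bytes(user["objectSid"]).rsplit("-", 1)[0], user["primaryGroupID"])
    for dn, attrs in directory.items():
        if "objectSid" in attrs and sid_from_bytes(attrs["objectSid"]) == wanted:
            return dn
    return None

def all_groups(user_dn, directory=DIRECTORY, include_primary=True):
    """Follow memberOf transitively; the visited set makes recursive nesting terminate."""
    pg = primary_group_dn(user_dn, directory) if include_primary else None
    todo = list(directory[user_dn]["memberOf"]) + ([pg] if pg else [])
    seen = set()
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(directory.get(dn, {}).get("memberOf", []))
    return sorted(seen)

def is_member(user_dn, group_cn, directory=DIRECTORY):
    """Case-insensitive CN check, the same test the logon-script `find /i` line makes."""
    return any(dn.lower().startswith("cn=%s," % group_cn.lower()) for dn in all_groups(user_dn, directory))
```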
\[Version: 1.02.00, Date: 8/11/01\]
MemberOf \[-s DomainController\] \[-u userid\] \[-np\]
  DomainController  DC to direct queries to. Default value - Default
  userid            User ID to look up. Default value - current user
                    format: username@domain or domain\username
  -np               Disables the default action of grabbing the primary
                    group and adding it to the list. The primary group is
                    not listed in the memberOf attribute so it has to be
                    grabbed separately.
Ex1: MemberOf
  Looks up the current user's info on whatever DC it finds.
Ex2: MemberOf -s DC1 -u firstname.lastname@example.org
  Will verify that DC1 is a DC that has info for joeware.net
  and then look up info for the email@example.com id.
Ex3: MemberOf -np
  Looks up the current user on the default LDAP server, without getting the primary group.
This software is Freeware. Use it as you wish at your own risk.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at http://www.joeware.net