I quote:

MemberOf - How do you handle enumerating the groups a user has in Active Directory? Especially when there could be n levels of nesting going on with possible recursive nesting. I was wondering that myself... I checked out Microsoft's Resource Kit Tool ifmember and it doesn't enumerate nested groups unless the nesting is the old NT way of nesting Global groups into Local Groups. Well I sat down this morning and worked out a solution. MemberOf is the solution, if you just run it it will give you the groups that the current process security context user has. You can specify a different user if you would like. It supports both UPN and Flat username specification formats (i.e. user@domain and domain\user). If you use the -h switch you can see usage help. Here is a little sample run:

G:\Dev\cpp\MemberOf>memberof -u test2@joehome.com

MemberOf V01.02.00cpp Joe Richards (joe@joeware.net) August 2001

Group Memberships:
  \[Global Security\] \[Domain Users\] CN=Domain Users,CN=Users,DC=joehome,DC=com
  \[Global Security\] \[GGroup1\] CN=GGroup1,OU=Test,DC=joehome,DC=com
  \[Global Security\] \[GGroup2\] CN=GGroup2,OU=Test,DC=joehome,DC=com
  \[Local Security\] \[TestGroup2\] CN=TestGroup2,OU=Test,DC=joehome,DC=com
  \[Local Security\] \[Users\] CN=Users,CN=Builtin,DC=joehome,DC=com
  \[Local Security\] \[testgroup1\] CN=testgroup1,OU=Test,DC=joehome,DC=com
  \[Local Security\] \[testgroup3\] CN=testgroup3,OU=Test,DC=joehome,DC=com

This program could be used in a logon script to check if a user is in a specific group in the following way:

@echo off
memberof -q | find /i "\[domain admins\]" >null
if %ERRORLEVEL%*

0* echo "User is member of domain admins"
if %ERRORLEVEL%*

1* echo "User is not a member of domain admins"

This program works by enumerating the MemberOf attribute of a userid hence the name, this means that the program would only display group memberships which would be in this attribute and that includes Global/Local Groups of the user's domain and Universal Groups of the user's Forest. For some reason, MS doesn't include the user's Primary group in the MemberOf attribute so the program by default will go figure out that group on the side. If you want to disable this feature you can specify -np on the command line.
\[Version: 1.02.00, Date: 8/11/01\]

memberof /?

MemberOf V01.02.00cpp Joe Richards (joe@joeware.net) August 2001

Usage:
 MemberOf \[-s DomainController\] \[-u userid\] \[-np\]

   DomainController    DC to direct queries to. Default value - Default
                       LDAP Server

   userid              User Id to look up. Default value - current user
                       format: username@domain or domain\username

   -np                 Disables default action of grabbing primary group
                       and adding to the list. The primary group is not a
                       member of memberOf attribute so it has to be grabbed
                       specially.

  Ex1: MemberOf
          This look up the current user info on whatever DC it finds.

  Ex2: MemberOf -s DC1 -u joe@joeware.net
           Will verify that DC1 is a DC that has info for joeware.net
           and then lookup info for the joe@joeware.net id.

  Ex3: MemberOf -p n
           Look up current user on default ldap server, don't get primary
           group information.


 This software is Freeware. Use it as you wish at your own risk.
 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at http://www.joeware.net