I quote:

MemberOf - How do you handle enumerating the groups a user has in Active Directory? Especially when there could be n levels of nesting going on, with possible recursive nesting. I was wondering that myself... I checked out Microsoft's Resource Kit tool ifmember and it doesn't enumerate nested groups unless the nesting is the old NT way of nesting Global groups into Local groups. Well, I sat down this morning and worked out a solution. MemberOf is the solution: if you just run it, it will give you the groups that the current process security context user has. You can specify a different user if you would like. It supports both UPN and flat username specification formats (i.e. user@domain and domain\user). If you use the -h switch you can see usage help. Here is a little sample run:

G:\Dev\cpp\MemberOf>memberof -u test2@joehome.com

MemberOf V01.02.00cpp Joe Richards (joe@joeware.net) August 2001

Group Memberships:
  [Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=joehome,DC=com
  [Global Security] [GGroup1] CN=GGroup1,OU=Test,DC=joehome,DC=com
  [Global Security] [GGroup2] CN=GGroup2,OU=Test,DC=joehome,DC=com
  [Local Security] [TestGroup2] CN=TestGroup2,OU=Test,DC=joehome,DC=com
  [Local Security] [Users] CN=Users,CN=Builtin,DC=joehome,DC=com
  [Local Security] [testgroup1] CN=testgroup1,OU=Test,DC=joehome,DC=com
  [Local Security] [testgroup3] CN=testgroup3,OU=Test,DC=joehome,DC=com

This program could be used in a logon script to check if a user is in a specific group in the following way:

@echo off
rem find sets errorlevel 0 when the group name appears in the output, 1 when it does not
memberof -q | find /i "[domain admins]" >nul
if errorlevel 1 goto notmember
echo User is member of domain admins
goto end
:notmember
echo User is not a member of domain admins
:end

This program works by enumerating the MemberOf attribute of a userid, hence the name. This means that the program will only display group memberships that are in this attribute, which includes Global/Local groups of the user's domain and Universal groups of the user's forest. For some reason, MS doesn't include the user's Primary group in the MemberOf attribute, so the program by default will go figure out that group on the side. If you want to disable this feature you can specify -np on the command line.
[Version: 1.02.00, Date: 8/11/01]

memberof /?

MemberOf V01.02.00cpp Joe Richards (joe@joeware.net) August 2001

Usage:
  MemberOf [-s DomainController] [-u userid] [-np]

    DomainController    DC to direct queries to. Default value - Default
                        LDAP Server
    userid              User Id to look up. Default value - current user
                        format: username@domain or domain\username
    -np                 Disables default action of grabbing primary group
                        and adding to the list. The primary group is not a
                        member of memberOf attribute so it has to be grabbed
                        specially.

Ex1: MemberOf
       This look up the current user info on whatever DC it finds.

Ex2: MemberOf -s DC1 -u joe@joeware.net
       Will verify that DC1 is a DC that has info for joeware.net
       and then lookup info for the joe@joeware.net id.

Ex3: MemberOf -p n
       Look up current user on default ldap server, don't get primary
       group information.

This software is Freeware. Use it as you wish at your own risk.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at http://www.joeware.net
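The two points the quoted text makes (the primary group is missing from memberOf and must be derived from primaryGroupID, and nesting can recurse) are shown below in an added Python example that is not Joe Richards's MemberOf code. It works over a constructed in-memory directory with invented DNs and SIDs standing in for LDAP attribute reads; it goes one step beyond the tool by walking nested groups transitively and stopping on cycles.

```python
from __future__ import annotations
# Constructed sample directory (invented DNs/SIDs): DN -> attributes as an
# LDAP client would read them. A real audit would fetch these over LDAP.
DIRECTORY = {
    "CN=test2,CN=Users,DC=joehome,DC=com": {
        "objectSid": "S-1-5-21-1-2-3-1105",
        "primaryGroupID": 513,  # Domain Users; NOT listed in memberOf
        "memberOf": ["CN=GGroup1,OU=Test,DC=joehome,DC=com"],
    },
    "CN=Domain Users,CN=Users,DC=joehome,DC=com": {
        "objectSid": "S-1-5-21-1-2-3-513",
        "memberOf": ["CN=Users,CN=Builtin,DC=joehome,DC=com"],
    },
    "CN=Users,CN=Builtin,DC=joehome,DC=com": {"objectSid": "S-1-5-32-545", "memberOf": []},
    "CN=GGroup1,OU=Test,DC=joehome,DC=com": {
        "objectSid": "S-1-5-21-1-2-3-1106",
        "memberOf": ["CN=GGroup2,OU=Test,DC=joehome,DC=com"],
    },
    "CN=GGroup2,OU=Test,DC=joehome,DC=com": {
        "objectSid": "S-1-5-21-1-2-3-1107",
        "memberOf": ["CN=GGroup1,OU=Test,DC=joehome,DC=com"],  # nesting loop
    },
}

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group is in the user's own domain: swap the user's RID for primaryGroupID."""
    domain_sid, _rid = user_sid.rsplit("-", 1)
    return f"{domain_sid}-{primary_group_id}"

def dn_for_sid(sid: str) -> str | None:
    """Reverse-map a SID to a DN in the sample directory (an objectSid search in practice)."""
    return next((dn for dn, attrs in DIRECTORY.items() if attrs["objectSid"] == sid), None)

def effective_groups(user_dn: str, include_primary: bool = True) -> list[str]:
    """Transitive closure of memberOf, seeded with the primary group, cycle-safe."""
    user = DIRECTORY[user_dn]
    stack = list(user.get("memberOf", []))
    if include_primary:  # the equivalent of running without -np
        pg_dn = dn_for_sid(primary_group_sid(user["objectSid"], user["primaryGroupID"]))
        if pg_dn is not None:
            stack.append(pg_dn)
    seen: set[str] = set()
    while stack:
        dn = stack.pop()
        if dn in seen:  # already expanded: stops recursive nesting from looping
            continue
        seen.add(dn)
        stack.extend(DIRECTORY.get(dn, {}).get("memberOf", []))
    return sorted(seen)
```

Run with include_primary=False the walk misses Domain Users and the Builtin Users group it is nested in, which is exactly the gap a memberOf-only check leaves.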