Using the Active Directory command-line tools and the primaryGroupID.bat batch file, I have scripted AllUsrSecGrp.bat to display every user's security group membership, including nested groups, in a semicolon-delimited format, like:

"User Distinguished Name";"Group Distinguished Name"

The syntax for using AllUsrSecGrp.bat is:

AllUsrSecGrp

AllUsrSecGrp.bat contains:

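@echo off
rem AllUsrSecGrp.bat - list every user's security group membership, nested
rem groups included, one "User DN";"Group DN" pair per line on stdout.
rem Requires the Active Directory command-line tools (dsquery, dsget) and
rem primaryGroupID.bat to be reachable from the current directory or PATH.
rem
rem NOTE(review): the output is a full map of who is in which security group.
rem Treat any redirected copy as sensitive. The two work files in the TEMP
rem directory hold the same data and are deleted only on normal completion,
rem so an interrupted run leaves them behind. Their names are fixed, so two
rem simultaneous runs under the same account would write to the same files.
rem NOTE(review): with delayed expansion enabled, a DN that contains an
rem exclamation mark is likely to be altered - confirm on your directory.
setlocal ENABLEDELAYEDEXPANSION
rem Remove a work file left over from an earlier, interrupted run.
if exist "%TEMP%\AllUsrSecGrp.TM1" del /q "%TEMP%\AllUsrSecGrp.TM1"
rem Query every user object for its primaryGroupID and distinguishedName.
rem -limit 0 removes the dsquery cap on the number of returned objects.
set qry1=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr primaryGroupID distinguishedName -limit 0
rem Skip=1 drops the column header. Token 1 is the primaryGroupID and the
rem remainder of the line is the distinguished name.
for /f "Skip=1 Tokens=1*" %%t in ('%qry1%') do (
 rem Quote the DN, then strip the column padding that dsquery appends.
 rem Any DN that itself contains two consecutive spaces is altered as well.
 set usr="%%u"
 set usr=!usr:  =!
 set usr=!usr: "="!
 rem The primary group is not listed in memberOf, so it is resolved apart.
 rem Presumably primaryGroupID.bat stores the group DN in pgidn - helper not shown.
 call primaryGroupID %%t pgidn
 rem Record the primary group only when dsget reports a security group.
 for /f "Tokens=1" %%s in ('dsget group !pgidn! -secgrp^|find "yes"') do (
  @echo !usr!;!pgidn!>>"%TEMP%\AllUsrSecGrp.TM1"
 )
 rem Walk the expanded membership list, which includes nested groups.
 for /f "Tokens=*" %%g in ('dsget user !usr! -memberof -expand') do (
  rem Keep security groups only, distribution groups are skipped.
  for /f "Tokens=1" %%s in ('dsget group %%g -secgrp^|find "yes"') do (
   @echo !usr!;%%g>>"%TEMP%\AllUsrSecGrp.TM1"
  )
 )
)
rem Nothing was recorded, so report that and stop.
if not exist "%TEMP%\AllUsrSecGrp.TM1" @echo No group membership&endlocal&goto :EOF
rem Sort so that duplicate pairs become adjacent, then drop the unsorted file.
sort "%TEMP%\AllUsrSecGrp.TM1" /O "%TEMP%\AllUsrSecGrp.TM2"
del /q "%TEMP%\AllUsrSecGrp.TM1"
rem Print each distinct pair once. Lines are compared with quotes removed.
set prev=NONE
for /f "Tokens=*" %%u in ('type "%TEMP%\AllUsrSecGrp.TM2"') do (
 set line=%%u
 set line=!line:"=!
 if "!prev!" NEQ "!line!" @echo %%u
 set prev=!line!
)
rem Remove the sorted work file so no membership data stays in TEMP.
del /q "%TEMP%\AllUsrSecGrp.TM2"
endlocal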