WindowsDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement

Windows Topics


AddThis Social Bookmark Button

Cooking with Active Directory, Part 2
Pages: 1, 2

Recipe 7.3: Viewing the Nested Members of a Group

Problem

You want to view the nested members of a group.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group and click Find Now.
  5. Double-click on the group in the bottom results pane.
  6. Click the Members tab.
  7. You now have to double-click on each group member to view its membership.

Using a command-line interface

> dsget group "<GroupDN>" -members -expand

Using VBScript

' This code prints the nested membership of a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
 
strSpaces  = " "
set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
Wscript.Echo "Members of " & strGroupDN & ":"
DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember
 
Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember)
 
   set objGroup = GetObject(strGroupADsPath)
   for each objMember In objGroup.Members
      Wscript.Echo strSpaces & objMember.Name
      if objMember.Class = "group" then
         if dicSeenGroupMember.Exists(objMember.ADsPath) then
            Wscript.Echo strSpaces & "   ^ already seen group member " & _
                                     "(stopping to avoid loop)"
         else
            dicSeenGroupMember.Add objMember.ADsPath, 1
            DisplayMembers objMember.ADsPath, strSpaces & " ", _
                           dicSeenGroupMember
         end if
      end if
   next
 
End Function

Discussion

As described in "Viewing the Direct Members of a Group," group membership is stored in the multivalued member attribute on group objects. But that attribute will not show the complete picture because group nesting is allowed in Active Directory after you've transitioned from mixed mode. To view the complete group membership, you have to recurse through each group's members.

In the VBScript example, I used a dictionary object (referred to as a hash or associative array in other languages) to ensure I did not get in an infinite loop. The dictionary object stores each group member; before the DisplayMembers function is called a check is performed to determine if the group has already been evaluated. If so, a message is displayed indicating the group will not be processed again. If this type of checking was not employed and you had a situation where group A was a member of group B, group B was a member of group C, and group C was a member of group A, the loop would repeat without terminating.

See Also

"Viewing the Direct Members of a Group" for viewing group membership and MSDN: IADsMember

Return to ONDotnet.com

Recommended for You

Tagged Articles

Be the first to post this article to del.icio.us

Related to this Article

Programming Windows® 8 Apps with HTML, CSS, and JavaScript Programming Windows® 8 Apps with HTML, CSS, and JavaScript
by Kraig Brockschmidt
November 2012
$0.00 USD

Take Control of CrashPlan Backups Take Control of CrashPlan Backups
April 2012
$10.00 USD