Open the Active Directory Users and Computers snap-in (dsa.msc).
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, right-click on the domain and select Find.
Enter the name of the group and click Find Now.
Double-click on the group in the bottom results pane.
Click the Members tab.
Using a command-line interface
Use the lg command from Joeware.net to display the members of a local group:
> lg Administrators
The following dsget command displays the direct members of a group in Active Directory:
> dsget group "<GroupDN>" -members
Add the -expand option to enumerate all nested group members in Active Directory:
> dsget group "<GroupDN>" -members -expand
Using VBScript
' This code prints the members of a local group. ' ------ SCRIPT CONFIGURATION ------ strGroup = "<GroupName>" ' e.g. Administrators strComputer = "<ComputerName>" ' ------ END CONFIGURATION --------- set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup) Wscript.Echo "Members of " & objGroup.Name & ":" for each objMember in objGroup.Members Wscript.Echo objMember.Name next WScript.Echo "Done" ' This code prints the direct members of an Active Directory group. ' ------ SCRIPT CONFIGURATION ------ strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objGroup = GetObject("LDAP://" & strGroupDN) Wscript.Echo "Members of " & objGroup.Name & ":" for each objMember in objGroup.Members Wscript.Echo objMember.Name next WScript.Echo "Done" ' This code prints the nested membership of an Active Directory group. ' ------ SCRIPT CONFIGURATION ------ strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Grps,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- strSpaces = " " set dicSeenGroupMember = CreateObject("Scripting.Dictionary") Wscript.Echo "Members of " & strGroupDN & ":" DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember WScript.Echo "Done" Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember) set objGroup = GetObject(strGroupADsPath) for each objMember In objGroup.Members Wscript.Echo strSpaces & objMember.Name if objMember.Class = "group" then if dicSeenGroupMember.Exists(objMember.ADsPath) then Wscript.Echo strSpaces & " ^ already seen group member " & _ "(stopping to avoid loop)" else dicSeenGroupMember.Add objMember.ADsPath, 1 DisplayMembers objMember.ADsPath, strSpaces & " ", _ dicSeenGroupMember end if end if next End Function
Discussion
Using VBScript
For the Active Directory examples, the member attribute of a group accounts contains the distinguished names of the direct members of the group. By direct members, we mean the members that have been directly added to the group. This is in contrast to indirect group members, which are members of the group due to nested group membership. To view the complete group membership, you have to recurse through each group's members.
In the second VBScript example, we used a dictionary object to ensure we did not get in an infinite loop. The dictionary object stores each group member; before the DisplayMembers function is called a check is performed to determine if the group has already been evaluated. If so, a message is displayed indicating the group will not be processed again. If this type of checking was not employed and you had a situation where group A was a member of group B, group B was a member of group C, and group C was a member of group A, the loop would repeat without terminating.
See Also
MSDN: IADsMember
Groups.