Recipe 15.12. Viewing a User's Group Membership

Problem

You want to view the group membership of an Active Directory user.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in (compmgmt.msc).

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Type the name of the user beside Name and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Click the Member Of tab.

  7. To view all indirect group membership (from nested groups), you'll need to double-click on each group.

Using a command-line interface

The net user command can display a user's group membership. The following displays the group membership for the local administrator account:

> net user administrator

This command displays the group membership of a domain account named rallen:

> net user rallen /domain

You can also use dsget user to display domain group membership. The following command displays the groups that the rallen user is a member of in Active Directory. Use the -expand switch to list nested group membership as well:

> dsget user cn=rallen,cn=users,dc=rallencorp,dc=com -memberof -expand

Using VBScript

' This code displays the group membership of a user.
' It avoids infinite loops due to circular group nesting by
' keeping track of the groups that have already been seen.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"  ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
Wscript.Echo "Group membership for " & objUser.Get("cn") & ":"
strSpaces = ""
set dicSeenGroup = CreateObject("Scripting.Dictionary")
DisplayGroups "LDAP://" & strUserDN, strSpaces, dicSeenGroup

Function DisplayGroups ( strObjectADsPath, strSpaces, dicSeenGroup)

   set objObject = GetObject(strObjectADsPath)
   WScript.Echo strSpaces & objObject.Name
   on error resume next ' Doing this to avoid an error when memberOf is empty
   if IsArray( objObject.Get("memberOf") ) then
      colGroups = objObject.Get("memberOf")
   else
      colGroups = Array( objObject.Get("memberOf") )
   end if
   ' Stop here if memberOf could not be read, so the loop below
   ' never runs against an unset colGroups
   if Err.Number <> 0 then
      Err.Clear
      Exit Function
   end if

   ' Recurse into each group that has not been displayed yet
   for each strGroupDN In colGroups
      if Not dicSeenGroup.Exists(strGroupDN) then
         dicSeenGroup.Add strGroupDN, 1
         DisplayGroups "LDAP://" & strGroupDN, strSpaces & " ", dicSeenGroup
      end if
   next

End Function

Discussion

The memberOf attribute on domain accounts is multivalued and contains the list of distinguished names for the groups of which the user is a member. memberOf is actually linked with the member attribute on group accounts, which holds the distinguished names of its members. For this reason, you cannot directly modify the memberOf attribute; you must instead modify the member attribute on the group.
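The linkage described above, as an added example in Python that is not code from the book: it derives memberOf from each group's member attribute and follows the nesting to report the chain through which a user reaches every group, which is what an access review needs when a privileged group is reached only indirectly. The group names, their nesting (including the circular Helpdesk/Server Ops pair) and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample data: group DN -> values of its member attribute
# (the forward link). Helpdesk and Server Ops contain each other on purpose.
GROUP_MEMBERS = {
    "cn=Helpdesk,cn=Users,dc=rallencorp,dc=com": [
        "cn=rallen,cn=Users,dc=rallencorp,dc=com",
        "cn=Server Ops,cn=Users,dc=rallencorp,dc=com"],
    "cn=Server Ops,cn=Users,dc=rallencorp,dc=com": [
        "cn=Helpdesk,cn=Users,dc=rallencorp,dc=com"],
    "cn=Domain Admins,cn=Users,dc=rallencorp,dc=com": [
        "cn=Server Ops,cn=Users,dc=rallencorp,dc=com"],
}

def build_member_of(group_members):
    """Derive memberOf (the back link) from every group's member list."""
    member_of = {}
    for group_dn, members in group_members.items():
        for dn in members:
            # DNs compare case-insensitively, so index on the lowercase form
            member_of.setdefault(dn.lower(), []).append(group_dn)
    return member_of

def nested_groups(user_dn, group_members):
    """Map each direct or nested group to the chain of groups granting it."""
    member_of = build_member_of(group_members)
    paths = {}
    seen = {user_dn.lower()}          # objects already expanded (cycle guard)
    queue = deque([(user_dn, [])])    # breadth-first: shortest chain wins
    while queue:
        dn, path = queue.popleft()
        for group_dn in member_of.get(dn.lower(), []):
            if group_dn.lower() in seen:
                continue
            seen.add(group_dn.lower())
            paths[group_dn] = path + [group_dn]
            queue.append((group_dn, paths[group_dn]))
    return paths

if __name__ == "__main__":
    user = "cn=rallen,cn=Users,dc=rallencorp,dc=com"
    for group, chain in nested_groups(user, GROUP_MEMBERS).items():
        kind = "direct" if len(chain) == 1 else "nested"
        print(f"{kind:6} {group}")
        print("       via " + " -> ".join(c.split(",")[0] for c in chain))
```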

See Also

Recipe 15.11 for more on viewing the members of a group



Windows XP Cookbook
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408
