Recipe 16.13. Viewing the Members of a Group

Problem

You want to view the members of a group.

Solution

Using a graphical user interface

Using a command-line interface

The following command displays the direct members of a group:

    > dsget group "<GroupDN>" -members

Add the -expand option to enumerate all nested group members:

    > dsget group "<GroupDN>" -members -expand

Using VBScript

    ' This code prints the direct members of the specified group.
    ' ------ SCRIPT CONFIGURATION ------
    strGroupDN = "<GroupDN>" ' e.g., cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
    ' ------ END CONFIGURATION ---------

    set objGroup = GetObject("LDAP://" & strGroupDN)
    Wscript.Echo "Members of " & objGroup.Name & ":"
    for each objMember in objGroup.Members
       Wscript.Echo objMember.Name
    next

    ' This code prints the nested membership of a group.
    ' ------ SCRIPT CONFIGURATION ------
    strGroupDN = "<GroupDN>" ' e.g., cn=SalesGroup,ou=Grps,dc=rallencorp,dc=com
    ' ------ END CONFIGURATION ---------

    strSpaces = " "
    set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
    Wscript.Echo "Members of " & strGroupDN & ":"
    DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember

    Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember)
       set objGroup = GetObject(strGroupADsPath)
       for each objMember In objGroup.Members
          Wscript.Echo strSpaces & objMember.Name
          if objMember.Class = "group" then
             if dicSeenGroupMember.Exists(objMember.ADsPath) then
                Wscript.Echo strSpaces & " ^ already seen group member " & _
                             "(stopping to avoid loop)"
             else
                dicSeenGroupMember.Add objMember.ADsPath, 1
                DisplayMembers objMember.ADsPath, strSpaces & " ", _
                               dicSeenGroupMember
             end if
          end if
       next
    End Function

Discussion

The member attribute of a group object contains the distinguished names of the directly added group members. This is in contrast to indirect group members, which are group members due to nested group membership. To view the complete group membership, recurse through each group's members. In the second VBScript example, I used a dictionary object to prevent an infinite loop.
The dictionary object stores each group member; before the DisplayMembers function is called, a check is performed to determine if the group has already been evaluated. If so, a message is displayed indicating the group will not be processed again. If this type of checking was not employed and you had a situation where group A was a member of group B, group B was a member of group C, and group C was a member of group A, the loop would repeat without terminating.

See Also

MSDN: IADsMember
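
The loop check described in the Discussion, as an added Python example that is not part of the original recipe: it goes one step further than the VBScript by recording the chain of groups through which each member is reached and by reporting the edge that closes a nesting loop, which is what a membership audit usually needs. The directory contents, the dn() helper and the function name are constructed for illustration; no live directory is queried.

```python
"""Cycle-safe expansion of nested group membership (constructed sample data)."""

BASE = "dc=rallencorp,dc=com"

def dn(cn, ou):
    """Build a sample distinguished name (hypothetical helper)."""
    return f"cn={cn},ou={ou},{BASE}"

# Constructed directory: group DN -> values of its `member` attribute.
# A DN with no entry here is treated as a non-group object (e.g. a user).
# GroupA contains GroupB, GroupB contains GroupC, GroupC contains GroupA.
MEMBER = {
    dn("GroupA", "Groups"): [dn("alice", "Users"), dn("GroupB", "Groups")],
    dn("GroupB", "Groups"): [dn("bob", "Users"), dn("GroupC", "Groups")],
    dn("GroupC", "Groups"): [dn("carol", "Users"), dn("GroupA", "Groups")],
}

def expand_members(root, member_map):
    """Return (via, loops).

    via   maps each direct or nested member DN to the chain of groups,
          starting at root, through which it was first reached.
    loops lists (group, member) pairs where member is a group already on
          the current chain, i.e. the edge that closes a nesting loop.
    """
    via, loops = {}, []
    seen = {root}  # groups already expanded; the root is marked up front

    def walk(group, chain):
        for member in member_map.get(group, []):
            if member not in member_map:   # leaf object: keep first chain
                via.setdefault(member, chain)
            elif member in chain:          # back edge: circular nesting
                loops.append((group, member))
            elif member not in seen:       # unseen group: descend once
                seen.add(member)
                via[member] = chain
                walk(member, chain + [member])

    walk(root, [root])
    return via, loops

if __name__ == "__main__":
    via, loops = expand_members(dn("GroupA", "Groups"), MEMBER)
    for member, chain in via.items():
        print(member, "<-", " > ".join(c.split(",")[0] for c in chain))
    for group, member in loops:
        print("loop:", group, "contains", member)
```

A group reached twice by different routes (a diamond) is expanded only once and is not reported as a loop; only an edge back to a group on the current chain is.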