Scriptless approach to getting information on nested group memberships.
One of the biggest challenges it seems many administrators have is keeping tabs on group membership. This is even more of a problem now that we can nest groups. A popular script is one that queries group memberships recursively. But you don’t need a single line of VBScript. You can get all the information you need with the DSQuery and DSGet commands.
There are two parts to the ultimate solution but I want you to understand how they work. At the command prompt, type:
Dsquery user -samid yourlogonname
You should get the distinguished name of your user object. The beauty of the DS commands is that the output of one command can serve as the input for another. Try this:
Dsquery user -samid yourlogonname | dsget user
You’ll end up with a little more information about your user account. You can use DSGet to return other information, but for our purposes we want to get at group membership. Run this command:
Dsquery user -samid yourlogonname | dsget user -memberof
You should be rewarded with the distinguished names of all the groups the user account belongs to. If you want to check for nested group membership, use a command like this:
Dsquery user -samid yourlogonname | dsget user -memberof -expand
Now you have a longer list of group names. You can’t necessarily tell where a group is nested, but you’ll at least know which group memberships are affecting the user. You can also search for more than one user this way:
Dsquery user -limit 0 | dsget user -memberof -expand
This expands the group membership for all user accounts in the domain.
You can also come at this from the group angle:
dsquery group -samid "Sales Staff" | dsget group -members
If you want to expand nested group membership you can use -expand as I did earlier:
dsquery group -samid "Sales Staff" | dsget group -members -expand
By the way, if you don’t know the complete group name, wild cards are allowed:
dsquery group -samid "Sales*" | dsget group -members -expand
Finally, want to build a membership report for all users? Try these commands:
dsquery group -limit 0 >groups.txt
for /f "tokens=*" %g in (groups.txt) do @echo %g >>membership.txt & echo Members: >>membership.txt & dsget group %g -members >>membership.txt & echo
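The -expand switch tells you that a membership applies but not where the nesting happens. The following is an added example, not part of the original tip: a small Python script that reads a membership.txt report and prints the chain of groups through which an account reaches a given group. It assumes the report layout is a group DN line, a "Members:" line, then one member DN per line; the example.com names and the sample report are constructed.

```python
# Added example: parse the membership.txt report and show nesting chains.
# Assumed layout: group DN line, a "Members:" line, then member DN lines.

# Constructed sample report (example.com names are made up). Server Ops
# contains Help Desk, which contains Server Ops: a circular nesting.
SAMPLE_REPORT = """\
"CN=Domain Admins,CN=Users,DC=example,DC=com"
Members:
"CN=Server Ops,OU=Groups,DC=example,DC=com"
"CN=Alice Admin,OU=Staff,DC=example,DC=com"
"CN=Server Ops,OU=Groups,DC=example,DC=com"
Members:
"CN=Help Desk,OU=Groups,DC=example,DC=com"
"CN=Help Desk,OU=Groups,DC=example,DC=com"
Members:
"CN=Bob Temp,OU=Staff,DC=example,DC=com"
"CN=Server Ops,OU=Groups,DC=example,DC=com"
"""

def parse_report(text):
    """Return {group DN: [direct member DNs]} from report text."""
    # dsquery/dsget quote each DN; echo may leave a trailing space.
    lines = [ln.strip().strip('"') for ln in text.splitlines() if ln.strip()]
    marks = [i for i, ln in enumerate(lines) if ln == "Members:" and i > 0]
    groups = {}
    for n, i in enumerate(marks):
        # Members run up to the header line of the next group.
        end = marks[n + 1] - 1 if n + 1 < len(marks) else len(lines)
        groups[lines[i - 1]] = lines[i + 1:end]
    return groups

def nesting_paths(groups, member, top):
    """Every chain top -> ... -> member; DNs are compared as written."""
    paths = []
    def walk(group, chain):
        for child in groups.get(group, []):
            if child == member:
                paths.append(chain + [child])
            elif child in groups and child not in chain:  # skip cycles
                walk(child, chain + [child])
    walk(top, [top])
    return paths

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    top = "CN=Domain Admins,CN=Users,DC=example,DC=com"
    bob = "CN=Bob Temp,OU=Staff,DC=example,DC=com"
    for path in nesting_paths(report, bob, top):
        print(" -> ".join(dn.split(",")[0] for dn in path))
```

A chain longer than two entries means the account holds the membership only through nesting, which is the case worth reviewing first for privileged groups.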