VBScript ; Find User Group Memberships (+ Nested groups)

VBScript ; Find User Group Memberships (including Nested groups)


This fast, simple logon script will enumerate a user accounts group memberships, including nested groups.


‘Obtain fqdn of domain
Set oRoot = GetObject(“LDAP://rootDSE”)
Set oDomain = GetObject(“LDAP://” & oRoot.Get(“defaultNamingContext”))
fqDomain = oRoot.Get(“defaultNamingContext”)

‘Obtain netbios username, computername and domainname
Set objNetwork = CreateObject(“Wscript.Network”)
currentDomain = objNetwork.UserDomain
currentUser = objNetwork.UserName
strComputerName = objNetwork.ComputerName

‘————————————————- Main Program

‘Find user DistingishedName and bind to user object to find nested group memberships
uCN = findDN
Set objUser=GetObject(“LDAP://” & uCN)

If IsMember(“Domain Admins”) Then
MsgBox “User is a member of the domain admins group….”
‘Perform required functions here.
End If

‘————————————————- Functions

Function IsMember(grpName) ‘Function to find groups to which user is a *DIRECT* member of.
If IsEmpty(grpList) Then
Set grpList = CreateObject(“Scripting.Dictionary”)
grpList.CompareMode = TextCompare

Set colGroups = objUser.Groups
For Each objGroup in colGroups
If NOT CBool(grpList.Exists(objGroup.CN)) Then
grpList.Add objGroup.CN, “-“
End If
End If
IsMember = CBool(grpList.Exists(grpName))
End Function

Function GetNested(objGroup) ‘New Recursive Nested Group Membership Function.
On Error Resume Next
colMembers = objGroup.GetEx(“memberOf”)
For Each strMember in colMembers
If NOT strMember = “” Then
strPath = “LDAP://” & strMember
Set objNestedGroup = GetObject(strPath)
If NOT CBool(grpList.Exists(objNestedGroup.CN)) Then
grpList.Add objNestedGroup.CN, “-“
End If
End If
End Function

Function findDN ‘Funtion to find DistinguishedName of User Object using sAMAccountName
Set objConnection = CreateObject(“ADODB.Connection”)
objConnection.Open “Provider=ADsDSOObject;”

Set objCommand = CreateObject(“ADODB.Command”)
objCommand.ActiveConnection = objConnection

objCommand.CommandText = _
“<LDAP://” & fqDomain & “>;(&(objectCategory=” & “User” & “)” & _
“(samAccountName=” & currentUser & “));samAccountName,distinguishedName;subtree”

Set objRecordSet = objCommand.Execute

If objRecordset.RecordCount = 0 Then
findDN = objRecordSet.Fields(“distinguishedName”).Value
End If
End Function