VBScript program to document all members of a group. The members can be users or other groups. Nested group members are revealed. However, the program will not include any members that have the specified group designated as their "Primary Group".
The program will handle groups with more than 1500 members. Many enumeration methods fail when there are more than 1500 members, because ADSI normally cannot handle more than 1500 items in a multi-valued attribute. The limit was 1000 in Windows 2000 Active Directory, but was increased to 1500 in Windows Server 2003. This program demonstrates the use of ADO range limits to overcome this limitation. The program will work no matter how many members the group has.

The program accepts the group name as a parameter. The program expects the NT name of the group, also called the sAMAccountName, rather than the Distinguished Name. Like most administrative scripts, the program should be run at a command prompt with the cscript host. The output can be redirected to a text file. For example:

cscript //nologo EnumGroup2.vbs MyGroup > MyGroup.txt

The program uses a dictionary object to track memberships. This allows the program to indicate duplicate members. This can happen if, for example, a user is a member of the group specified, but is also a member of a nested group. The user will be listed twice, but the second entry will be indicated as a duplicate. This also prevents a possible infinite loop due to circular group nesting. A nested group is enumerated only the first time it is encountered.

This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, they need WSH and ADSI installed.

EnumGroup2.txt <<-- Click here to view or download the program

A similar PowerShell Version 1.0 script has been developed to enumerate all direct members of any Active Directory group, even if there are over 1500 members. This program either accepts a group name as a parameter, or prompts for the name. Use the "pre-Windows 2000" name of the group. You should redirect the output to a text file. If you have PowerShell Version 2.0 and the Active Directory modules that come with Windows Server 2008 R2, you can also use Get-ADGroupMember (or even Get-ADObject) to retrieve the membership of large groups. However, most other methods fail if they do not implement range retrieval. For example, the dsget group command line utility fails if there are more than 1500 members.

PSEnumLargeGroup.txt <<-- Click here to view or download the program