VBScript program demonstrating the use of an efficient IsMember function to test for group membership
for a single user or computer. The function reveals membership in
nested groups, but not the
"Primary Group". The IsMember function uses a dictionary object, so that group memberships
only have to be enumerated once, no matter how many times the function is called.
The program uses ADO to search Active Directory for all groups that specify the user or computer as a member. Then, ADO is used again to search Active Directory for all groups that specify any of the first list of groups as a member. This search is repeated recursively for each level of group nesting encountered.
For example, assume that user Johnny is a direct member of the three groups Grade1, Reading, and Keyboarding. The first ADO search returns these three groups. The next ADO search looks for all groups in Active Directory that have Grade1, Reading, or Keyboarding as members. Let's say that this second search reveals that the group Grade1 is a member of the group Students and the group Keyboarding is a member of group ComputerSkills. The next ADO search looks for groups that have either Students or ComputerSkills as members. Perhaps this third search reveals that the group Students is a member of the group School. Finally, ADO is used to find that the group School is not the member of any other group. In this example, ADO is used four times to reveal all nested group memberships for Johnny.
If the network has many sites with slow links, or sites with no Domain Controllers, this program could be faster than other methods because it requires binding to few objects over the Wide Area Network. In the example above, a program that enumerates all of the members of any group would have to bind to each member in order to determine if the member is a user or group, and thus determine if a nested group must be enumerated. If instead the program enumerated all groups that the user is a member of, it would have to bind to six groups in Active Directory in the example above. This program, however, binds to a few local objects to setup ADO, then queries the server once for all direct group memberships, and then again once for each level of group nesting encountered. Most of the work is done on the server to retrieve the information requested by the ADO searches. None of the groups or members is bound to, so the program may be significantly faster in some situations. The program uses the Global Catalog to avoid referrals if there are cross-domain group memberships.
This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH and ADSI should be installed.
Typically, this IsMember function would be used in a logon script to map drives to network shares according to user group membership. It can also be used to map local ports to shared printers according to computer group membership. However, it can't be used to test both user and computer group membership in the same program.
IsMember7.txt <<-- Click here to view or download the program