VBScript program to document all groups that a user is a member of. The LDAP provider is used to bind to the user and group objects. The program reveals nested group memberships. The program does not reveal membership in the "Primary Group".

A dictionary object is used so that the membership of any group is only enumerated once. This prevents an infinite loop if there are any circular nested groups.

This program should work on any 32-bit or 64-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, they need WSH and ADSI installed.

The program can be run at a command prompt with the cscript host. The output can be redirected to a text file. The Distinguished Name of a user is a required parameter. For example, you can run the program with the following command:

cscript //nologo EnumUserGroups.vbs "cn=TestUser,ou=Sales,dc=MyDomain,dc=com" > output.txt

If the user Distinguished Name includes a character that must be escaped, such as a comma in the Common Name, be sure to escape it with the backslash "\" escape character. The characters that must be escaped in Distinguished Names are:

, \ / # + < > ; " =

EnumUserGroups.txt (view or download the program)

An equivalent PowerShell script, which can be run in PowerShell V1 or V2:

PSEnumUserGroups.txt (view or download the program)
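
The sketch below is an added example, not the code of the linked EnumUserGroups or PSEnumUserGroups programs. It shows the two techniques described above: the "already enumerated" table that stops circular nesting from looping, and backslash-escaping of a Common Name before it is placed in a Distinguished Name. The function names, the $Directory table and its contents are hypothetical and constructed so the example runs without a domain.

```powershell
# Constructed stand-in for the directory: DN -> its memberOf values.
# Sales and Staff are members of each other (circular nesting).
$Directory = @{
    'cn=Smith\, Jim,ou=Sales,dc=MyDomain,dc=com' = @('cn=Sales,ou=Groups,dc=MyDomain,dc=com')
    'cn=Sales,ou=Groups,dc=MyDomain,dc=com'      = @('cn=Staff,ou=Groups,dc=MyDomain,dc=com',
                                                     'cn=Printers,ou=Groups,dc=MyDomain,dc=com')
    'cn=Staff,ou=Groups,dc=MyDomain,dc=com'      = @('cn=Sales,ou=Groups,dc=MyDomain,dc=com')
}

# Hypothetical helper: escape the characters the page lists ( , \ / # + < > ; " = )
# in a single name value before building a Distinguished Name from it.
function ConvertTo-EscapedDnValue([string]$Value) {
    return [regex]::Replace($Value, '[,\\/#+<>;"=]', '\$0')
}

# Hypothetical helper: return the memberOf values for a DN.
# Against a live domain this lookup would be: @(([ADSI]"LDAP://$Dn").memberOf)
function Get-MemberOf([string]$Dn) {
    if ($Directory.ContainsKey($Dn)) { return $Directory[$Dn] }
    return @()
}

# Walk memberOf recursively. $Seen plays the role of the dictionary object:
# a group already in the table is skipped, so each group is enumerated once
# and a circular chain terminates.
function Get-NestedGroups([string]$Dn, [hashtable]$Seen, [int]$Depth = 0) {
    foreach ($group in @(Get-MemberOf $Dn)) {
        if ($Seen.ContainsKey($group)) { continue }
        $Seen[$group] = $true
        (' ' * (2 * $Depth)) + $group          # indent shows nesting level
        Get-NestedGroups $group $Seen ($Depth + 1)
    }
}

# Build the user DN from an unescaped Common Name containing a comma.
$cn     = ConvertTo-EscapedDnValue 'Smith, Jim'
$userDn = "cn=$cn,ou=Sales,dc=MyDomain,dc=com"

# Hashtable keys created with @{} compare case-insensitively, as DNs do.
$seen = @{}
Get-NestedGroups $userDn $seen
"Groups found: " + $seen.Count
```

As with the original program, this walk follows memberOf only, so the "Primary Group" is not reported.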