VBScript program to document all members of a group. The members can be users or other groups.
Nested group members are revealed. However, the program will not include any members that have
the specified group designated as their "Primary Group".
The program will handle groups with more than 1500 members. Many enumeration methods fail when
there are more than 1500 members, because ADSI normally cannot handle more than 1500 items in
a multi-valued attribute. The limit was 1000 in Windows 2000 Active Directory, but was increased
to 1500 in Windows Server 2003 and above. This program demonstrates the use of ADO range limits to overcome
this limitation. The program will work no matter how many members the group has.
The program accepts the group name as a parameter. The program expects the NT name of the group,
also called the sAMAccountName, rather than the Distinguished Name. Like most administrative scripts,
the program should be run at a command prompt with the cscript host. The output can be redirected
to a text file. For example:
cscript //nologo EnumGroup2.vbs MyGroup > MyGroup.txt
The program uses a dictionary object to track memberships. This allows the program to indicate
duplicate members. This can happen if, for example, a user is a member of the group specified,
but is also a member of a nested group. The user will be listed twice, but the second entry
will be indicated as a duplicate. This also prevents a possible infinite loop due to circular
group nesting. A nested group is enumerated only the first time it is encountered.
This program should work on any 32 or 64-bit Windows client that can log onto the domain. Windows NT
and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, they
need WSH and ADSI installed.
EnumGroup2.txt <<-- Click here to view or download the program
A similar PowerShell Version 1.0 script has been developed to enumerate all
direct members of any Active Directory group, even if there are over 1500
members. This program either accepts a group name as a parameter, or prompts
for the name. Use the "pre-Windows 2000" name (sAMAccountName) of the group. You should
redirect the output to a text file. If you have PowerShell Version 2.0 and
the Active Directory modules that come with Windows Server 2008 R2 and above, you can
also use Get-ADGroupMember (or even Get-ADObject) to retrieve the membership
of large groups. However, most other methods fail if they do not implement
range retrieval. For example, the dsget group command line utility fails if
there are more than 1500 members.
PSEnumLargeGroup.txt <<-- Click here to view or download the program