VBScript program demonstrating the use of an efficient IsMember function to test for group membership
for any number of users or computers. The function reveals membership in nested groups, as well as
the "Primary Group". The IsMember function uses a dictionary object, so that group memberships
only have to be enumerated once for each different user and computer, no matter how many times the
function is called. The function uses a recursive subroutine to populate the dictionary object. The
dictionary object keeps track of group memberships separately for each user or computer. The
subroutine is coded to prevent an infinite loop if the "nested" groups are circular.

This program uses the LDAP provider to bind to the user or computer object in Active Directory.
The function does reveal membership in cross-domain groups. If you have more than one domain, the
function will show that a user or computer in one domain is a member of a group in another domain.

ADO is used to search the Active Directory domain for all group objects and retrieve their
"primaryGroupToken" attribute value. When the group memberships are enumerated for each
object to populate the dictionary object, the "primaryGroupID" attribute of the object is
used to determine which of these groups is the "primary" group of the user or computer.
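
The caching, circular-nesting guard and primary-group lookup described above, as an added sketch that is not the IsMember6 program itself. It assumes an in-memory directory in place of the LDAP bind and ADO search; every DN, the token value and the helper names EnumGroups and LoadGroups are constructed for illustration.

```vbscript
Option Explicit
' Constructed sample data, not real AD objects: DN -> "|"-separated memberOf DNs.
Const ALICE = "cn=alice,dc=example,dc=test"
Dim objDir, objTokens, objPrimaryID, objGroupList
Set objDir = CreateObject("Scripting.Dictionary")
Set objTokens = CreateObject("Scripting.Dictionary")     ' primaryGroupToken -> group DN
Set objPrimaryID = CreateObject("Scripting.Dictionary")  ' object DN -> primaryGroupID
Set objGroupList = CreateObject("Scripting.Dictionary")  ' cache: "objectDN\groupDN"
objGroupList.CompareMode = vbTextCompare
objDir.Add ALICE, "cn=Sales,dc=example,dc=test"
objDir.Add "cn=Sales,dc=example,dc=test", "cn=Staff,dc=example,dc=test"
objDir.Add "cn=Staff,dc=example,dc=test", "cn=Sales,dc=example,dc=test"  ' circular nesting
objTokens.Add 513, "cn=Domain Users,dc=example,dc=test"
objPrimaryID.Add ALICE, 513

Function IsMember(strObjectDN, strGroupDN)
    ' Enumerate once per object; the "objectDN\" key marks the object as loaded.
    If Not objGroupList.Exists(strObjectDN & "\") Then
        objGroupList.Add strObjectDN & "\", True
        ' The primary group is absent from memberOf; resolve it from primaryGroupID.
        If objPrimaryID.Exists(strObjectDN) Then
            Call LoadGroups(strObjectDN, objTokens(objPrimaryID(strObjectDN)))
        End If
        Call EnumGroups(strObjectDN, strObjectDN)
    End If
    IsMember = objGroupList.Exists(strObjectDN & "\" & strGroupDN)
End Function

Sub EnumGroups(strObjectDN, strCurrentDN)
    Dim strGroup
    If Not objDir.Exists(strCurrentDN) Then Exit Sub
    For Each strGroup In Split(objDir(strCurrentDN), "|")
        Call LoadGroups(strObjectDN, strGroup)
    Next
End Sub

Sub LoadGroups(strObjectDN, strGroup)
    ' Recurse only into groups not yet recorded, so circular nesting terminates.
    If objGroupList.Exists(strObjectDN & "\" & strGroup) Then Exit Sub
    objGroupList.Add strObjectDN & "\" & strGroup, True
    Call EnumGroups(strObjectDN, strGroup)
End Sub

WScript.Echo "Staff (nested): " & CStr(IsMember(ALICE, "cn=Staff,dc=example,dc=test"))
WScript.Echo "Domain Users (primary): " & CStr(IsMember(ALICE, "cn=Domain Users,dc=example,dc=test"))
WScript.Echo "Admins (not a member): " & CStr(IsMember(ALICE, "cn=Admins,dc=example,dc=test"))
```

Because the cache key combines the object and the group, a membership recorded for one user or computer never answers a query about another.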

This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and
Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH
and ADSI should be installed.

Typically, this IsMember function would be used in a logon script to map drives to network shares
according to user group membership. It can also be used to map local ports to shared printers
according to computer group membership.
IsMember6.txt <<-- Click here to view or download the program