VBScript program demonstrating the use of an efficient IsMember function to test for group membership
for a single user or computer. The function reveals membership in nested groups, but not the
"Primary Group". The IsMember function uses a dictionary object, so that group memberships
only have to be enumerated once, no matter how many times the function is called.
The program uses ADO to search Active Directory for all groups that specify the user or computer as a
member. Then, ADO is used again to search Active Directory for all groups that specify any of the first
list of groups as a member. This search is repeated recursively for each level of group nesting
encountered.
For example, assume that user Johnny is a direct member of the three groups Grade1, Reading,
and Keyboarding. The first ADO search returns these three groups. The next ADO search looks for
all groups in Active Directory that have Grade1, Reading, or Keyboarding as members. Let's say that
this second search reveals that the group Grade1 is a member of the group Students and the group
Keyboarding is a member of group ComputerSkills. The next ADO search looks for groups that have
either Students or ComputerSkills as members. Perhaps this third search reveals that the group
Students is a member of the group School. Finally, ADO is used to find that the group School is
not the member of any other group. In this example, ADO is used four times to reveal all nested
group memberships for Johnny.
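
The level-by-level search described above, as an added Python sketch that is not part of IsMember7 and not the author's code. The directory is a constructed in-memory stand-in for Active Directory; the DNs, the `objectCategory=group` filter shape and all function names are assumptions made for illustration.

```python
# Constructed sample directory: group DN -> DNs in its "member" attribute.
BASE = "OU=School,DC=example,DC=com"  # hypothetical naming context

def dn(name):
    return f"CN={name},{BASE}"

DIRECTORY = {
    dn("Grade1"): [dn("Johnny")],
    dn("Reading"): [dn("Johnny")],
    dn("Keyboarding"): [dn("Johnny")],
    dn("Students"): [dn("Grade1")],
    dn("ComputerSkills"): [dn("Keyboarding")],
    dn("School"): [dn("Students")],
}

def escape_filter(value):
    """Escape a value for an LDAP search filter (RFC 4515); backslash first."""
    for ch in "\\*()\0":
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def build_filter(member_dns):
    """One OR-filter covering every DN found at the previous level."""
    clauses = "".join(f"(member={escape_filter(d)})" for d in sorted(member_dns))
    return f"(&(objectCategory=group)(|{clauses}))"

def search_groups(directory, member_dns):
    """Stand-in for one server-side search: groups listing any of member_dns."""
    return {g for g, members in directory.items() if member_dns & set(members)}

def nested_groups(directory, principal_dn):
    """Return ({group DN: nesting level}, [filter sent per query])."""
    found, filters = {}, []      # 'found' plays the role of the dictionary object
    frontier, level = {principal_dn}, 0
    while frontier:
        level += 1
        filters.append(build_filter(frontier))
        hits = search_groups(directory, frontier)
        # Skip groups already recorded so circular nesting cannot loop forever.
        frontier = {g for g in hits if g not in found}
        found.update((g, level) for g in frontier)
    return found, filters

def is_member(found, group_name):
    """Dictionary lookup only; no further directory queries."""
    return dn(group_name) in found

if __name__ == "__main__":
    groups, sent = nested_groups(DIRECTORY, dn("Johnny"))
    print(len(sent), "queries;", sorted(groups.values()))
```

For Johnny this sends four filters and records six groups, and every later `is_member` call is answered from the dictionary alone.
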
If the network has many sites with slow links, or sites with no Domain Controllers, this program
could be faster than other methods because it requires binding to few objects over the Wide Area
Network. In the example above, a program that enumerates all of the members of any group would have
to bind to each member in order to determine if the member is a user or group, and thus determine
if a nested group must be enumerated. If instead the program enumerated all groups that the user
is a member of, it would have to bind to six groups in Active Directory in the example above. This
program, however, binds to a few local objects to set up ADO, then queries the server once for all
direct group memberships, and then again once for each level of group nesting encountered. Most of
the work is done on the server to retrieve the information requested by the ADO searches. None of
the groups or members is bound to, so the program may be significantly faster in some situations.
The program uses the Global Catalog to avoid referrals if there are cross-domain group memberships.
This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and
Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH
and ADSI should be installed.
Typically, this IsMember function would be used in a logon script to map drives to network shares
according to user group membership. It can also be used to map local ports to shared printers
according to computer group membership. However, it can't be used to test both user and computer
group membership in the same program.
Program file: IsMember7.txt