VBScript program demonstrating the use of an efficient IsMember function to test for group membership for any number of users or computers, using the "tokenGroups" attribute. The function reveals membership in nested groups and the "Primary Group". The IsMember function uses a dictionary object, so that group memberships only have to be enumerated once, no matter how many times the function is called.

Instead of using the objectSid of each group in the tokenGroups collection to bind to the group object and retrieve the group name, this program uses ADO to search for the objects in Active Directory that have the values for objectSid and retrieve the group names. If the user or computer is a member of many groups, this method should be much faster, at the expense of more lines of code.

This program uses the LDAP provider to bind to the user or computer object in Active Directory. The "tokenGroups" attribute does not reveal cross-domain groups. If you have more than one domain, this function will not reveal membership in groups that are not in the same domain as the user or computer.

This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH and ADSI should be installed.

Typically, this IsMember function would be used in a logon script to map drives to network shares according to user group membership. It can also be used to map local ports to shared printers according to computer group membership.

IsMember8.txt <<-- Click here to view or download the program

A PowerShell script that performs the same function is linked below.

PSIsMember8.txt <<-- Click here to view or download the program