VBScript program to document the security group memberships of all users in the domain. Each user name and the user's security group memberships are written to an Excel spreadsheet. The name and path of the spreadsheet file to be created are hardcoded in the program.

The program uses ADO to retrieve the names of all users. The tokenGroups attribute of a user object reveals all security groups the user is a member of, including the "Primary Group" and membership due to group nesting. However, tokenGroups is a constructed attribute that an ADO (LDAP) query cannot return, so the program binds to each user object, using the distinguishedName attribute, then uses the GetInfoEx method of the user object to load the tokenGroups attribute into the local property cache. The tokenGroups attribute is a multi-valued collection of group SID values in binary (octet string) form. The collection must be enumerated and each value converted into a hex string. To retrieve the name of the group, the program must bind to the group object using the hex string form of the SID value, then retrieve the value of either the sAMAccountName or distinguishedName attribute. A dictionary object of group SID values and names is maintained, so that each group object needs to be bound to only once.

This program does not reveal membership in distribution groups (tokenGroups lists security groups only), or membership in groups in other domains.

Program file: UsersGroups.txt

The program documents the sAMAccountName of each user, the user's Distinguished Name, and the Distinguished Name of each security group. If you would rather document the group sAMAccountNames, simply replace objGroup.distinguishedName with objGroup.sAMAccountName in the two places where it appears in the program.
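The following is an added example that walks through the same technique described above (ADO query for users, GetInfoEx to load tokenGroups, SID-to-hex conversion, binding to the group by SID, and a dictionary cache). It is not the program linked from this page: to stay self-contained it writes a CSV file instead of driving Excel, and the output path, the CSV layout, the "<unresolved SID>" placeholder text and the helper names OctetToHexStr and CsvQuote are assumptions of this example. It must be run on a domain-joined Windows host under an account that can read the directory.

```vbscript
Option Explicit

Dim objRootDSE, strDNSDomain, adoConnection, adoCommand, adoRecordset
Dim strQuery, strDN, strSAM, objUser, arrGroups, bytSid, strSid, strGroupDN
Dim objGroupSids, objGroup, objFSO, objOut, strOutFile

' Assumption of this example: output goes to a CSV file rather than an Excel workbook.
strOutFile = "C:\Temp\UsersGroups.csv"

' Dictionary of group SID (hex string) -> group distinguishedName, so each
' group object is bound to only once no matter how many users belong to it.
Set objGroupSids = CreateObject("Scripting.Dictionary")
objGroupSids.CompareMode = vbTextCompare

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile(strOutFile, True)
objOut.WriteLine "sAMAccountName,userDN,groupDN"

' Discover the default naming context of the current domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' ADO query returning every user object's sAMAccountName and distinguishedName.
' tokenGroups cannot be requested here; it is a constructed attribute.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 60
adoCommand.Properties("Cache Results") = False

strQuery = "<LDAP://" & strDNSDomain & ">;" _
    & "(&(objectCategory=person)(objectClass=user));" _
    & "sAMAccountName,distinguishedName;subtree"
adoCommand.CommandText = strQuery
Set adoRecordset = adoCommand.Execute

Do Until adoRecordset.EOF
    strSAM = adoRecordset.Fields("sAMAccountName").Value
    strDN = adoRecordset.Fields("distinguishedName").Value

    ' Bind to the user and load tokenGroups into the local property cache.
    Set objUser = GetObject("LDAP://" & strDN)
    objUser.GetInfoEx Array("tokenGroups"), 0
    arrGroups = objUser.GetEx("tokenGroups")

    For Each bytSid In arrGroups
        strSid = OctetToHexStr(bytSid)
        If Not objGroupSids.Exists(strSid) Then
            ' First sighting of this SID: bind to the group by SID and cache its DN.
            ' Replace objGroup.distinguishedName with objGroup.sAMAccountName
            ' to record the group's sAMAccountName instead.
            On Error Resume Next
            Set objGroup = GetObject("LDAP://<SID=" & strSid & ">")
            If Err.Number = 0 Then
                strGroupDN = objGroup.distinguishedName
            Else
                ' A SID that does not resolve (e.g. a group from another domain)
                ' is recorded as-is rather than aborting the run.
                strGroupDN = "<unresolved SID " & strSid & ">"
                Err.Clear
            End If
            On Error GoTo 0
            objGroupSids.Add strSid, strGroupDN
        End If
        objOut.WriteLine CsvQuote(strSAM) & "," & CsvQuote(strDN) & "," _
            & CsvQuote(objGroupSids(strSid))
    Next

    adoRecordset.MoveNext
Loop

adoRecordset.Close
adoConnection.Close
objOut.Close
WScript.Echo "Done. " & objGroupSids.Count & " distinct groups written to " & strOutFile

' Convert a binary SID (OctetString byte array) into the hex string form
' that the LDAP://<SID=...> binding string expects.
Function OctetToHexStr(arrbytOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function

' Quote a CSV field; distinguished names contain commas, so this is required.
Function CsvQuote(strValue)
    CsvQuote = """" & Replace(strValue, """", """""") & """"
End Function
```

Run it with `cscript //nologo UsersGroups.vbs` so the completion message appears on the console. Because tokenGroups is computed by the domain controller from the user's effective token, the result already includes nested groups and the primary group, which is why no recursive memberOf walk is needed; the cache keeps the number of group binds equal to the number of distinct groups rather than the number of membership rows.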