Checking if User is member of group including nested/sub groups!

Download: [download#4#size#nohits]

I had a challenge today.

Problem:

My Customer needs to insert a specific text in the Computer description field on the local PC, if the user is member of a specific group.

Challenges:

The problem is that most of the user are not directly members of the group.

but they are members of a nested group that if member of the group, or a nested group , that is member of a nested group , that is member of the group and so on.

This gave me a problem, since the usual way of checking the user membership is by using the “memberOf” property via ADSI.

This only shows the groups the users is directly connected to, and not the nested groups.

Ideas:

I found an example on Microsoft Scripting Guys:

http://technet.microsoft.com/en-us/magazine/cc161018.aspx

This example give you a complete list of the groups the user is member of.

This could be used for the checking, but the problem is that it is really slow! On our small AD it was 4-5 seconds before it was finished!

And I can only imagine how long it would take in a much larger forest!

Solution:

So I had to think it over, and I decided to go the other way around.

To check the group, and list the nested users.

and I came up with this solution:

You can use the example for all kinds of jobs, but in this case it runs the “InsertComputerDescription” function to insert computer description.

By | 2008-12-01T12:41:43+00:00 December 1st, 2008|Scripting & Development|8 Comments

About the Author:

Jakob Gottlieb Svendsen

Twitter: @JakobGSvendsen

Jakob Gottlieb Svendsen is a Microsoft Cloud and Data Center Management MVP (http://mvp.microsoft.com/en-us/default.aspx), Working as Global Lead Developer, Senior Consultant and Trainer at CTGlobal, where he is one of the driving forces in keeping CTGlobal a System Center Gold Partner and member of the System Center Alliance.

Since he started at Coretech in 2007, he has focused on Scripting and Development, primarily developing tools, extensions and scripts for the System Center Suite. His main area is Automation (including OMS/Azure Automation, Service Management Automation, PowerShell and Orchestrator). Another area is Windows Azure Pack / Azure Stack, where he does implementation, development, workshops and presentations. He is a world-wide renowned voice in the Automation field.

He is passionately devoted to the community, to which he contributes by being a moderator at TechNet and sharing his knowledge at http://blog.ctglobalservices.com/jgs

  • Co-founder: PowerShell User Group Denmark
  • Speaker at MMS 2016, Minneapolis (www.mmsmoa.com)
  • SCU Europe 2014, 2015, 2016 (www.systemcenteruniverse.ch)
  • Microsoft TechEd North America 2014, Houston
  • NIC 2012,2013,2014,2015, Oslo (www.nic.com)
  • Microsoft CampusDays 2011, 2013, Copenhagen
  • Microsoft TechDays 2015, Sweden (www.techdays.se)
  • Microsoft Partner Event: New in SC2012 SP1
  • User group meetings (PSUG.DK , SCUG.DK/BE/NO, AZMUG + more)
  • Microsoft Certified Trainer.
  • Microsoft Scripting Guys Forum Moderator

Main working areas:

  • Automation (Azure Automation, SMA, SCO)
  • Windows Azure Pack / Azure Stack
  • System CenterVisual Studio Team Services / Team Foundation Server
  • Development:C#.Net, VB.NET, VBScript, PowerShell, Service Manager, OpsMgr, ConfigMgr
  • Orchestrator
  • Windows Azure Pack / Azure Stack

Training:

  • Azure Automation
  • Service Management Automation
  • System Center Orchestrator
  • PowerShell, VBScript, C#.Net, VB.Net
  • Windows Azure Pack / Azure Stack Development Workshops

8 Comments

  1. Jorge Cortez February 11, 2009 at 22:56 - Reply

    Hi i im trying to use you script to add printers determined by groups areas, a similar problem with the subgroups, im having trouble with this part in specific ‘If (UserList.Exists(“LDAP://” & oADSystemInfo.UserName)) Then
    the problem is that its alway think that the user doesnt esxist, i was chequed the userlist colection and when i use userlist.count it says that is zero, i dont know why this var is geting erased or something like that any idea? thanks in advance

  2. Jakob Gottlieb Svendsen
    Jakob Gottlieb Svendsen February 12, 2009 at 10:35 - Reply

    Hello Jorge

    i sound like your

    GetMembers “LDAP://” & strGroupDN, strSpaces, dicSeenGroupMember

    is failing. This usually happens when the LDAP:// & strGroupGN is not correct

    Please check that the
    strGroupDN = “CN=CT Konsulenter,OU=Security,OU=Groups,OU=Coretech,DC=coretech,DC=intra”

    is correct for your system. otherwise the list will be empty.

    but there could be other reasons too.

    – Jakob

  3. Wity July 10, 2009 at 6:01 - Reply

    The script does’t work because the array is always empty.
    Line 67 should be :
    If NOT UserList.Exists(objMember.ADsPath) Then

  4. Jakob August 3, 2009 at 9:36 - Reply

    Wity:

    You are absolutely correct!
    I do not know how this error have appeared, if you look in the downloable file, it is correct.

    Thank you for the notice.

    – Jakob

  5. dirk adamsky March 17, 2010 at 19:02 - Reply

    Hi,

    I have created a script to enumerate the members of a nested group.
    It can be found here:

    http://deludi.nl/blog/vbscript/active-directory/groups/active-directory-vbscript-to-enumerate-the-members-of-nested-groups-v2/

    best regards,

    dirk adamsky

  6. joseph August 24, 2011 at 10:57 - Reply
  7. jak grać na giełdzie October 17, 2011 at 3:18 - Reply

    I am now not sure where you are getting your info, but great topic. I must spend a while studying more or understanding more. Thanks for wonderful info I was looking for this information for my mission.

  8. Raja December 29, 2014 at 14:14 - Reply

    Hi,

    i need to modify the above script such that, i want to verify if all users are member of a particular groups and need the output in a excel.(list of users not part of those groups)

    Can anyone suggest.

    thanks

Leave A Comment