Another day in IT dungeon paradise. I received a request to get a list of members from a domain group. How easy is that in a Windows 2003 AD environment? It's not easy, for sure. Let's call the group "Corp_Finance".
Some of you will say it's easy and that I just don't know the "NET GROUP CORP_Finance /DOMAIN" command. Well, for the record, I do know that command. But it lists the usernames, not their full names. Outside of the IT department, people care about full names, not usernames. So now you know why I wrote my own script to get the member list with full names.
I hope it will be very useful for you if you are a system admin. If you decide to use my script below, make sure to read the information after the script.
' ---------------------------------------------------------------------------
'
' Script: GroupMembers.vbs
' Purpose: This script returns members of a specified group in domain.
'          It lists the group members' full names
' Parameter: <Group Name>
' E.g., CScript GroupMembers.vbs Corp_finance
'
' Written by: Anand Venkatachalapathy
' ---------------------------------------------------------------------------
Dim arrNames()
Dim sGroup, intSize
Dim strUser, ObjUser
Dim objGroup, strHolder
intSize = 0
'Get the group name from command line parameter
sGroup = WScript.Arguments(0)
'Get the distinguished name of the group
Set objGroup = GetObject(GetDN(sGroup))
'Get the member's full name in the group
For Each strUser in objGroup.Member
    Set objUser = GetObject("LDAP://" & strUser)
    ReDim Preserve arrNames(intSize)
    arrNames(intSize) = objUser.CN
    intSize = intSize + 1
Next
'Sort the group member list
For i = (UBound(arrNames) - 1) to 0 Step -1
    For j = 0 to i
        If UCase(arrNames(j)) > UCase(arrNames(j+1)) Then
            strHolder = arrNames(j+1)
            arrNames(j+1) = arrNames(j)
            arrNames(j) = strHolder
        End If
    Next
Next
'Display the members name nicely
WScript.Echo "Group Name: " & sGroup
WScript.Echo "--------------------------------------------"
i = 1
For Each strName in arrNames
    Wscript.Echo i & ". " & strName
    i = i + 1
Next
' ---------------------------------------------------------------------------
' END OF SCRIPT
' ---------------------------------------------------------------------------
'-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
' Function: GetDN <Domain Group Name>
' Purpose: This function returns the distinguished name of the given group
'          from the domain
'-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Function GetDN(sGroup)
    Set rootDSE = GetObject("LDAP://RootDSE")
    DomainContainer = rootDSE.Get("defaultNamingContext")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADSDSOObject"
    conn.Open "ADs Provider"
    ldapStrUsers = "<GC://" & DomainContainer & _
        ">;(&(&(& (cn=" & sGroup & _
        ") (| (&(objectCategory=*)(objectClass=*)) ))));adspath;subtree"
    Set rs1 = conn.Execute(ldapStrUsers)
    While Not rs1.EOF
        Set FoundObject = GetObject (rs1.Fields(0).Value)
        GetDN = "LDAP://" & FoundObject.distinguishedName
        rs1.MoveNext
    Wend
    Set rs1 = Nothing
    Set conn = Nothing
    Set rootDSE = Nothing
End Function
'-*-*-*-*-*-*-*-*-*-*-End of Function*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Note: There is one problem with the above script of mine. It throws an error if the group member count is below 2.
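A hardened sketch of the lookup and enumeration steps, added here and not the author's code: GetDN concatenates the command-line argument straight into the LDAP filter, so a name containing * or parentheses changes what the search matches, and its While loop silently keeps the last hit. The version below escapes the name, refuses ambiguous matches, and reads members with GetEx, which returns an array even for a single member. The helper names EscapeLdapFilter, FindGroupPath and MemberNames are hypothetical, and restricting the search to objectCategory=group is an assumption about what the script is meant to find.

```vbscript
Option Explicit
' Added example, not the author's script; all helper names are hypothetical.
' Escape LDAP filter metacharacters (RFC 4515) so the name is matched literally.
Function EscapeLdapFilter(ByVal s)
    s = Replace(s, "\", "\5c")   ' backslash first: it is the escape character
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = Replace(s, ";", "\3b")   ' ";" delimits the ADO query string
End Function

' Return the LDAP:// path of exactly one group named sGroup, or "" otherwise.
Function FindGroupPath(sGroup)
    Dim rootDSE, conn, rs
    Set rootDSE = GetObject("LDAP://RootDSE")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "ADs Provider"
    Set rs = conn.Execute("<GC://" & rootDSE.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=group)(cn=" & EscapeLdapFilter(sGroup) & "));distinguishedName;subtree")
    FindGroupPath = ""
    If Not rs.EOF Then
        FindGroupPath = "LDAP://" & rs.Fields("distinguishedName").Value
        rs.MoveNext
        If Not rs.EOF Then FindGroupPath = ""   ' more than one match: refuse to guess
    End If
    conn.Close
End Function

' GetEx returns an array even for one member and raises an error for none.
Function MemberNames(objGroup)
    Dim arrDN, arrCN(), i
    MemberNames = Array()
    On Error Resume Next
    arrDN = objGroup.GetEx("member")
    If Err.Number <> 0 Then Exit Function   ' treated as an empty group
    On Error GoTo 0
    ReDim arrCN(UBound(arrDN))
    For i = 0 To UBound(arrDN)
        arrCN(i) = GetObject("LDAP://" & arrDN(i)).CN
    Next
    MemberNames = arrCN
End Function

Dim sPath, sName
sPath = FindGroupPath(WScript.Arguments(0))
If sPath = "" Then WScript.Echo "No single group with that name" : WScript.Quit 1
For Each sName In MemberNames(GetObject(sPath))
    WScript.Echo sName
Next
```

Sorting and numbering of the output are left out; the names come back in directory order.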
Much more graceful than mine. I had to do trim statements after the base:
On Error Resume Next
Set objGroup = GetObject _
    ("LDAP://cn=adgroup,ou=groups,dc=fabrikam,dc=com")
objGroup.GetInfo
arrMemberOf = objGroup.GetEx("member")
WScript.Echo "Members:"
For Each strMember in arrMemberOf
    WScript.echo strMember
Next
Thanks. When I think back, I started the script just like yours and ended up with the above.
Thanks. I’ll try this script soon.
To fix the issue of the error when the group membership is <=2 use:
"For Each objUser in objGroup.Members"
instead of
"For Each strUser in objGroup.Member"
and adapt the code accordingly (leave out the now unneeded commands)