Windows Tip Sheet
Expand Your Horizons
Try this scriptless approach to getting information on group memberships.
- By Jeffery Hicks
One of the biggest challenges many administrators seem to have is keeping tabs on group membership. This is even more of a problem now that we can nest groups. A popular script is one that queries group memberships recursively. But you don’t need a single line of VBScript. You can get all the information you need with the DSQuery and DSGet commands.
There are two parts to the ultimate solution but I want you to understand how they work. At the command prompt, type:
dsquery user -samid yourlogonname
You should get the distinguished name of your user object. The beauty of the DS commands is that the output of one command can serve as the input for another. Try this:
dsquery user -samid yourlogonname | dsget user
You'll end up with a little more information about your user account. You can use DSGet to return other information, but for our purposes we want to get at group membership. Run this command:
dsquery user -samid yourlogonname | dsget user -memberof
You should be rewarded with the distinguished names of all the groups the user account belongs to. If you want to check for nested group membership, use a command like this:
dsquery user -samid yourlogonname | dsget user -memberof -expand
Now you have a longer list of group names. You can’t tell where a group is necessarily nested, but you’ll at least know which group membership is affecting the user. You can also search for more than one user this way:
dsquery user -limit 0 | dsget user -memberof -expand
This expands the group membership for all user accounts in the domain.
You can also come at this from the group angle:
dsquery group -samid "Sales Staff" | dsget group -members
If you want to expand nested group membership you can use -expand as I did earlier:
dsquery group -samid "Sales Staff" | dsget group -members -expand
By the way, if you don’t know the complete group name, wild cards are allowed:
dsquery group -samid "Sales*" | dsget group -members -expand
Finally, want to build a membership report for all users? Try these commands:
dsquery group -limit 0 >groups.txt
for /f "tokens=*" %g in (groups.txt) do @echo %g >>membership.txt && echo Members: >>membership.txt && dsget group %g -members >>membership.txt && echo **************************************** >>membership.txt
The For command is one long expression, so type it on a single line. (If you put it in a batch file, double the percent signs: %%g.) I had to jump through a few hoops to keep all the information together, but it’s there.
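Because that report lists only the direct members of each group, it can answer the question the -expand output cannot: where a group is nested. The PowerShell below is an added example, not part of the original column; it assumes the membership.txt layout produced by the For loop, with distinguished names quoted the way dsquery and dsget print them, and its function names are hypothetical.

```powershell
# Added example. The report text is constructed; every DN in it is made up.
$sample = @'
"CN=Domain Admins,CN=Users,DC=example,DC=com"
Members:
"CN=Server Ops,OU=Groups,DC=example,DC=com"
****************************************
"CN=Server Ops,OU=Groups,DC=example,DC=com"
Members:
"CN=Help Desk,OU=Groups,DC=example,DC=com"
"CN=Domain Admins,CN=Users,DC=example,DC=com"
****************************************
"CN=Help Desk,OU=Groups,DC=example,DC=com"
Members:
"CN=Pat Lee,OU=Staff,DC=example,DC=com"
****************************************
'@

function ConvertFrom-MembershipReport {
    param([string[]]$Line)
    $parents = @{}      # member DN -> groups that list it as a direct member
    $group = $null
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\*+$') { $group = $null; continue }   # end of a group block
        if ($text -notmatch '^"') { continue }                   # "Members:", blank lines
        $dn = $text.Trim('"')
        if ($null -eq $group) { $group = $dn; continue }         # first DN names the group
        if (-not $parents.ContainsKey($dn)) { $parents[$dn] = @() }
        $parents[$dn] += $group
    }
    $parents
}

function Get-NestingPath {
    param([hashtable]$Parents, [string[]]$Path)
    foreach ($g in $Parents[$Path[-1]]) {
        if ($Path -contains $g) { continue }    # circular nesting: stop, do not loop
        $next = $Path + $g
        $next -join '  <-  '                    # one line per chain, innermost first
        Get-NestingPath -Parents $Parents -Path $next
    }
}

$parents = ConvertFrom-MembershipReport -Line ($sample -split '\r?\n')
Get-NestingPath -Parents $parents -Path 'CN=Pat Lee,OU=Staff,DC=example,DC=com'
# Against a real report: ConvertFrom-MembershipReport -Line (Get-Content membership.txt)
```

Each output line is one chain from the account up through the groups that contain it, so a privileged group reached only through nesting shows up with the intermediate groups that grant it.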
The next time you’re struggling with a group membership problem, I hope some of these steps will get you the information you need in practically no time.
Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.