Windows Tip Sheet

Expand Your Horizons

Try this scriptless approach to getting information on group memberships.

One of the biggest challenges many administrators seem to face is keeping tabs on group membership. This is even more of a problem now that we can nest groups. A popular script is one that queries group memberships recursively. But you don’t need a single line of VBScript. You can get all the information you need with the DSQuery and DSGet commands.

There are two parts to the ultimate solution, but I want you to understand how they work. At the command prompt, type:

Dsquery user -samid yourlogonname

You should get the distinguished name of your user object. The beauty of the DS commands is that the output of one command can serve as the input for another. Try this:

Dsquery user -samid yourlogonname | dsget user

You'll end up with a little more information about your user account. You can use DSGet to return other information, but for our purposes we want to get at group membership. Run this command:

Dsquery user -samid yourlogonname | dsget user -memberof

You should be rewarded with the distinguished names of all the groups the user account belongs to. If you want to check for nested group membership, use a command like this:

Dsquery user -samid yourlogonname | dsget user -memberof -expand

Now you have a longer list of group names. You can’t necessarily tell where a group is nested, but you’ll at least know which group memberships are affecting the user. You can also search for more than one user this way:

Dsquery user -limit 0 | dsget user -memberof -expand

This expands the group membership for all user accounts in the domain.
You can also come at this from the group angle:

dsquery group -samid "Sales Staff" | dsget group -members

If you want to expand nested group membership you can use -expand as I did earlier:

dsquery group -samid "Sales Staff" | dsget group -members -expand

By the way, if you don’t know the complete group name, wild cards are allowed:

dsquery group -samid "Sales*" | dsget group -members -expand
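To see which members reach a group only through nesting, which the -expand listing alone does not show, compare the -members and -members -expand output of the commands above. The following PowerShell is an added example, not part of the original column; the function names and the example.local sample data are constructed, and it assumes dsget prints one quoted distinguished name per line.

```powershell
# Added example: list members that are in a group only via nesting.
# Assumption: each input line is one distinguished name, optionally quoted.

function ConvertFrom-DsOutput {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Strip surrounding whitespace and quotes; skip blank lines.
        $dn = "$l".Trim().Trim('"')
        if ($dn) { $dn }
    }
}

function Get-NestedOnlyMember {
    param(
        [string[]]$Direct,    # lines from: dsget group -members
        [string[]]$Expanded   # lines from: dsget group -members -expand
    )
    $directDns = @(ConvertFrom-DsOutput $Direct)
    # -notcontains compares case-insensitively, which suits DNs.
    ConvertFrom-DsOutput $Expanded |
        Where-Object { $directDns -notcontains $_ } |
        Sort-Object -Unique
}

# Constructed sample output (all names are made up for illustration).
$direct = @(
    '"CN=Alice Adams,OU=Sales,DC=example,DC=local"',
    '"CN=Regional Sales,OU=Groups,DC=example,DC=local"'
)
$expanded = @(
    '"CN=Alice Adams,OU=Sales,DC=example,DC=local"',
    '"CN=Regional Sales,OU=Groups,DC=example,DC=local"',
    '"CN=Bob Brown,OU=Sales,DC=example,DC=local"',
    ''
)

# Entries returned here are in the group only because of a nested group.
Get-NestedOnlyMember -Direct $direct -Expanded $expanded

# Against a live domain, capture the two listings from the column's commands:
# $direct   = dsquery group -samid "Sales Staff" | dsget group -members
# $expanded = dsquery group -samid "Sales Staff" | dsget group -members -expand
```

Running the comparison against groups that grant sensitive access is a quick way to spot accounts that inherited the access through a nested group rather than a direct assignment.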

Finally, want to build a membership report for all users? Try these commands:

dsquery group -limit 0 >groups.txt
for /f "tokens=*" %g in (groups.txt) do @echo %g >>membership.txt && echo Members: >>membership.txt && dsget group %g -members >>membership.txt && echo **************************************** >>membership.txt

The For command is one long expression, so type it on a single line at the command prompt; inside a batch file, write %%g instead of %g. I had to jump through a few hoops to keep all the information together, but it’s there.

The next time you’re struggling with a group membership problem, I hope some of these steps will get you the information you need in practically no time.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.
