

Enumerate Nested Users via LDAP ADSI- Can be VB

Posted on 2005-05-03
Medium Priority
Last Modified: 2007-12-19
I am trying to build a group access report.  You can assume that the starting group ADSI path is passed into an ASP page.  I need to take that AD group, look at all the nested users and groups and build a report with all users and the containers (nested groups) that they have access to.  So I want a complete view of every user that has access to the group (like the administrators group) listed on one report and not have to manually look in each nested group to see who is there.  For the example below:   Domain2\Enterprise Admins and Domain1\Domain Admins are nested in Domain1\Administrators.

UserName  Fullname   Description  Group Name
--------  ---------  -----------  -------------------------
user1     Jones,Bob  CA User      Domain1\Administrators
user2     Hots,Bob   NC User      Domain1\Domain Admins
user3     Tots,Bob   SC User      Domain1\Domain Admins
user4     Otts,Deb   US Field     Domain2\Enterprise Admins
4 Users found

So a group can potentially have multiple nestings (like Domain2\Enterprise Admins could have groups nested in it too) and I need the logic to be able to go as deep as it needs to back out all the users from each nested group.  That is what makes this one so much fun :)  This can be done in VB or VBScript.  Would like it sorted by the Group Name columns if possible and show the same user again and again if they are members of multiple nested groups.  Should be able to handle hundreds of entries, but I won't be running it on the Domain Users group of course.
Question by:sbdunn
1 Comment

Accepted Solution

TheMCSE earned 2000 total points
ID: 13922973
If you're looking for additional ADSI scripting, you may receive a faster response by posting here:


The code below should provide the information you desire.  The constants near the top of the script should be modified to reflect the appropriate values.  Running this may be frightening :)

Option Explicit
On Error Resume Next

' Change these constants to match your environment.
Const GROUP_DN = "WinNT://YOURDOMAIN/Administrators"
Const OUTPUT_FILE_NAME = "Groups.txt"
' Field separator written between the report columns.
Const DELIMITER = "	"

Dim intCounter, objFileOutput, objFSO

' Writes one line per member of the group at strDN and recurses into nested groups.
' Mid(path, 9) strips the leading "WinNT://" so the name prints as DOMAIN\name.
Sub EnumGroups(strDN, strGroupName)
    ' Declared per call so a nested call cannot overwrite the caller's group or loop variable.
    Dim objGroup, objMember
    Set objGroup = GetObject(strDN)
    For Each objMember In objGroup.Members
        Select Case objMember.Class
            Case "User"
                objFileOutput.WriteLine Replace(Mid(objMember.ADsPath, 9), "/", "\") & DELIMITER & objMember.FullName & DELIMITER & objMember.Description & DELIMITER & strGroupName
                intCounter = intCounter + 1
            Case "Group"
                ' Nested group: report its members under the nested group's own name.
                EnumGroups objMember.ADsPath, Replace(Mid(objMember.ADsPath, 9), "/", "\")
            Case Else
                ' Any other member class (for example a computer account): name and group only.
                objFileOutput.WriteLine Replace(Mid(objMember.ADsPath, 9), "/", "\") & DELIMITER & DELIMITER & DELIMITER & DELIMITER & strGroupName
                intCounter = intCounter + 1
        End Select
    Next
End Sub

intCounter = 0
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set objFileOutput = objFSO.CreateTextFile(OUTPUT_FILE_NAME)
objFileOutput.WriteLine Replace(Mid(GROUP_DN, 9), "/", "\") & vbCrLf & "------------------------------------------" & vbCrLf & "UserName" & DELIMITER & "FullName" & DELIMITER & "Description" & DELIMITER & "Group Name" & vbCrLf & "----------------------------------------------------------------------------------------------------------------"
EnumGroups GROUP_DN, Replace(Mid(GROUP_DN, 9), "/", "\")
objFileOutput.WriteLine intCounter & " user(s) found"
objFileOutput.Close

MsgBox "Completed enumerating users.", vbInformation, "Execution completed"

This creates a delimited file (fields separated by the value you specify in the DELIMITER constant, currently a tab).  If you have any questions, please let me know.  Good luck!
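
The following is an added example, not part of the original question or answer. It models the nested-group expansion on a constructed in-memory directory and goes beyond the posted script in two ways: each group is expanded only once, so circular or repeated nesting cannot loop or duplicate rows, and the rows are sorted by group name as the question asks. The names MEMBERS, expand_group and format_report are hypothetical; in real use the membership map would be filled from ADSI or LDAP queries.

```python
from collections import deque

# Constructed sample directory (not real data), shaped like the question's
# example plus a circular nesting and a user who sits in two groups.
MEMBERS = {
    r"Domain1\Administrators": [
        ("user", r"Domain1\user1"),
        ("group", r"Domain1\Domain Admins"),
        ("group", r"Domain2\Enterprise Admins"),
    ],
    r"Domain1\Domain Admins": [
        ("user", r"Domain1\user2"),
        ("user", r"Domain1\user3"),
        ("group", r"Domain1\Administrators"),   # circular nesting
    ],
    r"Domain2\Enterprise Admins": [
        ("user", r"Domain2\user4"),
        ("user", r"Domain1\user2"),             # same user, second group
        ("group", r"Domain1\Domain Admins"),    # group reachable by two routes
    ],
}

def expand_group(root, members):
    """Return sorted (user, group, nesting_path) rows for users reachable from root.

    A user appears once per group that directly contains them."""
    rows, seen, queue = [], {root}, deque([(root, (root,))])
    while queue:
        group, path = queue.popleft()
        for kind, name in members.get(group, []):
            if kind == "user":
                rows.append((name, group, " > ".join(path)))
            elif name not in seen:      # skip groups already queued or expanded
                seen.add(name)
                queue.append((name, path + (name,)))
    # Sort by group name, then user name, ignoring case.
    return sorted(rows, key=lambda r: (r[1].lower(), r[0].lower()))

def format_report(root, members):
    rows = expand_group(root, members)
    lines = ["\t".join(("UserName", "Group Name", "Nested via"))]
    lines += ["\t".join(r) for r in rows]
    lines.append(f"{len(rows)} membership row(s), "
                 f"{len({r[0] for r in rows})} distinct user(s)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(r"Domain1\Administrators", MEMBERS))
```

The "Nested via" column records the chain of groups through which each membership was first reached, which is what a reviewer needs to decide where to remove an unwanted grant.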
