VB replacement of ifmember.exe /list

I am trying to convert a logon script to VB, but I could not find an equivalent function for IFMEMBER.EXE.

The script is completely based on the array of group memberships that ifmember /list returns.

Therefore I need a function in VB that returns such an array as simply as ifmember /list does.

I do not want to care about or predefine which domain or OU the user is in; everything must relate to the current user.

I saw a lot of AD scripting and LDAP stuff, but could not find something that simply returns all groups the current user belongs to without predefining at least the LDAP domain.

Anyone have an idea?
GryznAuthor Commented:
I see that this will give me what I want:

arrMemberOf = objUser.GetEx("memberOf")

... but I still don't know how to get a user object from the current user...

That's a tricky question.  ifmember /list reads your access token to include EVERY group SID you are a member of, including nested groups, built-in security principals (like EVERYONE, INTERACTIVE, and Authenticated Users) which you won't get if you just query the user object's memberOf attribute.

There is another Microsoft command line utility that provides info very similar to ifmember:  whoami.exe

whoami /GROUPS

will dump much the same list as ifmember.  If you absolutely need this to be in a VBScript LDAP search, I would recommend starting with one of Richard Mueller's sample scripts (www.rlmueller.net) under "Free VBScript Code", "Group Membership Tests".  He has several versions of this type of script demonstrating different techniques, each with slightly different advantages and disadvantages.

But a compiled application that reads your access token directly is definitely the most efficient way to get this info (like ifmember or whoami).

GryznAuthor Commented:
Thanks for the hints dlwyatt82.

Frankly, I don't really need all of the information ifmember /list returns.

In the AD there is an OU "LoginControl" which contains global groups, nesting possible. I just need those groups the current user is a member of. But the OU name LoginControl is the only constant allowed. It must work on every domain.

The problem with all the samples around is that they are all based on "is a user a member of a KNOWN group". But I need to RETRIEVE the names of groups, which I don't know. This is because the group names themselves contain the action to do in the script. Different approach..

The main reason I cannot use an external program is: I do not have a guaranteed space to write the output to....

But I will study the samples of rlmueller, maybe I find a solution for me.

I see.  Well, Richard Mueller's examples pretty much cover all the bases (with some solutions handling nested groups, cross-domain nested groups, Primary Group, etc).  On that subject, a user's Primary Group is kind of a strange attribute, but 'most' of the time, that will just be Domain Users anyway.  Only legacy POSIX style applications might require the Primary Group to be changed.

But you do have the right idea to start with.  Querying a user's "memberOf" attribute will give you a list of the groups they are directly a member of (not nested), minus the primary group.  Here's an example of how you can obtain this basic information from Active Directory if you only know the user's login name:


Dim strLogin
Dim strDomainDN
Dim strGroup
Dim objAdoCon, objAdoCmd, objAdoRS

strLogin = "UserName"
' (You can obtain this however you like.  For this example,
' it's hard coded).

strDomainDN = "dc=company,dc=com"
' Your AD domain's distinguished name.  Again hard coded
' for simplicity in this example.

Set objAdoCon = CreateObject("ADODB.Connection")
Set objAdoCmd = CreateObject("ADODB.Command")

objAdoCon.Open "Provider=ADsDSOObject;"
Set objAdoCmd.ActiveConnection = objAdoCon

objAdoCmd.CommandText = _
  "SELECT memberOf FROM 'LDAP://" & strDomainDN & "' " & _
  "WHERE objectCategory='person' AND objectClass='user' AND " & _
  "sAMAccountName='" & strLogin & "'"

Set objAdoRS = objAdoCmd.Execute

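Do While (Not objAdoRS.EOF)
  ' memberOf is Null when the user has no direct group memberships
  If Not IsNull(objAdoRS("memberOf").Value) Then
    WScript.Echo Join(objAdoRS("memberOf").Value, vbCrLf)
  End If
  objAdoRS.MoveNext
Loop

' Release the recordset and the connection
objAdoRS.Close
objAdoCon.Close
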
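
An added example, not part of the original thread and not taken from Richard Mueller's scripts: one way to list the groups under the "LoginControl" OU for the current user without hard coding a domain. It assumes a domain-joined machine with a domain user logged on (the ADSystemInfo object fails otherwise); the names CONTROL_OU and CollectGroups are made up for this sketch.

```vbscript
Option Explicit

Const CONTROL_OU = "OU=LoginControl,"   ' OU name taken from the thread

Dim objSysInfo, objUser, objGroups, strDN

' ADSystemInfo reports the logged-on user's distinguished name,
' so neither the domain nor the user's OU has to be predefined.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & Replace(objSysInfo.UserName, "/", "\/"))

Set objGroups = CreateObject("Scripting.Dictionary")
objGroups.CompareMode = vbTextCompare   ' DNs compare case-insensitively

CollectGroups objUser, objGroups

For Each strDN In objGroups.Keys
  ' Keep only groups located under the LoginControl OU.
  If InStr(1, strDN, "," & CONTROL_OU, vbTextCompare) > 0 Then
    WScript.Echo objGroups(strDN)
  End If
Next

' Adds every group listed in objADObject's memberOf to objSeen
' (key = group DN, value = sAMAccountName), then follows each
' group's own memberOf so nested memberships are included.
Sub CollectGroups(objADObject, objSeen)
  Dim arrMemberOf, strGroupDN, objGroup

  ' GetEx raises an error when memberOf has no values.
  On Error Resume Next
  arrMemberOf = objADObject.GetEx("memberOf")
  If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Exit Sub
  End If
  On Error GoTo 0

  For Each strGroupDN In arrMemberOf
    ' The dictionary doubles as a visited set, so circular nesting ends.
    If Not objSeen.Exists(strGroupDN) Then
      ' A "/" inside a DN must be escaped in an ADsPath.
      Set objGroup = GetObject("LDAP://" & Replace(strGroupDN, "/", "\/"))
      objSeen.Add strGroupDN, objGroup.sAMAccountName
      CollectGroups objGroup, objSeen
    End If
  Next
End Sub
```

This reads directory attributes rather than the access token, so the primary group and built-in principals such as Authenticated Users do not appear in the result.
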
GryznAuthor Commented:
Sorry for leaving this question orphaned. I couldn't find the time to test the suggestions yet, but will do so in the next few days and give feedback.
GryznAuthor Commented:

Thanks for your input. Even though I was not able to re-create the full functionality of IFMEMBER, I've got all the information that I need for my generic login script.
