Friday, January 22, 2010

How to view or list group memberships for a user in Active Directory

There are two ways. One is to use a support tool called "ldp.exe" and the other is to script it. Let's talk about ldp.exe first.

LDP

This is a GUI tool that lets you view objects stored in Active Directory along with their metadata. A very useful tool. The tool is included when you install the Windows Server 2003 Support Tools from your install CD or from http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en.

Assuming you have installed the support tools on your client computer, here is how we use it to view group memberships for a user.
  1. Go to Start --> Run and bring up the command prompt by typing "cmd".
  2. Navigate to C:\Program Files\Support Tools and type ldp.exe. If you don't want to type in the path every time you go to the command prompt, you can create a shortcut with "C:\WINDOWS\system32\cmd.exe /K" as the Target and "C:\Program Files\Support Tools\" as the "Start in:" location. Whenever you hit that shortcut it will take you straight to "C:\Program Files\Support Tools\".
  3. Upon execution of ldp.exe, you will get a GUI. Go to "Connection"-->Connect. A dialog box appears. In the "Server" field type the name of your primary domain controller. Port is "389". You don't need to check the "Connectionless" and "SSL" options. Click OK. LDP will then retrieve the base DSA information. If it can't connect it will error out saying "Fail to connect" to "server".
  4. After a successful connection you will need to bind to the domain controller. Click on Connection-->Bind. Enter your domain username, password and domain name. Check the domain name checkbox. Click OK. You should be able to bind if you are an authenticated user; most domains allow Read permission to authenticated users by default.
  5. Go to "View"-->Tree. A "Tree View" dialog box appears. To the right of "BaseDN:" is a drop-down menu. Choose your domain's base DN from there, e.g. DC=Kathmandu,DC=local. Click OK. On the left pane you will see the base DN of your domain with a + sign to its left.
  6. Expand the + to the left of the base DN. That will list all the available OUs in your Active Directory.
  7. Expand the OU where the user belongs by double-clicking it. This will list the users and objects in that OU. If the OU contains a large number of users it may take some time before everyone is listed.
  8. Once expanded, double-click the user in question. On the right pane you will see the user's attributes listed. The attribute of interest to us is "memberOf". This lists the group memberships the user has. Every group membership is shown in distinguished name format, e.g. if the user belongs to the group "twain" in OU=fiction in the domain "kathmandu.local", then "CN=twain,OU=fiction,DC=kathmandu,DC=local".
  9. You may copy the whole of the text under "memberOf" and paste it into Notepad for further editing.

VBScript

We will need to know the user's distinguished name before we can retrieve the information. For more info on distinguished names go to http://msdn.microsoft.com/en-us/library/aa366101(VS.85).aspx. For now let's say we have a user Huckleberry Finn (as displayed in the Active Directory listing) in the Twain OU in the Kathmandu.local domain. Then the DN for that user would be CN=Huckleberry Finn,OU=Twain,DC=Kathmandu,DC=local. Having said that, here's the script:

' Not used by the rest of this script; left over from the source script.
Set objSysInfo = CreateObject("ADSystemInfo")

' Distinguished name of the user whose group memberships we want to list
strUserDN = "CN=Huckleberry Finn,OU=Twain,DC=Kathmandu,DC=local"

' Bind to the user object through the LDAP provider
Set objUser = GetObject("LDAP://" & strUserDN)

' GetEx raises an error when the attribute has no values, so trap it
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")

If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Member of no groups"
Else
    On Error GoTo 0
    WScript.Echo "Member of Group: "
    ' Each value is a group DN such as CN=twain,OU=fiction,DC=kathmandu,DC=local.
    ' Keep only the name after "CN=" in the first component.
    For Each strGroup In arrGroups
        strFormatted = Split(strGroup, ",")
        strFinal = Split(strFormatted(0), "=")
        Wscript.Echo " " & strFinal(1)
    Next
End If

(This script is not originally mine. Parts of the code were taken from http://www.rlmueller.net/MemberOf.htm and slightly modified to generate the desired output.)
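The script above takes everything before the first comma of each memberOf value and keeps what follows the "=". That works for plain names, but LDAP distinguished names escape a comma inside a value with a backslash (or as the hex escape \2C), so a group named "Sawyer, Tom" would be reported as "Sawyer\" and an audit based on that output would be wrong. As an added example that is not part of the original post or the rlmueller.net script, here is a stand-alone Python parser that follows the RFC 4514 escaping rules and extracts the group name from each memberOf DN, shown next to the naive split for comparison. Two things to keep in mind when reading memberOf for an audit: it lists only direct memberships (nested groups are not expanded), and it omits the user's primary group, which is recorded in the primaryGroupID attribute instead. The sample memberOf values in the block are constructed; the domain follows the post's Kathmandu.local example.

```python
"""Extract group names from Active Directory memberOf values.

Added example, not from the original post. Each memberOf value is a group
distinguished name (DN). Taking the text before the first comma truncates a
group whose CN contains an escaped comma; this parser unescapes the DN
following RFC 4514 so such names are reported whole.
"""

HEX_DIGITS = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a DN string into a list of (attribute, value) pairs.

    Handles backslash escapes (\\, \\= \\\\ and two-digit hex escapes such as
    \\2C) so that a comma inside a value does not start a new component.
    Multi-valued RDNs joined with '+' do not occur in memberOf values and are
    kept as part of the value.
    """
    rdns = []
    attr = None
    buf = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            # Two hex digits after the backslash encode one byte, e.g. \2C -> ','
            if i + 2 < n and all(ch in HEX_DIGITS for ch in dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped literal: \, \= \\ \+ and so on
                i += 2
            continue
        if not in_value and c == "=":
            attr = "".join(buf).strip()
            buf = []
            in_value = True
        elif in_value and c == ",":
            rdns.append((attr, "".join(buf)))
            buf = []
            in_value = False
        else:
            buf.append(c)
        i += 1
    if in_value:
        rdns.append((attr, "".join(buf)))
    elif buf:
        raise ValueError("malformed DN: %r" % dn)
    return rdns


def group_cn(member_of_dn):
    """Return the CN value (the group's name) of a memberOf DN."""
    rdns = split_dn(member_of_dn)
    if not rdns or rdns[0][0].upper() != "CN":
        raise ValueError("memberOf value does not start with CN=: %r" % member_of_dn)
    return rdns[0][1]


def naive_cn(member_of_dn):
    """The post's VBScript logic: text before the first comma, after the '='."""
    return member_of_dn.split(",")[0].split("=", 1)[1]


def group_names(member_of_values):
    """Map a list of memberOf DNs to the list of group names."""
    return [group_cn(dn) for dn in member_of_values]


# Constructed sample memberOf values (not real directory data), in the
# post's Kathmandu.local domain. The second and third group names contain
# a comma, escaped the two ways RFC 4514 allows.
SAMPLE_MEMBER_OF = [
    "CN=twain,OU=fiction,DC=kathmandu,DC=local",
    "CN=Sawyer\\, Tom,OU=fiction,DC=kathmandu,DC=local",
    "CN=Readers\\2C Group,OU=fiction,DC=kathmandu,DC=local",
]


if __name__ == "__main__":
    print("Member of Group: ")
    for dn in SAMPLE_MEMBER_OF:
        print(" %-16s (naive split gives: %s)" % (group_cn(dn), naive_cn(dn)))
```

The parser is fed the memberOf strings exactly as LDP or the VBScript would show them; in practice you would read them from the directory with whichever tool you use and run them through group_names before comparing against an expected list.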


Save the file to a folder on your computer. Let's say I saved it as groupmembership.vbs in C:\Scripts. To run it, go to the command prompt, change the directory to C:\Scripts and use cscript to run the script. It would look something like this:

C:\Scripts>cscript //nologo groupmembership.vbs > C:\groupmembershipOutput.txt


This will generate a text file in C:\ named groupmembershipOutput.txt.

If you don't specify the full path of the output location, e.g.:

C:\Scripts>cscript //nologo groupmembership.vbs > groupmembershipOutput.txt

then the output file will be generated in the C:\Scripts folder itself.


The //nologo can be omitted. If you omit it, cscript will write a couple of lines about the script host version and copyright to your output file.


Last but not least, changing the output file's extension to .csv will give you a comma-separated value file which can be manipulated in Excel.


Final note: don't reinvent the wheel but make sure you have a grasp of what you are doing.