When I first replied to your posting, I assumed the task
would not be much different from enumerating all the
groups a given user is a member of. When I tested the
code, however, it was more complex than I expected. It
requires two ADO searches, plus the recursive subroutine.
When I explored the "TokenGroups" method I referred to, I
found it is much worse. "TokenGroups" is great if you are
enumerating the groups a user is a member of. The
collection includes all groups (nested and primary). It
takes work to convert the Byte Arrays, but you only have
to bind to one user, plus each group (to get the group
When you enumerate members of a group, however, I find
that ADO cannot return the "TokenGroups" attribute.
(Someone correct me if I am wrong). Instead, to find all
users with a TokenGroups entry that matches the Sid of the
group in question, you must bind to every user in the
domain. This is not feasible in a large network.
That means that the code I posted previously is the best I
know of to date. It could be greatly simplified if you
don't need nested groups or the primary group, but a
function that claims to enumerate all members of a group
shouldn't have such shortcomings. I would welcome anyone
with better code.
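The two pieces the post describes, as an added Python example that is not the poster's VBScript: the first half converts the group's binary objectSid (the Byte Array conversion mentioned above) and derives primaryGroupToken from it, since that calculated attribute is simply the group's RID, the last sub-authority of its SID, and builds the ADO/LDAP filter for users whose PrimaryGroupID matches; the second half is the recursive member walk, with a set standing in for the dictionary object that guards against circular nesting and duplicate listings. The domain SID and the DNs in the in-memory directory are constructed sample values.

```python
import struct

def sid_from_string(sid: str) -> bytes:
    """Binary objectSid layout: revision, sub-auth count, 48-bit BE authority, LE 32-bit sub-auths."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_to_string(sid: bytes) -> str:
    """The Byte Array conversion the post mentions: binary objectSid -> S-1-5-... form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def primary_group_token(group_sid: bytes) -> int:
    """primaryGroupToken is not stored; it equals the group's RID (last sub-authority of its SID)."""
    count = group_sid[1]
    return struct.unpack_from("<I", group_sid, 8 + 4 * (count - 1))[0]

def primary_member_filter(group_sid: bytes) -> str:
    """Filter for the second ADO search: users whose primaryGroupID equals the group's token."""
    return ("(&(objectCategory=person)(objectClass=user)(primaryGroupID=%d))"
            % primary_group_token(group_sid))

def enum_group(directory: dict, group_dn: str, seen=None) -> set:
    """Recursive walk of 'member', like the EnumGroup sub; 'seen' stands in for the
    dictionary object that stops circular nesting and duplicate listings."""
    if seen is None:
        seen = {group_dn}  # the starting group is tracked but not listed as a member
    for member_dn in directory[group_dn].get("member", []):
        if member_dn in seen:
            continue
        seen.add(member_dn)
        if directory.get(member_dn, {}).get("objectClass") == "group":
            enum_group(directory, member_dn, seen)
    return seen - {group_dn}

# Constructed sample: Domain Users (RID 513) of a fictitious domain.
DOMAIN_USERS_SID = sid_from_string("S-1-5-21-1004336348-1177238915-682003330-513")

# Constructed directory with circular nesting (Staff -> Dev -> Staff) and a user on two paths.
STAFF, DEV = "CN=Staff,OU=Groups,DC=example,DC=com", "CN=Dev,OU=Groups,DC=example,DC=com"
ALICE, BOB = "CN=Alice,CN=Users,DC=example,DC=com", "CN=Bob,CN=Users,DC=example,DC=com"
DIRECTORY = {
    STAFF: {"objectClass": "group", "member": [DEV, ALICE]},
    DEV: {"objectClass": "group", "member": [STAFF, BOB, ALICE]},
    ALICE: {"objectClass": "user"},
    BOB: {"objectClass": "user"},
}
```

In a real run, `primary_member_filter` feeds the ADO search and its results are merged with `enum_group`'s set, so primary-group members appear once alongside the nested LDAP members.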
>A few notes on the attached code.
>1. The PrimaryGroupToken attribute of the group object is
>not stored in AD, but is calculated. The only way I know
>to force the calculation is to use ADO to find the group
>and return the PrimaryGroupToken attribute.
>2. Although the user attribute PrimaryGroupID is stored
>AD, ADO is still the best way to find all users with a
>given PrimaryGroupID attribute (that matches the
>PrimaryGroupToken for the group).
>3. Since you are using LDAP, I assume you want to include
>nested group memberships. The sub EnumGroup is recursive
>to handle this.
>4. A dictionary object is necessary to prevent an
>loop if the group nesting is circular. Also, a user can
>included in the group because the group is their "primary
>group", but also because they belong to another group
>has the given group as a member. Again, the dictionary
>object prevents such a user from being listed twice.
>5. The script as written takes the AdsPath of a group as
>the argument and displays all members of the group in a
>MsgBox. The script could be modified to output
>differently. For example, the MsgBox statement could be
>replaced by a Wscript.Echo statement. The output could
>then be redirected to a text file.
>6. The attached file has been renamed with .txt extension
>to prevent blocking by virus software. Rename to .vbs.
>>Thank you for the prompt reply & explanation.
>>Given the structure of our code, I think my best option
>>would be to "find all users in the domain
>>whose "PrimaryGroupID" matched the "PrimaryGroupToken"
>>the group". I would be very grateful if you could supply
>>me with some sample code for this scenario.
>>or reply to this email with the code as attachment (this
>>might be preferable as it maybe of interest to others in
>>>>We have an application that basically enumerates
>>>>within our Active Directory domain.
>>>>For some reason, it will not enumerate any members
>>>>Domain Users. It has a member count of 0; yet if look
>>>>this group from "Active Directory Users and
>>>>it lists several users (some of whom I've explicitly
>>>>Am I doing something wrong?
>>>>Any help / insight would be greatly appreciated.
>>>A common frustration results because the LDAP provider
>>>does NOT reveal membership in the "Primary Group". All
>>>your users have "Domain Users" as the primary group.
>>>is the default primary group, but can be changed. A few
>>>1. Assume that every user is a member of "Domain Users".
>>>2. Use the WinNT provider, which does reveal membership
>>>the primary group. However, WinNT cannot reveal
>>>in "nested" groups (of universal and global security
>>>3. Use the "TokenGroups" attribute of the user. This
>>>more code to use, but this multi-valued attribute is a
>>>collection of group SID's. It includes all groups the
>>>is a member of, including the primary group and all
>>>groups. Reply to this post if you want code.
>>>4. Use the methods in Q321360 and Q297951 to determine
>>>primary group membership.
>>>For your purpose (enumerating members of a group), if
>>>1 and 2 above are not options, you would have to
>>>the members revealed by LDAP, then find all users in
>>>domain whose "PrimaryGroupID" matched
>>>the "PrimaryGroupToken" of the group. Again, reply if