Vista - Detecting if a User is a Member of a Group

permalink · 07-31-2008

I'm working on some VBscript code to detect whether a user account is a
member of a particular group. However, I ran into a snag because sometimes
the user is a member only indirectly. That is, the user is part of some
domain user group that in turn is a member of a given group on the local
computer. My code only detects users who are directly members of the group.
Currently the code queries the members of a group like this (assuming that
you're interested in the group Power Users):

Set objAdmin = GetObject("WinNT://./Power Users,Group")
For Each objUser in objAdmin.Members
strNextUser = LCase(objUser.AdsPath)
Next

So suppose my computer is part of a domain called MYDM, and there's a user
group called MYDM\Test Group which includes my domain account called
MYDM\JohnDoe. And suppose also that the MYDM\Test Group has been added to the
Power Users group on my local machine. The above code will list MYDM\Test
Group as a member of the Power Users group, but it won't list MYDM\JohnDoe as
a member.

Is there a simple, reliable way around this? Thanks!
--
Joseph

permalink · 07-31-2008

"Joseph Morales" <JosephMorales@xxxxxx> wrote in message
news:E8CAD6AF-0677-4A41-AF86-F29B4A52441A@xxxxxx

Quote:

> I'm working on some VBscript code to detect whether a user account is a
> member of a particular group. However, I ran into a snag because sometimes
> the user is a member only indirectly. That is, the user is part of some
> domain user group that in turn is a member of a given group on the local
> computer. My code only detects users who are directly members of the
> group.
> Currently the code queries the members of a group like this (assuming that
> you're interested in the group Power Users):
>
> Set objAdmin = GetObject("WinNT://./Power Users,Group")
> For Each objUser in objAdmin.Members
> strNextUser = LCase(objUser.AdsPath)
> Next
>
> So suppose my computer is part of a domain called MYDM, and there's a user
> group called MYDM\Test Group which includes my domain account called
> MYDM\JohnDoe. And suppose also that the MYDM\Test Group has been added to
> the
> Power Users group on my local machine. The above code will list MYDM\Test
> Group as a member of the Power Users group, but it won't list MYDM\JohnDoe
> as
> a member.
>
> Is there a simple, reliable way around this? Thanks!
> --
> Joseph

You want to either enumerate a local group, or check if a particular user is
a member of a local group. There is no simple solution. I have an example
VBScript program that enumerates a local group linked here:

http://www.rlmueller.net/Enumerate%20Local%20Group.htm

And I have an example VBScript program that demonstrates a function to test
membership in a local group linked here:

http://www.rlmueller.net/IsMember9.htm

Not only must nested local groups be considered, but nested domain groups
(which requires the LDAP provider).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

permalink · 08-01-2008

"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxx> wrote in
message news:%23CCz5618IHA.4892@xxxxxx

Quote:

> a member of a local group. There is no simple solution. I have an example
> VBScript program that enumerates a local group linked here...
> And I have an example VBScript program that demonstrates a function to
> test membership in a local group linked here...

Wow! These examples must have been a lot of work. Thanks for sharing.
--
Joseph Morales
http://cthulhufiles.com

07-31-2008	#1 (permalink)
Joseph Morales n/a posts	Detecting if a User is a Member of a Group I'm working on some VBscript code to detect whether a user account is a member of a particular group. However, I ran into a snag because sometimes the user is a member only indirectly. That is, the user is part of some domain user group that in turn is a member of a given group on the local computer. My code only detects users who are directly members of the group. Currently the code queries the members of a group like this (assuming that you're interested in the group Power Users): Set objAdmin = GetObject("WinNT://./Power Users,Group") For Each objUser in objAdmin.Members strNextUser = LCase(objUser.AdsPath) Next So suppose my computer is part of a domain called MYDM, and there's a user group called MYDM\Test Group which includes my domain account called MYDM\JohnDoe. And suppose also that the MYDM\Test Group has been added to the Power Users group on my local machine. The above code will list MYDM\Test Group as a member of the Power Users group, but it won't list MYDM\JohnDoe as a member. Is there a simple, reliable way around this? Thanks! -- Joseph
My System Specs

07-31-2008	#2 (permalink)
Richard Mueller [MVP] n/a posts	Re: Detecting if a User is a Member of a Group "Joseph Morales" <JosephMorales@xxxxxx> wrote in message news:E8CAD6AF-0677-4A41-AF86-F29B4A52441A@xxxxxx Quote: > I'm working on some VBscript code to detect whether a user account is a > member of a particular group. However, I ran into a snag because sometimes > the user is a member only indirectly. That is, the user is part of some > domain user group that in turn is a member of a given group on the local > computer. My code only detects users who are directly members of the > group. > Currently the code queries the members of a group like this (assuming that > you're interested in the group Power Users): > > Set objAdmin = GetObject("WinNT://./Power Users,Group") > For Each objUser in objAdmin.Members > strNextUser = LCase(objUser.AdsPath) > Next > > So suppose my computer is part of a domain called MYDM, and there's a user > group called MYDM\Test Group which includes my domain account called > MYDM\JohnDoe. And suppose also that the MYDM\Test Group has been added to > the > Power Users group on my local machine. The above code will list MYDM\Test > Group as a member of the Power Users group, but it won't list MYDM\JohnDoe > as > a member. > > Is there a simple, reliable way around this? Thanks! > -- > Joseph You want to either enumerate a local group, or check if a particular user is a member of a local group. There is no simple solution. I have an example VBScript program that enumerates a local group linked here: http://www.rlmueller.net/Enumerate%20Local%20Group.htm And I have an example VBScript program that demonstrates a function to test membership in a local group linked here: http://www.rlmueller.net/IsMember9.htm Not only must nested local groups be considered, but nested domain groups (which requires the LDAP provider). -- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net --
My System Specs

08-01-2008	#3 (permalink)
Joseph Morales n/a posts	Re: Detecting if a User is a Member of a Group "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxx> wrote in message news:%23CCz5618IHA.4892@xxxxxx Quote: > a member of a local group. There is no simple solution. I have an example > VBScript program that enumerates a local group linked here... > And I have an example VBScript program that demonstrates a function to > test membership in a local group linked here... Wow! These examples must have been a lot of work. Thanks for sharing. -- Joseph Morales http://cthulhufiles.com
My System Specs

Similar Threads
Thread	Forum
Create user group in vista basic without the user and group manager window	Vista security
add user to group /group scope - Global /Group type - Security	PowerShell
Log in as administrator vs a member of admin group	Vista installation & setup
Quest AD group member	PowerShell
Administrator group member	Vista General