February 12, 2004 12:00 AM

Enumerating Nested Group Membership

Drill down through complex nested groups
Windows IT Pro
InstantDoc ID #41500
Downloads
41500.zip

One nice benefit of Active Directory (AD) over Windows NT is that AD supports complex group nesting. Nested groups give you flexibility in designing your group structure and applying ACLs to resources. This feature becomes available as soon as you raise an AD domain to the Windows Server 2003 functional level or the Windows 2000 native domain mode.

Nested groups are powerful, but they also add complexity. Because some group members might be groups themselves, you often can't simply look at the members of a group and determine which users will be affected by granting the group access to a resource. The Microsoft Management Console (MMC) Active Directory Users and Computers snap-in doesn't provide much help because it displays only the users that are direct members of a group. You have to double-click each member group to view its membership individually. But a simple script can take the legwork out of drilling down through nested-group membership.

Group Attributes
To illustrate group nesting, consider a group structure that mimics the hierarchy of a university's Computer Science department. Each class in the department is a group consisting of the students who have signed up for the class. Together, all the departmental class groups make up the Computer Science department group. Finally, the Computer Science department group is a member of the Engineering school group. This nested group structure provides the flexibility to grant access to resources to as broad an audience as everyone in the Engineering school or to as limited an audience as only the students in a particular Computer Science class.

Group objects in AD have two attributes that pertain to group membership. One is the member attribute, which stores references to objects that are direct members of the group. The other is the memberOf attribute, which stores references to other groups to which the group belongs.

These two attributes are linked in AD. You don't modify the memberOf attribute to change group membership; you can modify only a group's member attribute. AD automatically computes the memberOf attribute for a group (or other type of object, such as a user) from all the groups of which the object is a direct member. The memberOf attribute lets you identify the groups that an object is a member of without having to search all groups. For example, if the student1 user ID is a member of the Engineering group, student1's memberOf attribute contains a reference (specifically the distinguished name, or DN) to the Engineering group. The Engineering group's member attribute in turn has a reference (again a DN) that points to student1.

Using the Script
Now that you have a handle on group attributes, consider a script that enumerates nested-group membership. Listing 1 shows the code for enum_groups.vbs, which displays nested-group membership in a hierarchically indented list. To see the output's nested, indented display, you need to run enum_groups.vbs with Windows Script Host's (WSH's) CScript engine.

To use the script, copy it to a local directory on your computer and run the following command:

C:\Scripts> cscript enum_groups.vbs

This command causes the script to print the group membership of the Domain Admins group of the domain that authenticated you. Another way to run the script is to pass the DN of the group whose membership you want to enumerate. For example,

C:\Scripts> cscript enum_groups.vbs cn=engineering,cn=users,dc=foo,dc=edu

enumerates the members of the Engineering school group and produces the sample output that Figure 1 shows.

Retrieving the Group from AD
Within enum_groups.vbs, the code that callout A in Listing 1 shows determines which group to enumerate. To find out whether the user passed an argument to the script, the script creates a WScript.Arguments object, which provides access to all command-line arguments. If the number of arguments passed to the script doesn't equal 1, the script assumes that the user either didn't specify any arguments or specified too many.

In either case, the script makes a serverless bind to the RootDSE object. The DC Locator process automatically binds to a domain controller (DC) that's in the same domain as the user who's running the script. The script then constructs the DN of the Domain Admins group, so if someone runs the script without specifying a group to enumerate, the script will at least do something. When the user passes one parameter, the script puts that parameter in the strGroupDN variable.

The code at callout B starts by creating a VBScript dictionary object called dicSeenGroupMember. The script uses the dictionary object to keep track of groups it's already seen so that circular group nesting doesn't result in an infinite loop. Circular group nesting occurs when you have a loop in the group membership chain. For example, if groupA is a member of groupB, groupB is a member of groupC, and groupC is a member of groupA, the membership chain contains a loop. Circular group nesting isn't necessarily bad as long as you're aware of it when you're dealing with nested groups.

Finally, the code at callout B calls the DisplayMembers function. DisplayMembers uses three parameters: the ADsPath of the group to enumerate, the number of spaces to indent when printing members, and a reference to the dictionary object. I explain each of these parameters in more detail later.
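The walk that callouts A and B describe, modelled over a constructed in-memory directory so it runs without a domain (added example, not the article's enum_groups.vbs and not real AD data). It also covers the primary-group caveat a reader raises in the comments below: users whose primaryGroupID is the group's RID appear in neither the group's member attribute nor their own memberOf, so a flattening walk must add them separately. The DNs and RIDs 1101, 1102 and 1105 are invented; 513 is the well-known Domain Users RID.

```python
BASE = "cn=users,dc=foo,dc=edu"
# Constructed sample objects, not real AD data: groups carry "member" and a RID,
# users carry primaryGroupID. compsci <-> engineering is a deliberate loop.
DIRECTORY = {
    f"cn=engineering,{BASE}": {"member": [f"cn=compsci,{BASE}", f"cn=dean,{BASE}"], "rid": 1101},
    f"cn=compsci,{BASE}": {"member": [f"cn=cs101,{BASE}", f"cn=engineering,{BASE}"], "rid": 1102},
    f"cn=cs101,{BASE}": {"member": [f"cn=student1,{BASE}", f"cn=student2,{BASE}"], "rid": 1105},
    f"cn=dean,{BASE}": {"primaryGroupID": 513},
    f"cn=student1,{BASE}": {"primaryGroupID": 513},
    f"cn=student2,{BASE}": {"primaryGroupID": 513},
    f"cn=student3,{BASE}": {"primaryGroupID": 1105},  # primary group cs101: not in its member list
}

def member_of(dn):
    # memberOf as AD derives it: the inverse of every group's member attribute
    return sorted(g for g, o in DIRECTORY.items() if dn in o.get("member", []))

def primary_members(group_dn):
    # users whose primaryGroupID is this group's RID; they appear in neither member nor memberOf
    rid = DIRECTORY[group_dn]["rid"]
    return sorted(dn for dn, o in DIRECTORY.items() if o.get("primaryGroupID") == rid)

def display_members(group_dn, indent=0, seen=None):
    # indented listing like DisplayMembers; `seen` plays the role of dicSeenGroupMember
    seen = {} if seen is None else seen
    seen[group_dn] = True
    lines = []
    for m in DIRECTORY[group_dn]["member"]:
        if m in seen:  # only groups are ever recorded in seen
            lines.append(" " * indent + m + "  (already listed: circular nesting)")
            continue
        lines.append(" " * indent + m)
        if "member" in DIRECTORY[m]:
            lines.extend(display_members(m, indent + 2, seen))
    for u in primary_members(group_dn):
        lines.append(" " * indent + u + "  (primary group member)")
    return lines

def effective_users(group_dn, seen=None):
    # flattened set of users that an ACL granted to group_dn actually reaches
    seen = set() if seen is None else seen
    seen.add(group_dn)
    users = set(primary_members(group_dn))
    for m in DIRECTORY[group_dn]["member"]:
        if "member" not in DIRECTORY[m]:
            users.add(m)
        elif m not in seen:
            users |= effective_users(m, seen)
    return users
```

Run `print("\n".join(display_members(f"cn=engineering,{BASE}")))` to see the indented tree; effective_users is the set an access review should compare against the ACL.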

Comments
  • RYAN
    Jun 29, 2005

    I've been searching for this info off and on for a while. Thanks for the great script.

    The one caveat I found is this: If a member of the group has that group set as their primary group, they are not in the member attribute of the group, nor is the group in their memberOf attribute. I don't change the primary group from Domain Users too often, but it has happened on occasion. Just thought the readers of this article might find that tip useful.

    Thanks for the script!
    rpw

  • ARVIND
    May 08, 2005

    Hi mate,

    In your article on Windows 2000 nested groups, I see that you use the members property to find nesting.
    To my understanding it should be the memberOf property.

    E.g.:
    user a is memberOf group x
    group x has members (user a, user b and user c)
    group x is memberOf group y
    group y is memberOf group Domain Users.

    So the final tree for user a's group nesting is...

    User: A
    |
    |-->Group X
    |
    |-->Group Y
    |
    |--> Group Domain Users.

    Correct me if I'm wrong...

    Cheers,
    ad
