OK. So I had the need to write a script that pulls the memberof attribute of a user.

I needed this script because there was a suspicion that the reason the customer in question could not open content as a superuser is because the RMS Service account doesn't have permission to read the memberof attribute of users in the organization.

So I launched the command prompt as a domain admin and run the below script. Works no problem.

Launch the command prompt as the RMS Service account ("runas /user:domain\rmsservice cmd"), and run the script again, but nothing is returned for the memberof attribute.

Well now we know the cause, and the customer is off on their merry way granting rights to the RMSService account.

Again...no error trapping done in this script and *USE AT YOUR OWN RISK*.

Usage: > cscript memberof.vbs domain user@domain.com 0

Note: If you want to check the memberof attribute of the user on every GC use a 1 as the final argument. Useful for checking for replication issues.

' Memberof.vbs - Jason Tyler 10/7/2011
Set Args = Wscript.Arguments
strForestName = Args(0)
FindAll = Args(2)
'***Get all the GCs***'

set objRootDSE = GetObject("LDAP://" & strForestName & "/" & "RootDSE")
strADsPath = "<LDAP://" & objRootDSE.Get("configurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=ntdsdsa)(options=1));"
strAttrs   = "distinguishedname;"
strScope   = "SubTree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
If FindAll = 1 Then
End If

'***Get relative info from the user in question***
Do until objRS.EOF
    set objNTDS = GetObject("LDAP://" & objRS.Fields("distinguishedname").Value)
    set objServer = GetObject( objNTDS.Parent )
    strGC =  objServer.Get("dNSHostName")
 Wscript.Echo "Connecting to " & strGC & " ..."
 set objRSUser = objConn.Execute("<GC://" & strGC & ">;(|(proxyaddresses=smtp:" & strUser & _
                            ")(mail=" & strUser & "));adspath;subtree")

 Wscript.Echo "Found " & objRSUser.RecordCount & " users(s) matching that name."

 set objUser = GetObject(objRSUSer.Fields("adspath").Value)

 strName = objUser.Get("name")
 strMail = objUser.Get("mail")
 objMemberof = objUser.GetEx("memberof")
  For Each objGroup in objMemberof
    strGroup = strGroup + objGroup + vbcrlf

Wscript.Echo "Name: " + strName + vbcrlf + "Email: " + strMail + vbcrlf + "Member Of: " + strGroup


Wscript.Echo "Done"