OK. So I had the need to write a script that pulls the memberof attribute of a user.

I needed this script because there was a suspicion that the reason the customer in question could not open content as a superuser is because the RMS Service account doesn't have permission to read the memberof attribute of users in the organization.

So I launched the command prompt as a domain admin and ran the below script. Works no problem.

Launch the command prompt as the RMS Service account ("runas /user:domain\rmsservice cmd"), and run the script again, but nothing is returned for the memberof attribute.

Well now we know the cause, and the customer is off on their merry way granting rights to the RMSService account.

Again...no error trapping done in this script and *USE AT YOUR OWN RISK*.

Usage: > cscript memberof.vbs domain user@domain.com 0

Note: If you want to check the memberof attribute of the user on every GC, use a 1 as the final argument. Useful for checking for replication issues.

'**********************************************************
' Memberof.vbs - Jason Tyler 10/7/2011
'**********************************************************
 
Set Args = Wscript.Arguments
 
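strForestName = Args(0)        ' forest/domain DNS name used to bind to RootDSE
strUser = Args(1)              ' user's e-mail address (matched against mail and proxyaddresses)
FindAll = CInt(Args(2))        ' 0 = query a single GC, 1 = query every GC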
 
'***Get all the GCs***'

set objRootDSE = GetObject("LDAP://" & strForestName & "/" & "RootDSE")
strADsPath = "<LDAP://" & objRootDSE.Get("configurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=ntdsdsa)(options=1));"
strAttrs   = "distinguishedname;"
strScope   = "SubTree"
 
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
 
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
If FindAll = 1 Then
    objRS.MoveFirst
Else
    objRS.MoveLast
End If

'***Get relevant info from the user in question***

Do Until objRS.EOF
    Set objNTDS = GetObject("LDAP://" & objRS.Fields("distinguishedname").Value)
    Set objServer = GetObject(objNTDS.Parent)
    strGC = objServer.Get("dNSHostName")
    Wscript.Echo "Connecting to " & strGC & " ..."

    ' Search this GC for the user by SMTP proxy address or mail attribute
    Set objRSUser = objConn.Execute("<GC://" & strGC & ">;(|(proxyaddresses=smtp:" & strUser & _
                                ")(mail=" & strUser & "));adspath;subtree")

    Wscript.Echo "Found " & objRSUser.RecordCount & " user(s) matching that name."

    Set objUser = GetObject(objRSUser.Fields("adspath").Value)

    strName = objUser.Get("name")
    strMail = objUser.Get("mail")

    ' Reset per GC so groups read from an earlier GC are not repeated in this GC's output
    strGroup = ""
    objMemberof = objUser.GetEx("memberof")
    For Each objGroup In objMemberof
        strGroup = strGroup & objGroup & vbCrLf
    Next

    Wscript.Echo "Name: " & strName & vbCrLf & "Email: " & strMail & vbCrLf & "Member Of: " & strGroup

    objRS.MoveNext
Loop
 

Wscript.Echo "Done"

 

-Jason
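
Added example (not part of the original post or script): when the script is run with 1 as the final argument, the per-GC output has to be compared by eye to spot a replication problem. This Python sketch parses the text the script echoes and reports which GCs are missing groups that another GC returned. The host names and group DNs in the sample are constructed, and it assumes each "Connecting to" block lists only the groups read from that GC.

```python
import re

# Constructed sample of "cscript memberof.vbs ... 1" output (hosts and DNs are made up).
SAMPLE = """\
Connecting to gc1.example.test ...
Found 1 user(s) matching that name.
Name: Test User
Email: user@example.test
Member Of: CN=RMS Users,OU=Groups,DC=example,DC=test
CN=Sales,OU=Groups,DC=example,DC=test

Connecting to gc2.example.test ...
Found 1 user(s) matching that name.
Name: Test User
Email: user@example.test
Member Of: CN=RMS Users,OU=Groups,DC=example,DC=test

Done
"""

def parse_memberof(output):
    """Return {gc_host: set of group DNs} from the script's echoed text."""
    groups, gc, in_groups = {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Connecting to (\S+) \.\.\.$", line)
        if m:                                  # start of a new GC block
            gc, in_groups = m.group(1), False
            groups[gc] = set()
        elif line == "Done":                   # end of the script's output
            gc, in_groups = None, False
        elif gc and line.startswith("Member Of:"):
            in_groups = True
            line = line[len("Member Of:"):].strip()
            if line:
                groups[gc].add(line.lower())   # DNs compare case-insensitively
        elif gc and in_groups and line:        # continuation lines: one DN each
            groups[gc].add(line.lower())
    return groups

def missing_per_gc(groups):
    """Map each GC to the group DNs that other GCs returned but it did not."""
    union = set().union(*groups.values()) if groups else set()
    return {gc: sorted(union - seen) for gc, seen in groups.items() if union - seen}

if __name__ == "__main__":
    for gc, missing in missing_per_gc(parse_memberof(SAMPLE)).items():
        print(gc, "is missing:", *missing, sep="\n  ")
```

An empty result means every GC returned the same set of groups; a GC that returned no groups at all shows up as missing everything the others reported.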