Article ID: 301916 - Last Review: January 15, 2007 - Revision: 4.1
How to enumerate a user's security group membership using Visual Basic or Visual Basic Script
This article was previously published under Q301916

SUMMARY
This article describes a method for enumerating the security groups that a user is a member of by using Microsoft Visual Basic or Microsoft Visual Basic Script (VBScript). The method described here does not enumerate the local security groups and will not work across foreign forests.
MORE INFORMATION
The tokenGroups property of an Active Directory (AD) user object contains the binary security identifiers (SIDs) of all of the security groups that a user is a member of. This property is a constructed attribute, which means that the property is created on the client by the provider and not stored as data in the AD. An alternate approach is to read the memberOf attribute, which is an enumeration of the immediate groups, including both security and distribution groups. The memberOf attribute does not enumerate the nested groups. The best approach for performing security group enumeration is to go through the security infrastructure and use the security APIs, but these APIs cannot be called directly from Visual Basic or VBScript. For more information on these alternate solutions, see the "References" section of this article.

Converting SIDs from binary to a human-readable form
The SID for the group is stored in its binary form in the tokenGroups attribute. This form is not human-readable, nor can it be used to bind to the group object. The SID must be converted if you want to use it to bind to an object.

The IADsSID object that is exported by ADsSecurity.dll can be used in a Visual Basic program to convert the binary SID into a Security Account Manager (SAM) account name or a Lightweight Directory Access Protocol (LDAP) DN. Unfortunately, the IADsSID object cannot be used from a Visual Basic Script. "Using IADsSID from Visual Basic to Resolve a Binary SID into a String," which follows this section, contains a Visual Basic code snippet that uses the IADsSID object to convert the binary SID into a string.

A Visual Basic Script solution involves the use of the Array Converter sample (see the "References" section). The ADs.ArrayConvert object can be used to convert the binary SID into a hex string. From this hex string, an LDAP SID bind string can be created. By using the SID bind string, you can obtain the group object from the AD. The section "Using ADs.ArrayConvert from Visual Basic Script to Build an SID Bind String," following in this article, contains a Visual Basic Script example that illustrates how to use the ADs.ArrayConvert object to create an SID bind string.

Using IADsSID from Visual Basic to resolve a binary SID into a string
ADsSecurity.dll must be registered on the client through the use of Regsvr32 before you can use the IADsSID object. In the Visual Basic project references, the ADsSecurity 2.5 Type Library and the Active DS Type Library must be selected.

Using ADs.ArrayConvert from Visual Basic Script to build an SID bind string
In order for this code snippet to function correctly, ADS.dll must be registered on the client (see "References").
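The following is an added example, not the article's own snippet: it reads tokenGroups for one user, builds an LDAP://<SID=...> bind string from each binary SID, and binds to the group behind it. It swaps the ADs.ArrayConvert hex conversion for plain VBScript string functions, so ADS.dll does not need to be registered; the user DN, domain and helper names (ResolveSid, OctetToHexStr) are constructed for the example.

```vbscript
Option Explicit

' Added example, not the article's own snippet: list the security groups in a
' user's tokenGroups by binding to each SID with the LDAP://<SID=...> syntax.
' The binary-to-hex step uses plain VBScript string functions in place of the
' ADs.ArrayConvert object, so ADS.dll does not have to be registered.
' Assumption: strUserDN is a user in the current forest (constructed sample).

Dim strUserDN, objUser, bytSid
strUserDN = "CN=Jane Doe,OU=Users,DC=example,DC=com"

Set objUser = GetObject("LDAP://" & strUserDN)
' tokenGroups is constructed by the provider, so it must be asked for by name;
' the implicit GetInfo that a plain Get triggers does not populate it.
objUser.GetInfoEx Array("tokenGroups"), 0

For Each bytSid In objUser.GetEx("tokenGroups")
    WScript.Echo ResolveSid("LDAP://<SID=" & OctetToHexStr(bytSid) & ">")
Next

' Bind to the object behind a SID bind string and describe it. A SID from a
' foreign forest or a well-known SID has no group object here: the bind either
' fails or lands on a foreignSecurityPrincipal, and both cases are reported
' instead of being silently dropped.
Function ResolveSid(strBind)
    Dim objTarget
    On Error Resume Next
    Set objTarget = GetObject(strBind)
    If Err.Number <> 0 Then
        Err.Clear
        ResolveSid = "unresolved" & vbTab & strBind
    ElseIf objTarget.Class <> "group" Then
        ResolveSid = objTarget.Class & vbTab & objTarget.Get("distinguishedName")
    Else
        ResolveSid = objTarget.Get("sAMAccountName") & vbTab & _
                     objTarget.Get("distinguishedName")
    End If
End Function

' Convert an ADSI octet string (byte array) to the hex string that the
' <SID=...> bind syntax expects: two hex digits per byte, in byte order.
Function OctetToHexStr(arrbytOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function
```

Run it with cscript so that the one-line-per-group output goes to the console rather than to a message box for each group.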
REFERENCES
For more information on groups in Windows 2000, see the following MSDN Library topic:
Groups in Active Directory
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/groups_in_active_directory.asp
For more information about ADS.dll and ARRAYCONVERT, click the following article number to view the article in the Microsoft Knowledge Base:
250344 ARRAYCONVERT.EXE Variant conversion functions
http://support.microsoft.com/kb/250344/
Adssecurity.dll is part of the Active Directory Service Interfaces (ADSI) 2.5 Resource Kit. To download the ADSI 2.5 Resource Kit, visit the following Microsoft Web site:
http://www.microsoft.com/technet/archive/winntas/downloads/adsi25.mspx?mfr=true
Use Regsvr32 to register ADsSecurity.dll.
For more information about using the memberOf attribute, click the following article number to view the article in the Microsoft Knowledge Base:
220043 How to find distribution list membership for a given recipient
http://support.microsoft.com/kb/220043/
For more information about the Security API, click the following article number to view the article in the Microsoft Knowledge Base:
118626 How to determine whether a thread is running in user context of local administrator account
http://support.microsoft.com/kb/118626/
See also the following MSDN Library topics:
OpenThreadToken
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/openthreadtoken.asp
Access Tokens
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/access_tokens.asp