The DisplayMembers Function
Callout C shows the script's workhorse code—the code for the DisplayMembers function. DisplayMembers is a recursive function that enumerates the members of a group, then calls itself to enumerate all those members that are groups. Then, DisplayMembers begins a For Each...Next loop. The loop iterates over all members of the group, calling the Members method for each member. Only IADsGroup objects have the Members method; if the ADsPath doesn't belong to a group object, the script will die rather ungracefully at the first line of the loop. When the ADsPath belongs to a group object, the script returns an IADsMember object for each member of the group.
Within the loop, enum_groups.vbs first uses the Get method to retrieve the member's DN, then prints it. At this point in the script, DisplayMembers' second parameter—the number of spaces to indent—comes into play. Because I want the script to show the hierarchy of group nesting, the script prints spaces before it prints each member. Later, when DisplayMembers calls itself, it increases the number of spaces to indent for each level in the members hierarchy, as Figure 1 shows.
Next, enum_groups.vbs uses the Class method to check the member object's class type. For groups, the Class method returns group, which indicates that group nesting occurs and that the script needs to enumerate the members of the nested group as well. However, before enum_groups.vbs enumerates the nested group's membership, it needs to determine whether it's already enumerated that group. I don't want the script to enumerate a group more than once because doing so could cause an infinite loop, as I explained earlier. To determine whether it's already enumerated the group, enum_groups.vbs checks whether the group has been added to the dictionary object. If it hasn't, the script hasn't enumerated it.
Whenever enum_groups.vbs enumerates a group, the script first adds the group to the dictionary object so that the script won't enumerate the group again. Then, the script calls DisplayMembers again, and recursion comes into play. Remember that DisplayMembers' first parameter is the ADsPath of the group to enumerate, which the script obtains by using the ADsPath method. The second DisplayMembers parameter is the number of spaces to indent, and the script adds two spaces to the indentation for the nested group. The final parameter is a copy of the dictionary object.
That's all there is to enum_groups.vbs. Recursion works in this script because the script keeps track of groups that have been enumerated and calls DisplayMembers only when a group hasn't been enumerated. With recursive functions, you always need exit criteria. In enum_groups.vbs, the dictionary object serves that purpose.
Stay Turned for More Group Fun
Another task that's helpful when you use group nesting is viewing a user's complete group membership, including the user's membership in nested groups. You can accomplish this task by using the user's memberOf attribute to view all groups to which the user belongs and traversing the membership hierarchy of each of those groups. In an upcoming article, I'll describe how you can use a short script to accomplish this task.
End of Article
Prev. page
1
[2]
next page -->
