Microsoft KB Archive/301916

From BetaArchive Wiki

Article ID: 301916

Article Last Modified on 1/15/2007



APPLIES TO

  • Microsoft Active Directory Service Interfaces 2.5



This article was previously published under Q301916

SUMMARY

This article describes a method for enumerating the security groups that a user is a member of by using Microsoft Visual Basic or Microsoft Visual Basic Script (VBScript). The method described here does not enumerate the local security groups and will not work across foreign forests.

MORE INFORMATION

The tokenGroups property of an Active Directory (AD) user object contains the binary security identifiers (SIDs) of all of the security groups that a user is a member of, including groups reached through nesting. This property is a constructed attribute: the directory service computes it when a client explicitly asks for it, and it is not stored as data in the AD. Because it is constructed, it is not returned by a default attribute read; the code later in this article requests it explicitly with GetInfoEx.

An alternate approach is to read the memberOf attribute, which enumerates only the groups that the user is a direct member of, including both security and distribution groups. The memberOf attribute does not enumerate nested groups, and it also omits the user's primary group (the group identified by primaryGroupID, Domain Users by default). The best approach for performing security group enumeration is to go through the security infrastructure and use the security APIs, but these APIs cannot be called directly from Visual Basic or VBScript. For more information on these alternate solutions, see the "References" section of this article.
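The difference between a plain memberOf read and the flattened membership that tokenGroups represents is easiest to see on a small, fully known set of objects. The following Python is an added example and is not code from the KB article: it models a few constructed directory objects in memory (DNs under DC=example,DC=test, made-up RIDs, a deliberate nesting cycle between two groups) and walks memberOf transitively, adding the primary group and dropping distribution groups. The ADS_GROUP_TYPE_* flag values are the real ADSI constants; everything else is invented for the demonstration, and the primary group is matched by RID here instead of by building its SID from the domain SID as a real resolver would.

```python
"""Immediate memberOf versus transitive (tokenGroups-style) group membership.

Added example, not code from the KB article. DNs, RIDs and the memberOf links
are constructed; only the ADS_GROUP_TYPE_* flag values are real ADSI constants.
"""
from collections import deque

ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def signed32(value: int) -> int:
    """groupType is stored as a signed 32-bit integer, so a global security
    group reads back as -2147483646 rather than 0x80000002."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


USER = "CN=jdoe,OU=Users,DC=example,DC=test"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=test"
HELPDESK = "CN=HelpDesk,OU=Groups,DC=example,DC=test"
TIER1_OPS = "CN=Tier1Ops,OU=Groups,DC=example,DC=test"
ALL_STAFF = "CN=AllStaff,OU=Groups,DC=example,DC=test"

# Constructed snapshot of the attributes this example needs. HelpDesk and
# Tier1Ops are nested in each other on purpose, to show the walk terminates.
DIRECTORY = {
    USER: {"memberOf": [HELPDESK], "primaryGroupID": 513},
    DOMAIN_USERS: {"memberOf": [], "rid": 513,
                   "groupType": signed32(ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED)},
    HELPDESK: {"memberOf": [TIER1_OPS, ALL_STAFF], "rid": 1105,
               "groupType": signed32(ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED)},
    TIER1_OPS: {"memberOf": [HELPDESK], "rid": 1106,
                "groupType": signed32(ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED)},
    ALL_STAFF: {"memberOf": [], "rid": 1107,
                "groupType": ADS_GROUP_TYPE_GLOBAL_GROUP},  # distribution group: no security bit
}


def immediate_member_of(dn: str) -> list:
    """What a plain read of memberOf returns: direct memberships only."""
    return list(DIRECTORY[dn]["memberOf"])


def is_security_group(dn: str) -> bool:
    """Security groups carry ADS_GROUP_TYPE_SECURITY_ENABLED in groupType. The
    bitwise test works on the signed value because Python ints are arbitrary precision."""
    group_type = DIRECTORY[dn].get("groupType")
    return group_type is not None and bool(group_type & ADS_GROUP_TYPE_SECURITY_ENABLED)


def transitive_groups(dn: str) -> set:
    """Breadth-first walk up the memberOf links with a visited set, so group
    cycles terminate. The primary group is added from primaryGroupID because
    AD never lists it in memberOf (matched by RID here for simplicity)."""
    queue = deque(DIRECTORY[dn]["memberOf"])
    primary_rid = DIRECTORY[dn].get("primaryGroupID")
    if primary_rid is not None:
        queue.extend(g for g, attrs in DIRECTORY.items() if attrs.get("rid") == primary_rid)
    seen = set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(DIRECTORY[group]["memberOf"])
    return seen


def transitive_security_groups(dn: str) -> set:
    """The flattened set of security groups, which is what tokenGroups represents
    (as SIDs rather than DNs); distribution groups are dropped."""
    return {g for g in transitive_groups(dn) if is_security_group(g)}


if __name__ == "__main__":
    print("memberOf:             ", immediate_member_of(USER))
    print("transitive (all):     ", sorted(transitive_groups(USER)))
    print("transitive (security):", sorted(transitive_security_groups(USER)))
```

Running it shows memberOf returning only HelpDesk, while the transitive walk also yields Tier1Ops (nested), Domain Users (primary group) and AllStaff, and the security filter then removes AllStaff because its groupType lacks the security bit.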

Converting SIDs from binary to a human-readable form

The SID for each group is stored in its binary form in the tokenGroups attribute. This form is not human-readable, and it cannot be placed in an ADsPath as-is to bind to the group object. The SID must be converted if you want to use it to bind to an object.

The IADsSID object that is exported by ADsSecurity.dll can be used in a Visual Basic program to convert the binary SID into a Security Account Manager (SAM) account name or a Lightweight Directory Access Protocol (LDAP) DN. Unfortunately, the IADsSID object cannot be used from a Visual Basic Script. "Using IADsSID from Visual Basic to Resolve a Binary SID into a String," which follows this section, contains a Visual Basic code snippet that uses the IADsSID object to convert the binary SID into a string.

A Visual Basic Script solution involves the use of the Array Converter sample (see the "References" section). The ADs.ArrayConvert object can be used to convert the binary SID into a hex string. From this hex string, an LDAP SID bind string can be created. By using the SID bind string, you can obtain the group object from the AD. The section "Using ADs.ArrayConvert from Visual Basic Script to Build an SID Bind String," following in this article, contains a Visual Basic Script example that illustrates how to use the ADs.ArrayConvert object to create an SID bind string.
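Both helpers the article relies on (IADsSID and ADs.ArrayConvert) hide the SID layout itself. The following Python is an added example, not code from the KB article: it decodes the binary SID structure that tokenGroups returns (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) into the familiar S-1-... text, and builds the same LDAP://<SID=hex> bind string that the VBScript section produces with CvOctetStr2vHexStr. The Builtin\Administrators SID (S-1-5-32-544) is real; the domain identifier 1111111111-2222222222-3333333333 and the sample tokenGroups list are constructed test data.

```python
"""Decode binary SIDs from tokenGroups and build LDAP SID bind strings.

Added example, not part of the original KB article. It does in plain Python what
the article delegates to IADsSID / ADs.ArrayConvert, so the SID layout itself is
visible. The sample domain SID below is made up; S-1-5-32-544 is the real
Builtin\\Administrators SID.
"""
import struct

SID_MAX_SUB_AUTHORITIES = 15


def sid_bytes_to_string(sid: bytes) -> str:
    """Convert a SID in its binary (octet string) layout to 'S-1-...'.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then N 32-bit little-endian
    sub-authorities. objectSid and tokenGroups both use this layout.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than the fixed 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack(f"<{count}I", sid[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(text: str) -> bytes:
    """Inverse of sid_bytes_to_string: useful for building test input or for
    binding to a group whose SID you already know in text form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError("SID out of range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_bind_string(sid: bytes) -> str:
    """Build the LDAP://<SID=...> bind string ADSI accepts: the binary SID as a hex octet string."""
    return f"LDAP://<SID={sid.hex().upper()}>"


def is_domain_sid(text: str) -> bool:
    """True for S-1-5-21-<domain>-<rid> SIDs, i.e. groups that live in a domain
    rather than in the Builtin container (S-1-5-32-...)."""
    parts = text.split("-")
    return len(parts) >= 7 and parts[1:4] == ["1", "5", "21"]


def decode_token_groups(values):
    """Decode raw tokenGroups values into (sid_text, bind_string, is_domain)
    tuples, sorted by SID text so the output is stable."""
    rows = []
    for raw in values:
        sid_text = sid_bytes_to_string(raw)
        rows.append((sid_text, sid_bind_string(raw), is_domain_sid(sid_text)))
    return sorted(rows)


# Constructed sample of what a tokenGroups read might return for one user.
SAMPLE_TOKEN_GROUPS = [
    bytes.fromhex("01020000000000052000000020020000"),  # S-1-5-32-544, Builtin\Administrators
    sid_string_to_bytes("S-1-5-21-1111111111-2222222222-3333333333-513"),  # Domain Users (RID 513)
    sid_string_to_bytes("S-1-5-21-1111111111-2222222222-3333333333-512"),  # Domain Admins (RID 512)
]

if __name__ == "__main__":
    for sid_text, bind, in_domain in decode_token_groups(SAMPLE_TOKEN_GROUPS):
        print(f"{sid_text:48} domain={in_domain!s:5} {bind}")
```

The length and revision checks matter when the value did not come from a trusted directory read; a truncated or oversized octet string would otherwise be decoded into a SID that looks plausible but is wrong.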

Using IADsSID from Visual Basic to resolve a binary SID into a string

ADsSecurity.dll must be registered on the client through the use of Regsvr32 before you can use the IADsSID object. In the Visual Basic project references, the ADsSecurity 2.5 Type Library and the Active DS Type Library must be selected.

  ' Requires project references to "ADsSecurity 2.5 Type Library" and "Active DS Type Library".
  Dim oSid As New ADsSID
  Dim oUsr As IADsUser
  Dim grps As Variant
  Dim grp As Variant
  Set oUsr = GetObject("LDAP_ADsPATH_TO_A_ACTIVE_DIRECTORY_OBJECT")
  ' tokenGroups is a constructed attribute: it is only loaded when requested explicitly.
  oUsr.GetInfoEx Array("tokenGroups"), 0
  ' GetEx always returns an array, even when the attribute holds a single value.
  grps = oUsr.GetEx("tokenGroups")
  For Each grp In grps
    ' Load the binary SID, then read it back as DOMAIN\SamAccountName.
    oSid.SetAs ADS_SID_RAW, grp
    Debug.Print oSid.GetAs(ADS_SID_SAM)
  Next grp


Using ADs.ArrayConvert from Visual Basic Script to build an SID bind string

In order for this code snippet to function correctly, ADs.dll must be registered on the client (see "References"). Binding by SID fails for SIDs the queried domain cannot resolve, so the bind is guarded with error handling rather than left to abort the script.

Option Explicit
Dim args, obj, grps, oCvrt, k, hexSid, bindSid, oVal

set args = WScript.Arguments
if ( args.Count < 1 ) then
  WScript.Echo "ERROR: Wrong number of arguments."
  WScript.Echo "USAGE: tokengroups LDAP_ADsPath"
  WScript.Echo "WHERE: LDAP_ADsPath is the LDAP ADsPath of a user object in the domain"
  WScript.Echo
  WScript.Echo "NOTE: This script requires that ADs.DLL be registered on the client"
  WScript.Echo "in order to convert the binary SID into a form that can be used in a"
  WScript.Echo "bind string.  See KB Q250344"
  WScript.Echo
  WScript.Quit 1
end if

set obj = GetObject( args(0) )
' tokenGroups is a constructed attribute: it is only populated when requested explicitly.
obj.GetInfoEx Array("tokenGroups"), 0
' GetEx always returns an array, even when the attribute holds a single value.
grps = obj.GetEx("tokenGroups")

' ADs.ArrayConvert (from ADs.dll, see KB 250344) turns the octet string into a hex string.
set oCvrt = CreateObject("ADs.ArrayConvert")

for k = LBound(grps) to UBound(grps)
  hexSid = oCvrt.CvOctetStr2vHexStr( grps(k) )
  ' The hex form of the binary SID can be used directly in an LDAP SID bind string.
  bindSid = "LDAP://<SID=" & hexSid & ">"
  WScript.Echo bindSid
  On Error Resume Next
  set oVal = GetObject(bindSid)
  if Err.Number <> 0 then
    WScript.Echo "  (could not bind: error 0x" & Hex(Err.Number) & ")"
    Err.Clear
  else
    WScript.Echo "  " & oVal.Get("cn")
  end if
  On Error GoTo 0
  set oVal = Nothing
next


REFERENCES

For more information on groups in Windows 2000, see the following MSDN Library topic:

For more information about ADS.dll and ARRAYCONVERT, click the following article number to view the article in the Microsoft Knowledge Base:

250344 ARRAYCONVERT.EXE Variant conversion functions


ADsSecurity.dll is part of the Active Directory Service Interfaces (ADSI) 2.5 Resource Kit. To download the ADSI 2.5 Resource Kit, visit the following Microsoft Web site. Use Regsvr32 to register ADsSecurity.dll.


For more information about using the memberOf attribute, click the following article number to view the article in the Microsoft Knowledge Base:

220043 How to find distribution list membership for a given recipient


For more information about the Security API, click the following article number to view the article in the Microsoft Knowledge Base:

118626 How to determine whether a thread is running in user context of local administrator account


See also the following MSDN Library topics:

Keywords: kbhowto kbdswadsi2003swept KB301916