I received a message from Charles-André
Hello Steve,
First of all, keep up the good work, I really appreciate your newsletter.
Second, I’m looking to find a way to know, during logon script, if a user is in
a specific group. That way, a precise action, like a “net use”, could be done
on that user.
Server is Windows 2003
Client is Windows 7
Thanks for your help
As far as I know, there is no native command that will tell you this. We already have the source code for determining group membership – it is used heavily in our products.
Why not take that code and make a little command line utility out of it?
That is what we did. Just under 120K, it does one thing: it checks to see if the current user is a member of a specified group.
You can download it from our free downloads page (look towards the bottom).
Here is how you use it:
IsMember.exe [GROUP_NAME]
The application will then set the batch file ERRORLEVEL. If the user is a member, it will set it to 1. If the user is not a member, it will set it to zero.
How can you use it in a batch file? Here is an example batch file that will echo the result:
@REM ================================
@REM = IsMember.exe Example Script =
@REM = http://www.intelliadmin.com =
@REM ================================
@REM == Calling the IsMember.exe cmd line tool ==
@REM == Replace 'users' with the group you want to test ==
@IsMember.exe Users
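@REM == Now test the result. "if ERRORLEVEL n" is true for ==
@REM == any exit code >= n, so compare the exact value. ==
@if %ERRORLEVEL% EQU 0 goto NOT_MEMBER
@if %ERRORLEVEL% EQU 1 goto MEMBER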
@REM == If not a valid result, go to the end ==
@goto end
:MEMBER
@REM == Here you would put the batch commands that ==
@REM == should execute if the user is a member of ==
@REM == the group ==
@echo User is a member of the group
@goto end
:NOT_MEMBER
@REM == Here you would put the batch commands that ==
@REM == should execute if the user is *not* ==
@REM == a member of the group ==
@echo User is *not* a member of the group
@goto end
:END
Now you could map network drives, set printers, or run just about any command – depending on the user's group membership.
Simple to use, and no need to install anything. It works with Windows 2000, XP, 2003, Vista, 2008, and Windows 7 – Including the 64 bit versions.
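A logon script that maps drives for several groups has to read the exit code right after each IsMember.exe call and should do nothing when the code is neither 0 nor 1. The script below is an added example, not IntelliAdmin's code; the group names, drive letters, `\\fileserver` shares and log file path are placeholders, and it assumes IsMember.exe is on the PATH and the group names contain no spaces.

```batch
@echo off
setlocal
REM Added example. Accounting/Engineering, S:/T: and \\fileserver are placeholders.

call :MapIfMember Accounting  S: \\fileserver\accounting
call :MapIfMember Engineering T: \\fileserver\engineering
endlocal
goto :eof

:MapIfMember
REM %1 = group name, %2 = drive letter, %3 = UNC path
IsMember.exe %1 >nul 2>&1
REM Save the exit code at once; any later command may overwrite it.
set RC=%ERRORLEVEL%
if "%RC%"=="1" goto map_drive
if "%RC%"=="0" goto :eof
REM Any other value (for example 9009 when cmd cannot find IsMember.exe)
REM is a failure of the check itself: record it and map nothing.
echo %DATE% %TIME% IsMember %1 returned %RC% >> "%TEMP%\logon-ismember.log"
goto :eof

:map_drive
REM Drop a stale mapping first, then map without persisting it.
net use %2 /delete /y >nul 2>&1
net use %2 %3 /persistent:no >nul
goto :eof
```

Comparing the saved value exactly avoids the ordering trap of `if ERRORLEVEL n`, which is true for every exit code greater than or equal to n.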
Got an idea for a free tool? Send us an email at support@intelliadmin.com
18 comments
Just a thought – there’s the Windows Resource Kit tool IFmember – it does exactly the same thing as your tool (and has a suspiciously similar name!) – but comes supported by Microsoft too….
Did not know about that – Thanks for the tip
Thanks – this was much easier than having to write an entire VBS-script 🙂
I banged my head for four hours against a wall until I found your utility! A five minute fix and away I went. Thank you so much for providing this. (Server 2008 and Win7 x64)
Is not working for me, it can’t determine my group membership. The same happens with ifmember.
Any ideas?
@Victor Does the user running the script have access to the Active Directory? If you are running the script as a service account and this account doesn’t have the access you’ll run into such an issue.
Is there a way to get this executable to run silently?
There are no options from the command line to do this, but you can just redirect to nul and it will accomplish your goal:
IsMember.exe {GROUP} > nul
Hi, I’ve downloaded ISMEMBER.EXE and the following appears to be happening :
1. User added to AD group
2. User restarts machine and logs on
3. ISMEMBER indicates user is not part of group
4. User restarts machine again and logs on
5. ISMEMBER indicates user is a member of the group
Any suggestions please ?
Hi Andrew,
There is not much our program can do to fix this issue. More than likely it is windows that is not getting the group information until the next reboot.
Try this script when it is not working, and see if the group is on the list:
Option Explicit
Dim objNetwork, strDomain, strUser, objUser, objGroup, strGroupMemberships
' Get the domain and username from the WScript.Network object
Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName
' Instantiate the user object from the data above
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)
' Run through the users groups and put them in the string
For Each objGroup In objUser.Groups
strGroupMemberships = strGroupMemberships & objGroup.Name & ","
Next
MsgBox strGroupMemberships
If you copy and paste you might need to replace the quotes with regular ones…since I think the blog replaces them with quotes that won’t work in VBS
It doesn’t work with nested group. Maybe looking up the group from the process’ security token would work better?
In a batch file running on Server 2008 R2, the commands:
@REM == Now test the result. ==
@if ERRORLEVEL 1 goto MEMBER
@if ERRORLEVEL 0 goto NOT_MEMBER
… seem to be opposite. I had to do this
@REM == Now test the result. ==
@if ERRORLEVEL 0 goto MEMBER
@if ERRORLEVEL 1 goto NOT_MEMBER
Hi Mike,
You are right. I messed up. Error level if statements always need to start with a lower number. I have corrected the article
Is there any way to make it work with nested group?
Hello,
I’m running this as a 4 part script on Windows 2012 server:
REM (Gruppe = group)
:GRUPPE1
IsMember.exe Gruppe1
if ERRORLEVEL 0 goto GRUPPE1MEMBER else goto GRUPPE2
:GRUPPE1MEMBER
del "%USERPROFILE%\Desktop\*.lnk" /Q
xcopy /d /y "c:\Logonscript\Gruppe1\*.* " "%USERPROFILE%\Desktop"
goto end
:Gruppe2
IsMember.exe Gruppe2
if ERRORLEVEL 0 goto GRUPPE2MEMBER else goto GRUPPE3
:GRUPPE2MEMBER
echo Gruppe2member
del "%USERPROFILE%\Desktop\*.lnk" /Q
xcopy /d /y "c:\Logonscript\Gruppe2\*.* " "%USERPROFILE%\Desktop"
goto end
:Gruppe3
IsMember.exe Gruppe1
etc etc.
Problem is, on my Windows 2012 server it jumps to Gruppe1Member even on users that are not members of Gruppe1, and then goes to END. If I change my script to:
if ERRORLEVEL 0 goto GRUPPE2MEMBER else goto GRUPPE2
it will only execute the scripts under GRUPPE2MEMBER then end. Any ideas how to solve this?
Wrong syntax of ERRORLEVEL statement because there is more than one check. As shown above the second line of @if ERRORLEVEL will return the error-level of the previous line/command.
Should be:
@REM == Now test the result. ==
@if %ERRORLEVEL% EQU 0 goto NOT_MEMBER
@if %ERRORLEVEL% EQU 1 goto MEMBER
Happy scripting!
Hello, it appears that IsMember does not recognize Windows' default groups like “domain admins”. Should this be the case? Thanks.
Hello Don,
It should work fine with those accounts. But one thing to note: those names are dependent on the language your Windows install is in.
MS has these special identifiers that work across the board (Yours would be DA):
“AO” Account operators
“RU” Alias to allow previous Windows 2000
“AN” Anonymous logon
“AU” Authenticated users
“BA” Built-in administrators
“BG” Built-in guests
“BO” Backup operators
“BU” Built-in users
“CA” Certificate server administrators
“CG” Creator group
“CO” Creator owner
“DA” Domain administrators
“DC” Domain computers
“DD” Domain controllers
“DG” Domain guests
“DU” Domain users
“EA” Enterprise administrators
“ED” Enterprise domain controllers
“WD” Everyone
“PA” Group Policy administrators
“IU” Interactively logged-on user
“LA” Local administrator
“LG” Local guest
“LS” Local service account
“SY” Local system
“NU” Network logon user
“NO” Network configuration operators
“NS” Network service account
“PO” Printer operators
“PS” Personal self
“PU” Power users
“RS” RAS servers group
“RD” Terminal server users
“RE” Replicator
“RC” Restricted code
“SA” Schema administrators
“SO” Server operators
“SU” Service logon user