Check group membership from a batch file


by Steve Wiseman on November 4, 2010 · 18 comments

in Tips,Tools,Utility,Windows


I received a message from Charles-André:

Hello Steve,

First of all, keep on the good work, I really appreciate your newsletter.

Second, I’m looking to find a way to know, during logon script, if a user is in
a specific group. That way, a precise action, like a “net use”, could be done
on that user.

Server is Windows 2003
Client is Windows 7

Thanks for your help

As far as I know, there is not a native command that will tell you this. We already have the source code for determining group membership – it is used heavily in our products.

Why not take that code and make a little command line utility out of it?

That is what we did. Just under 120K, it does one thing: it checks to see if the current user is a member of a specified group.

You can download it from our free downloads page (Look towards the bottom)

Here is how you use it:

IsMember.exe [GROUP_NAME]

The application will then set the batch file ERRORLEVEL. If the user is a member, it will set it to 1. If the user is not a member, it will set it to zero.

How can you use it in a batch file? Here is an example batch file that will echo the result:


@REM ================================
@REM = IsMember.exe Example Script =
@REM = http://www.intelliadmin.com =
@REM ================================

@REM == Calling the IsMember.exe cmd line tool ==
@REM == Replace 'users' with the group you want to test ==
@IsMember.exe Users

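@REM == Now test the result. ==
@REM == "if ERRORLEVEL n" is true for any exit code >= n, ==
@REM == so compare the exact value instead ==
@if %ERRORLEVEL% EQU 0 goto NOT_MEMBER
@if %ERRORLEVEL% EQU 1 goto MEMBER
@REM == If not a valid result, go to the end ==
@goto end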

:MEMBER
@REM == Here you would put the batch commands that ==
@REM == should execute if the user is a member of ==
@REM == the group ==

@echo User is a member of the group

@goto end

:NOT_MEMBER
@REM == Here you would put the batch commands that ==
@REM == should execute if the user is *not* ==
@REM == a member of the group ==

@echo User is *not* a member of the group
@goto end

:END

Now you could map network drives, set printers, or run just about any command – depending on the user’s group membership.
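A logon-script sketch for the use case in the reader's question, added here as an example and not IntelliAdmin's own code: it checks several groups in turn and maps a drive for each match. The group names, drive letters, share paths and the tool's location next to the script are placeholders; the exit codes (1 = member, 0 = not a member) are the ones described above.

```batch
@echo off
setlocal
REM Added example. Group names, drive letters, share paths and the
REM location of IsMember.exe are placeholders, not values from the article.
REM Call the tool by full path so the script always runs the copy it ships with.
set "ISMEMBER=%~dp0IsMember.exe"

if not exist "%ISMEMBER%" (
    echo IsMember.exe not found next to this script 1>&2
    exit /b 2
)

call :MapIfMember "Accounting" H: "\\fileserver\accounting"
call :MapIfMember "Engineering" P: "\\fileserver\projects"
exit /b 0

:MapIfMember
REM %1 = group name, %2 = drive letter, %3 = UNC path
"%ISMEMBER%" %1 >nul
REM "if ERRORLEVEL n" means "exit code >= n", so "if ERRORLEVEL 0" matches
REM every result. Compare the exact value instead: 1 = member, 0 = not.
if %ERRORLEVEL% EQU 1 (
    net use %2 %3 /persistent:no >nul
) else if %ERRORLEVEL% EQU 0 (
    echo %USERNAME% is not in %~1, skipping %2
) else (
    echo Unexpected result from IsMember.exe for %~1 1>&2
)
goto :eof
```

Because each group is tested in its own subroutine call, a user who belongs to more than one group gets every matching drive rather than only the first.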

Simple to use, and no need to install anything. It works with Windows 2000, XP, 2003, Vista, 2008, and Windows 7 – Including the 64 bit versions.

Got an idea for a free tool? Send us an email at support@intelliadmin.com


{ 18 comments… read them below or add one }

1 Jack November 5, 2010 at 6:56 am

Just a thought – there’s the Windows Resource Kit tool IFmember – it does exactly the same thing as your tool (and has a suspiciously similar name!) – but comes supported by Microsoft too….

2 Steve Wiseman November 5, 2010 at 5:07 pm

Did not know about that – Thanks for the tip

3 Thomas November 26, 2010 at 6:16 am

Thanks – this was much easier than having to write an entire VBS-script 🙂

4 John March 21, 2011 at 7:36 pm

I banged my head for four hours against a wall until I found your utility! A five minute fix and away I went. Thank you so much for providing this. (Server 2008 and Win7 x64)

5 Victor August 10, 2011 at 11:38 am

Is not working for me, it can’t determine my group membership. The same happens with ifmember.

Any ideas?

6 BlueEagle April 19, 2012 at 1:22 am

@Victor Does the user running the script have access to the Active Directory? If you are running the script as a service account and this account doesn’t have the access you’ll run into such an issue.

7 Brandon December 6, 2012 at 3:57 pm

Is there a way to get this executable to run silently?

8 Steve Wiseman December 7, 2012 at 11:40 am

There are no options from the command line to do this, but you can just redirect to nul and it will accomplish your goal:


IsMember.exe {GROUP} > nul

9 Andrew May 30, 2013 at 7:36 am

Hi, I’ve downloaded ISMEMBER.EXE and the following appears to be happening :
1. User added to AD group
2. User restarts machine and logs on
3. ISMEMBER indicates user is not part of group
4. User restarts machine again and logs on
5. ISMEMBER indicates user is a member of the group

Any suggestions please ?

10 Steve Wiseman May 31, 2013 at 9:08 am

Hi Andrew,

There is not much our program can do to fix this issue. More than likely it is Windows that is not getting the group information until the next reboot.

Try this script when it is not working, and see if the group is on the list:


Option Explicit
Dim objNetwork, strDomain, strUser, objUser, objGroup, strGroupMemberships

' Get the domain and username from the WScript.Network object
Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName

' Instantiate the user object from the data above
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)

' Run through the user's groups and put them in the string
For Each objGroup In objUser.Groups
    strGroupMemberships = strGroupMemberships & objGroup.Name & ","
Next

MsgBox strGroupMemberships

If you copy and paste you might need to replace the quotes with regular ones…since I think the blog replaces them with quotes that won’t work in VBS

11 Alexandre Blanchette February 20, 2014 at 11:27 pm

It doesn’t work with nested group. Maybe looking up the group from the process’ security token would work better?

12 Mike January 9, 2015 at 12:35 am

In a batch file running on Server 2008 R2, the commands:
@REM == Now test the result. ==
@if ERRORLEVEL 1 goto MEMBER
@if ERRORLEVEL 0 goto NOT_MEMBER

… seem to be opposite. I had to do this:
@REM == Now test the result. ==
@if ERRORLEVEL 0 goto MEMBER
@if ERRORLEVEL 1 goto NOT_MEMBER

13 Steve Wiseman February 13, 2015 at 6:47 am

Hi Mike,

You are right. I messed up. Error level if statements always need to start with a lower number. I have corrected the article

14 Abhishek March 6, 2015 at 7:05 am

Is there any way to make it work with nested group?

15 Kent Nilsen March 13, 2015 at 7:44 am

Hello,

I’m running this as a 4 part script on Windows2012 server:

REM (Gruppe = group)

:GRUPPE1
IsMember.exe Gruppe1

if ERRORLEVEL 0 goto GRUPPE1MEMBER else goto GRUPPE2

:GRUPPE1MEMBER
del "%USERPROFILE%\Desktop\*.lnk" /Q
xcopy /d /y "c:\Logonscript\Gruppe1\*.* " "%USERPROFILE%\Desktop"

goto end

:Gruppe2
IsMember.exe Gruppe2

if ERRORLEVEL 0 goto GRUPPE2MEMBER else goto GRUPPE3

:GRUPPE2MEMBER
echo Gruppe2member
del "%USERPROFILE%\Desktop\*.lnk" /Q
xcopy /d /y "c:\Logonscript\Gruppe2\*.* " "%USERPROFILE%\Desktop"

goto end

:Gruppe3
IsMember.exe Gruppe1

etc etc.

Problem is, on my Windows 2012 server it jumps to Gruppe1Member even on users that are not members of Gruppe1, and then goes to END. If I change my script to:

if ERRORLEVEL 0 goto GRUPPE2MEMBER else goto GRUPPE2

it will only execute the scripts under GRUPPE2MEMBER then end. Any ideas how to solve this?

16 Oggy Loukanov April 16, 2015 at 3:42 pm

Wrong syntax of ERRORLEVEL statement because there are more than one check. As shown above the second line of @if ERRORLEVEL will return the error-level of the previous line/command.

Should be:

@REM == Now test the result. ==
@if %ERRORLEVEL% EQU 0 goto NOT_MEMBER
@if %ERRORLEVEL% EQU 1 goto MEMBER

Happy scripting!

17 Don April 19, 2016 at 5:51 pm

Hello, it appears that Ismember does not recognize Windows’ default groups like “domain admins”. Should this be the case? Thanks.

18 Steve Wiseman May 10, 2016 at 12:42 am

Hello Don,

It should work fine with those accounts. But one thing to note: those names are dependent on the language your Windows install is in.

MS has these special identifiers that work across the board (Yours would be DA):

“AO” Account operators
“RU” Alias to allow previous Windows 2000
“AN” Anonymous logon
“AU” Authenticated users
“BA” Built-in administrators
“BG” Built-in guests
“BO” Backup operators
“BU” Built-in users
“CA” Certificate server administrators
“CG” Creator group
“CO” Creator owner
“DA” Domain administrators
“DC” Domain computers
“DD” Domain controllers
“DG” Domain guests
“DU” Domain users
“EA” Enterprise administrators
“ED” Enterprise domain controllers
“WD” Everyone
“PA” Group Policy administrators
“IU” Interactively logged-on user
“LA” Local administrator
“LG” Local guest
“LS” Local service account
“SY” Local system
“NU” Network logon user
“NO” Network configuration operators
“NS” Network service account
“PO” Printer operators
“PS” Personal self
“PU” Power users
“RS” RAS servers group
“RD” Terminal server users
“RE” Replicator
“RC” Restricted code
“SA” Schema administrators
“SO” Server operators
“SU” Service logon user
