Recursive LDAP function to get nested groups

Here is a simple recursive function that I wrote which will give you nested groups and members for any given Active Directory group. Try it….it works! U can bind it to a tree later on to show it on the screen. I have also included an output of how it looks when bound to an iewc Treeview.


Dim AdsPath as string
Dim XMLRoles as string

AdsPath = GetAdsPathOfGroupThroughADO(“Domain Admins”)

XMLRoles = GetRoleMembers(Adspath)


Public Function GetAdsPathOfGroupThroughADO(ByVal Group As String) As String
On Error Resume Next
Set rs = CreateObject(“ADODB.RecordSet”)
rs.Open “;(sAMAccountName=” & Group & “);adspath”, “provider=ADsDSOObject”

If Not rs.EOF Then
s = rs(0).Value
End If

GetAdsPathOfGroupThroughADO = s
End Function

Public Function GetRoleMembers(ByVal RoleAdsPath As String) As String
Dim eu As Object
Dim XML As String

Set eu = CreateObject(“ess.user”)
Set Group = GetObject(RoleAdsPath)
XML = “”

For Each member In Group.Members
If member.Class = “Group” Then
XML = XML & vbCrLf & GetRoleMembers(member.ADsPath)
ElseIf member.Class = “foreignSecurityPrincipal” Then
On Error Resume Next
Set u = GetObject(“LDAP://=” & eu.SidStringToHexString( & “>”)
If Err.Number = 0 Then
XML = XML & vbCrLf & “”
End If
End If

XML = XML & vbCrLf & “”
GetRoleMembers = XML
End Function


eg. TreeView1.TreeNodeSrc = “XML returned by GetRoleMembers()….”
TreeView1.TreeNodeXsltSrc = Server.MapPath(“Treetransform.xslt”)�


3 thoughts on “Recursive LDAP function to get nested groups

  1. Hi,

    Thanks for sharing your insightful thoughts and suggestions – very cool and helpful indeed.

    In the spirit of sharing helpful information, thought I’d mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

    The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from

    Why bother writing complicated scripts, using unsupported command-line tools or paying for such tools, when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!

    If you’re into Active Directory security, then this tool is a must-have. Thought I’d share this helpful tip with you!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s