Actually memberof probably wouldn't be the right one to use here.
The better tool would be adfind
http://www.joeware.net/win/free/tools/adfind.htm
which will do an LDAP query for you. Specifically you want a query like
Base: Domain_DN
Filter: (&(objectcategory=group)(member=user_DN))
So say you had the domain sall.com and the user josebv and want to look
up what groups he was in in child.sall.com, I would do the following
1. Get the DN for the user
adfind -sc u:josebv -dsq
If there is one user by that name in the forest you will get one DN,
if you have multiple users with that name you will get multiple DNs,
pick the correct one.
2. Look up group memberships (all one line)
adfind -b dc=sall,dc=com -f "(&(objectcategory=group)(member=<insert user DN from 1>))" -dn
There is a little trick you can do as well which may be faster. If you
know of a GC that is a DC for the domain controller for the domain the
group is in, you can do the following
adfind -h GC_Name -sc u:josebv memberof
That will show all universal group memberships of the user as well as
any domain local group memberships in the domain that the GC is a DC
for. If that domain is the same domain as the user is in then it will
also show direct global group memberships as well other than primary
group. A lot of folks with multiple domains think that only universal
group membership is maintained in the GCs, that is only partially true.
Due to the implementation, depending on the GC you hit, you could find
other memberships as well, you just have to be aware of your architecture
and the Domain the GC is hosting.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
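
Added example, not part of the original post: building the step 2 filter from the DN returned in step 1, with the RFC 4515 escaping a DN needs when it contains parentheses, asterisks or backslashes, so the filter stays balanced and means what you intended. The function names and sample DNs are constructed for illustration; only the adfind switches shown in the post are used.

```python
# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    # Replace each special character with its backslash-hex form.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_membership_filter(user_dn):
    # Same filter as in the post, with the DN escaped and both groups closed.
    return "(&(objectcategory=group)(member=%s))" % escape_filter_value(user_dn)


def is_balanced(ldap_filter):
    # After escaping, every literal paren left in the string is filter syntax,
    # so a simple depth counter is enough to catch a missing or extra paren.
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def adfind_args(base_dn, user_dn):
    # Argument list for step 2; passing a list (no shell) avoids quoting issues.
    ldap_filter = group_membership_filter(user_dn)
    if not is_balanced(ldap_filter):
        raise ValueError("unbalanced LDAP filter: " + ldap_filter)
    return ["adfind", "-b", base_dn, "-f", ldap_filter, "-dn"]


if __name__ == "__main__":
    # Constructed sample DNs, in the form a -dsq lookup would print them.
    samples = [
        "CN=josebv,CN=Users,DC=sall,DC=com",
        "CN=Jose (Temp),OU=Staff,DC=sall,DC=com",
        r"CN=Vasquez\, Jose,OU=Staff,DC=sall,DC=com",
    ]
    for dn in samples:
        print(" ".join(adfind_args("dc=sall,dc=com", dn)))
```

The resulting list can be handed to subprocess.run() as-is on a machine where adfind is on the PATH.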