Using Ifmember.exe?

Ben Samuals

Has anyone had trouble using the ifmember utility? I seem to be having
trouble with it recognizing group memberships.

Thx, L
 
Ben Samuals said:
Has anyone had trouble using the ifmember utility? I seem to be having
trouble with it recognizing group memberships.

Thx, L

I've never had any problems with it. Explain your "trouble" in more detail,
and give some command-line examples of how you are using it.

Some things to remember:

- You may need to add double quotes around names with spaces:
C:\>IfMember.exe /verbose MYDOMAIN\Domain Users
Group BUILTIN\Users matches list.

C:\>IfMember.exe /verbose "MYDOMAIN\Domain Users"
Group MYDOMAIN\Domain Users matches list.

- You should always specify the source, whether that be:
"%USERDOMAIN%\GroupName"
"%COMPUTERNAME%\GroupName"
"BUILTIN\GroupName"
"NT AUTHORITY\GroupName"

- If you are using "IF ERRORLEVEL" to test the result, remember the result
is true if the value of ERRORLEVEL is equal to *or greater than* the number
you specify. So if ERRORLEVEL is equal to 2, then "IF ERRORLEVEL 1" returns
true. You can get more specific results from "IF %ERRORLEVEL% EQU 1" etc.

- Remember the user's access token is only built when they log in. So if a
user is added to a group after they have logged in, then their access token
does not show they are a member until they log out & log in again.
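
The quoting, source and ERRORLEVEL points above, as an added batch example that is not part of the original post. The group name is a placeholder, and the script assumes that with a single group named, exit code 1 means a match and 0 means no match, as the checks in this thread imply.

```batch
@echo off
setlocal
rem Added example, not from the thread. GROUP is a placeholder name.
set "GROUP=%USERDOMAIN%\Example Group"

rem --- Part 1: IF ERRORLEVEL n means "n or greater" ------------------
rem "cmd /c exit 2" only sets ERRORLEVEL to 2 so this part runs anywhere.
cmd /c exit 2
if errorlevel 1 echo "IF ERRORLEVEL 1" is true although the code is %ERRORLEVEL%
if %ERRORLEVEL% EQU 1 (echo EQU 1 is true) else (echo EQU 1 is false for %ERRORLEVEL%)

rem --- Part 2: gate an action on membership, failing closed ----------
rem Quote the name (it contains a space) and qualify it with its source.
ifmember.exe "%GROUP%"
rem Save the code immediately; any later command may overwrite it.
set "RC=%ERRORLEVEL%"

rem Assumption: with one group named, 1 = member and 0 = not a member.
rem Any other value is treated as a failure. cmd sets 9009 when
rem ifmember.exe is not found, and "IF ERRORLEVEL 1" would accept that.
if "%RC%"=="1" goto member
if "%RC%"=="0" goto notmember
echo Membership check failed with code %RC%; treating as not a member.
goto notmember

:member
echo %USERNAME% is in "%GROUP%".
goto done

:notmember
echo %USERNAME% is not confirmed in "%GROUP%".

:done
endlocal
```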
 
M, some groups it will detect a user id and others it won't. We have a group
called na\fla admins, it will detect my userid there. However, it will not
detect my userid in na\fla-eng...

ifmember "na\fla admins" ; this will list
group na\fla admins matches list...


Larry
 
Ben Samuals said:
M, some groups it will detect a user id and others it won't. We have a group
called na\fla admins, it will detect my userid there. However, it will not
detect my userid in na\fla-eng...

ifmember "na\fla admins" ; this will list
group na\fla admins matches list...


Larry

If you're seeing "group na\fla admins matches list" then I suspect there is
something wrong with the way you are checking for the ERRORLEVEL. If you
want help you need to post more details, including the IF ERRORLEVEL
statements. Copy'n'paste the actual lines, don't retype them.
 
Mar, Here we go.

@echo off

ifmember na\FZRVEW-eng

if not errorlevel 1 goto end

echo Your in!

goto end

:end

echo finished!

I am in the above group but it does not give the correct errorlevel. If I
substitute that group for another, i.e. fzrvew admins, it will work...

Larry
 
Ben Samuals said:
Mar, Here we go.

@echo off

ifmember na\FZRVEW-eng

if not errorlevel 1 goto end

echo Your in!

goto end

:end

echo finished!

I am in the above group but it does not give the correct errorlevel. If I
substitute that group for another, i.e. fzrvew admins, it will work...

Larry


Do some basic troubleshooting, like this:

Ver>NUL
Echo ERRORLEVEL: [%ERRORLEVEL%]
ifmember.exe na\FZRVEW-eng

Echo ERRORLEVEL: [%ERRORLEVEL%]
if %errorlevel% NEQ 1 goto end
 
Is your membership direct or is it nested? I don't believe ifmember will handle nested memberships. With that, you can
check the whoami /groups dump, which will give you your token, or you can try memberof from the free win32 tools page of
www.joeware.net.
 
We use IFMEMBER and find it acceptable. It correctly deduces the membership
of a user in Active Directory whose membership is inherited through nesting,
BUT ONLY when the groups being tested are all Active Directory groups.

When we test for membership in one of our (untrusted) NT4 resource domains,
I believe it works if the user is a direct member. It fails for sure if the
user is a member of an AD group that is in turn a member of a local NT4
group.

I would guess that, when IFMEMBER sees that a group is a WinNT group, it
enquires membership of a WinNT domain controller, which lacks the ability to
process nested AD groups.

One final point: make sure you are using the most recent version.


/Al


Joe Richards said:
Is your membership direct or is it nested? I don't believe ifmember will
handle nested memberships. With that, you can
check the whoami /groups dump, which will give you your token, or you can
try memberof from the free win32 tools page of
 