What's the AD query syntax to enumerate all users for a particular group?

There are several things to consider for this type of query:

1. How many objects is this query likely to return?
2. Do you want to expand on groups that are members of groups?
3. Do you have to handle any "large" groups (greater 1500 members)?

You should always include "(ObjectCategory=person)" if your query will have to search a large database of users. There are several reasons you want to do this. ObjectCategory is an indexed attribute where objectClass is not, this will significantly increase your query speed on large AD databases. Also, using both the objectCategory and objectClass attributes will prevent "contact" objects from being returned in your query.

If your result set is going to return more than 1000 results, you need to be aware of performance issues. In the ADUC GUI there is a 2000 item limit that you can change via the "Options" dialogue, increasing can dramatically slow down your query. If you are going to use VBScript and enumerate over a GetObject result, this will also be VERY VERY slow, for large groups. For the Quest Powershell cmdlets you need to include the "-sizelimit" parameter to override the 1000 item limit:

get-qadgroupmember somegroup -sizelimit 0

If you are using code (VBScript, JScript, .Net) to create a connection object and add a LDAP query to it, you will need to set the ".pageSize" property on the connection object to get a paged result as the default is to not return a paged result, but to limit it to 1000 items. I usually set .pageSize to 1000 as that is the max.

Expanding nested groups is the tricky bit. The simplest way to get nested group info is to use the Quest Powershell cmdlets:

get-qadgroupmember somegroup -indirect -sizelimit 0

From a VBscript/JScript script you can use "GetObject" and enumerate over the members collection, test each member for "user or group" and then recurse into nested groups. This is slow and you shouldn't do it, except as an exercise in VBScript programming.

Ultimately you will probably want to learn to do it via a direct LDAP query. This is accomplished via the LDAP_MATCHING_RULE_IN_CHAIN operator. This operator can be difficult to use, and it can be VERY EXPENSIVE on the DC if you have a deep nesting structure for your groups. The bonus for this method is that for very large groups (over 1500 members by default) you will be able to do a query for users that are a member of the group (even indirectly), rather than retrieving the group and trying to read the member attribute (which has to be handled in a special method for "large" groups. i.e. You get a report of User objects, ratehr than a single group object where you are trying to read a large attrbiute array.

(&(objectCategory=person)(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))

If you are having trouble with "large" groups you can also increase the limit that AD uses when restricting access to the .member attribute.

The third syntax works fine for me in LDP.EXE against one of my domains. I don't normally put the (objectCategory=person) in there, but it works fine with it, too.

What kind of error are you getting back when you try to use that?

I thought the question is to find ALL users of A group and not find whether A user is part of A group ?

if you want to find all members of a group use

dsquery group -name "MyGroup" | dsget group -member

And if you want to find nested members also use

dsquery group -name "MyGroup" | dsget group -member -expand

If there are more than 1000 or 1500 members, dsquery might not provide results in that case use adfind.exe from joeware.net

ADFIND -f "&(objectcategory=group)(cn=MyGroup)" member 

Worked for days to try to produce a script that would pull from a file containing a list of user DN's and parse attributes for them. Came across your site with JFV's response and had a heart attack. Here is the script I produced from JFV's response. Basically, why read from a file when you can pull directly from the group (no error trapping yet)... This script allows me to pull the text file into Excel or other spreadsheet app and deliminate on the pipes. I can do all the sorting I want at that point. Just thought others could gain from my loss. :-(

Dim objGroup

Dim objUser

on error resume next

'Create a file and write headers
Set fs = CreateObject("Scripting.FileSystemObject")

Set f = fs.CreateTextFile ("lastpassword.txt")

f.WriteLine "firstName|initials|lastName|userPrincipalName|physicalDeliveryOfficeName|sAMAccountName|mail|cn|description|mobile|telephoneNumber|physicalDeliveryOfficeName|department|facsimileTelephoneNumber|pager"

'Search for a group name in AD and parse information to a file in pipe delimination

   Set objGroup = Getobject ("LDAP: //CN=groupname,OU=GROUPS,DC=FQDN,DC=FQDN,DC=FQDN")

   For Each objUser In objGroup.Members

      f.WriteLine objUser.firstName & "|" & _

            objUser.initials & ".|" & _

            objUser.lastName & "|" & _

            objUser.userPrincipalName & "|" & _

            objUser.physicalDeliveryOfficeName & "|" & _

            objUser.sAMAccountName & "|" & _

            objUser.mail & "|" & _

            objUser.cn & "|" & _

            objUser.description & "|" & _

            objuser.mobile & "|" & _

            objuser.telephoneNumber & "|" & _

            objuser.physicalDeliveryOfficeName & "|" & _

            objuser.department & "|" & _

            objuser.facsimileTelephoneNumber & "|" & _

            objuser.userAccountControl & "|" & _

            objUser.PasswordLastChanged

   Next

f.close

This can be done most easily in PowerShell with the Quest AD cmdlets -

get-QADGroupMember [groupname]

Then filter and sort!

get-QADGroupMember [groupname] | where {$_.[Property] -like [criteria]} | sort-object

Here is something that I've used via VBScript:

Enumerating Users

   Dim objGroup
   Dim x 

   Set objGroup = Getobject ("LDAP: //CN=LocalGrp,OU=Staff, DC=net, DC=dom")
   For Each x In objGroup.Members
      WScript.Echo x.Class
      WScript.Echo x.Name
      WScript.Echo x.ADsPath
      WScript.Echo x.distinguishedName + vbCrLf
   Next

KAPes, you're answering the question I'm interested in, list all members of group A. However your command example does not work as "member" should be plural, -members. To enumerate all the members of an Active Directory group in a nicely formatted table of login name, display name, and email address (all on one line):

dsget group "CN=Group A,OU=DepartmentB,OU=Users and Groups,DC=my,DC=domain,DC=com" -members | dsget user -samid -display -email

More info: http://technet.microsoft.com/en-us/library/cc755876%28WS.10%29.aspx#BKMK_group