Using Ifmember.exe?
Has anyone had trouble using the ifmember utility? I seem to be having trouble with it recognizing group memberships.
Thx, L
|
I had some hassles with it too - long since abandoned it for Kix.
"Ben Samuals" wrote in message news:O2tHwnDlDHA.1808@TK2MSFTNGP09.phx.gbl...
> Has anyone had trouble using the ifmember utility? I seem to be having
> trouble with it recognizing group memberships.
>
> Thx, L
|
"Ben Samuals" wrote in message news:O2tHwnDlDHA.1808@TK2MSFTNGP09.phx.gbl...
> Has anyone had trouble using the ifmember utility? I seem to be having
> trouble with it recognizing group memberships.
>
> Thx, L
I've never had any problems with it. Explain your "trouble" in more detail, and give some command-line examples of how you are using it.
Some things to remember:
- You may need to add double quotes around names with spaces:
C:\>IfMember.exe /verbose MYDOMAIN\Domain Users
Group BUILTIN\Users matches list.

C:\>IfMember.exe /verbose "MYDOMAIN\Domain Users"
Group MYDOMAIN\Domain Users matches list.
- You should always specify the source, whether that be:
"%USERDOMAIN%\GroupName"
"%COMPUTERNAME%\GroupName"
"BUILTIN\GroupName"
"NT AUTHORITY\GroupName"
- If you are using "IF ERRORLEVEL" to test the result, remember the result is true if the value of ERRORLEVEL is equal to *or greater than* the number you specify. So if ERRORLEVEL is equal to 2, then "IF ERRORLEVEL 1" returns true. You can get more specific results from "IF %ERRORLEVEL% EQU 1" etc.
- Remember the user's access token is only built when they log in. So if a user is added to a group after they have logged in, then their access token does not show they are a member until they log out & log in again.
|
M, some groups it will detect a user id and others it won't. We have a group called na\fla admins, it will detect my userid there. However, it will not detect my userid in na\fla-eng...
ifmember "na\fla admins" ; this will list
group na\fla admins matches list...
Larry
|
"Ben Samuals" wrote in message news:etUelLOlDHA.1808@TK2MSFTNGP09.phx.gbl...
> M, some groups it will detect a user id and others it won't. We have a group
> called na\fla admins, it will detect my userid there. However, it will not
> detect my userid in na\fla-eng...
>
> ifmember "na\fla admins" ; this will list
> group na\fla admins matches list...
>
> Larry
If you're seeing "group na\fla admins matches list" then I suspect there is something wrong with the way you are checking for the ERRORLEVEL. If you want help you need to post more details, including the IF ERRORLEVEL statements. Copy'n'paste the actual lines, don't retype them.
|
Mar, Here we go.
@echo off
ifmember na\FZRVEW-eng
if not errorlevel 1 goto end
echo Your in!
goto end
:end
echo finished!
I am in the above group but it does not give the correct errorlevel. If I substitute that group for another ie. fzrvew admins it will work...
Larry
|
"Ben Samuals" wrote in message news:ObxzlaOlDHA.3312@tk2msftngp13.phx.gbl...
> Mar, Here we go.
>
> @echo off
> ifmember na\FZRVEW-eng
> if not errorlevel 1 goto end
> echo Your in!
> goto end
> :end
> echo finished!
>
> I am in the above group but it does not give the correct errorlevel. If I
> substitute that group for another ie. fzrvew admins it will work...
>
> Larry
Do some basic troubleshooting, like this:
Ver>NUL
Echo ERRORLEVEL: [%ERRORLEVEL%]
ifmember.exe na\FZRVEW-eng
Echo ERRORLEVEL: [%ERRORLEVEL%]
if %errorlevel% NEQ 1 goto end
|
Is your membership direct or is it nested? I don't believe ifmember will handle nested memberships. With that you can check the whoami /groups dump which will give you your token or you can try memberof from the free win32 tools page of www.joeware.net.
-- Joe Richards www.joeware.net
|
We use IFMEMBER and find it acceptable. It correctly deduces the membership of a user in Active Directory whose membership is inherited through nesting, BUT ONLY when the groups being tested are all Active Directory groups.
When we test for membership in one of our (untrusted) NT4 resource domains, I believe it works if the user is a direct member. It fails for sure if the user is a member of an AD group that is in turn a member of a local NT4 group.
I would guess that, when IFMEMBER sees that a group is a WinNT group, it enquires membership of a WinNT domain controller, which lacks the ability to process nested AD groups.
One final point: make sure you are using the most recent version.
/Al
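The checks suggested in this thread (quote the group name, save ERRORLEVEL and compare it numerically, then compare the answer with the token that whoami /groups reports), combined into one batch script. This is an added example, not code from any poster; it assumes IfMember's exit code is the number of listed groups that matched and that the built-in whoami with /fo csv /nh is available, and "Example Group" is a placeholder name.

```batch
@echo off
setlocal
rem Added example, not from the thread. "Example Group" is a placeholder;
rem pass the real DOMAIN\Group name (quoted) as the first argument.
set "GROUP=%~1"
if not defined GROUP set "GROUP=%USERDOMAIN%\Example Group"

rem Reset ERRORLEVEL first, as in the troubleshooting post, then run the check.
rem The name is quoted so a group with spaces is passed as one argument.
ver >nul
ifmember.exe /verbose "%GROUP%"
set "RC=%ERRORLEVEL%"
echo IfMember ERRORLEVEL: [%RC%]

rem 9009 is what cmd.exe sets when the program itself was not found.
rem "IF ERRORLEVEL 1" is true for 1 or anything greater, so it would
rem treat that failure as a successful group match.
if %RC% EQU 9009 (
  echo ifmember.exe was not found on the PATH
  exit /b 2
)

rem Assumption: the exit code is the number of listed groups that matched.
set "IFM=no"
if %RC% GEQ 1 set "IFM=yes"

rem Cross-check against the access token. whoami /groups prints one CSV row
rem per group in the token; the first field is the DOMAIN\Group name.
set "TOK=no"
for /f "tokens=1 delims=," %%G in ('whoami /groups /fo csv /nh') do (
  if /i "%%~G"=="%GROUP%" set "TOK=yes"
)
echo IfMember says: %IFM% / token says: %TOK%

rem A disagreement points at the tool or the name as typed; agreement on
rem "no" points at the token, which is only rebuilt at the next logon.
if "%TOK%"=="yes" if "%IFM%"=="no" echo Mismatch: the token has the group but IfMember did not match it.
if "%TOK%"=="no" if "%IFM%"=="yes" echo Mismatch: IfMember matched but no token row has that exact name.
if "%TOK%"=="no" if "%IFM%"=="no" echo Not in this logon token. Log off and on if the membership is new.

rem Exit 0 only when the token itself contains the group.
if "%TOK%"=="yes" exit /b 0
exit /b 1
```

Run it once per group, for example with "na\fla admins" and then with na\FZRVEW-eng, and compare the two result lines.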