Interesting problem. First, I don't see any way to query directly for groups
that have members that are groups. I see no better method than binding to
each group, then binding to each member in the group to check if the member
is a group, etc. This is a lot of binding, but seems unavoidable. With so
many groups, the task can take awhile.

Next, group nesting can be tricky. For example if I have this situation:

Group Members
------- ---------
Parish School (group)
BFranklin (user)

School TestUser (user)
Grade8 (group)

Grade8 JSmith (user)

If I consider the groups in this order and replace each member that is a
group by it's direct user members, the result is:

Group Members
------- ---------
Parish TestUser (user)
BFranklin (user)

School TestUser (user)
JSmith (user)

Grade8 JSmith (user)

However, this is not equivalent. In the original situation, user JSmith has
all permissions assigned to group Parish (due to nesting). This is not
reflected in the second situation. The program needs to work through the
group nesting to fix this. The result should be:

Group Members
------- ---------
Parish TestUser (user)
JSmith (user)
BFranklin (user)

School TestUser (user)
JSmith (user)

Grade8 JSmith (user)

However, if in the original situation we made group Parish a member of
Grade8, we would have circular nested groups. This can happen (especially if
people are adding groups to groups willy nilly), but can cause an infinite
loop if you don't account for it.

My solution, which worked in my testing, follows. I have commented out the
statements that actually modify group membership, so the script can be run
to see what it will do. In my case (admittedly convoluted to demonstrate the
complications), the script made some users members of groups repeatedly.
However, if the script is run with the Add and Remove statements this will
not happen, because the script first checks if a user is already a member
before adding them to the group.

Finally, you should only run this on selected OU's, as you suggest.
Otherwise, you might remove "Domain Users" from group "Users", and remove
"Domain Guests" from "Guests". Also, this program is blind to "primary"
group membership. If someone has made "Domain Users" a member of a group,
this will be removed, but the members of "Domain Users" will not be added to
the group. You may want to document what happens when this runs so you can
track possible problems that arise. Watch for line wrapping.
===================
Option Explicit

Dim adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, objGroup

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search selected OU.
strBase = "<LDAP://ou=Groups,ou=South,dc=test,dc=Local>"

' Search for all groups in selected OU.
strFilter = "(objectCategory=group)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
' Bind to the group.
Set objGroup = GetObject("LDAP://" & strDN)
' Evaluate membership.
Call RemoveNestedGroups(objGroup)
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

Function GetClass(objMember)
' Function to determine class of object.
Dim strClass

strClass = UCase(Left(objMember.objectCategory, 9))
Select Case strClass
Case "CN=PERSON"
GetClass = "PERSON"
Case "CN=GROUP,"
GetClass = "GROUP"
Case Else
GetClass = "OTHER"
End Select
End Function

Sub RemoveNestedGroups(objGroup)
' Subroutine to evaluate members of a group
' and remove nested groups.

Dim objMember, strClass

' Enumerate direct members.
For Each objMember In objGroup.Members
' Check if any direct members are nested groups.
strClass = GetClass(objMember)
If (strClass = "GROUP") Then
' Enumerate members of this nested group and make
' users members of the parent group.
Call GetMembers(objMember, objGroup)
' Remove nested group.
Wscript.Echo "Remove group " & objMember.sAMAccountName _
& " from group " & objGroup.sAMAccountName
' objGroup.Remove(objMember.AdsPath)
End If
Next

End Sub

Sub GetMembers(objGroup, objParent)
' Subroutine to determine nested user members of a group and make
' them members of the parent group.
Dim objNestedMember, strNestedClass

' Exit if circular nested group detected.
If (objGroup.sAMAccountName = objParent.sAMAccountName) Then
Wscript.Echo "Circular nested groups"
Exit Sub
End If

For Each objNestedMember In objGroup.Members
' Check if any members are users.
strNestedClass = GetClass(objNestedMember)
If (strNestedClass = "PERSON") Then
If (objParent.IsMember(objNestedMember.AdsPath) = False) Then
Wscript.Echo "Add User " & objNestedMember.sAMAccountName _
& " to group " & objParent.sAMAccountName
' objParent.Add(objNestedMember.AdsPath)
End If
End If
' Check if any members are groups.
If (strNestedClass = "GROUP") Then
' Enumerate nested members of this group and make them
' members of the parent group.
Wscript.Echo "Call GetMembers(" & objNestedMember.sAMAccountName
_
& ", " & objParent.sAMAccountName & ")"
Call GetMembers(objNestedMember, objParent)
End If
Next
End Sub
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--