When you create a user in AD, assign a login script that does something based on the memberOf attribute, and put that user in only one group, you will run into a strange situation.

The user is a member of the group and has all the privileges, and Windows sees them, but the logon VBS script does not seem to work. When you implement

On Error Resume Next

in your script you won’t get any error output.

But the problem is with the memberOf attribute itself:

According to http://www.rlmueller.net/MemberOf.htm, if memberOf has only one group (apart from the primary group) it is stored as a String and not as a Variant(). VBS “For Each” expects an array, and when it finds a String it raises an error. When you have On Error Resume Next in your VBS (like me), you won’t get any errors.

My simple fix for this error was assigning every user a second group; thus, when you added the proper group to the user, VBS scripts saw 2 groups and returned Variant() instead of String :)

The link above provides a deep explanation of that behaviour and some fixes for it.

Very good reading.
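The type problem described above can also be handled in the script itself. This is an added example, not code from the original post or the linked page; the function names `ToGroupArray` and `IsMemberOf` and the group DNs are hypothetical, and the sample values are constructed so the script runs without a domain.

```vbscript
Option Explicit

' Normalise a memberOf value to an array, whatever type came back:
' Empty (no groups), String (exactly one group) or Variant() (two or more).
Function ToGroupArray(varMemberOf)
    If IsEmpty(varMemberOf) Or IsNull(varMemberOf) Then
        ToGroupArray = Array()
    ElseIf IsArray(varMemberOf) Then
        ToGroupArray = varMemberOf
    Else
        ToGroupArray = Array(CStr(varMemberOf))
    End If
End Function

' True if strGroupDN is listed in the memberOf value.
' Distinguished names are compared case-insensitively.
Function IsMemberOf(varMemberOf, strGroupDN)
    Dim strDN
    IsMemberOf = False
    For Each strDN In ToGroupArray(varMemberOf)
        If StrComp(strDN, strGroupDN, vbTextCompare) = 0 Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function

' Constructed sample values standing in for objUser.memberOf (hypothetical DNs).
' In a real logon script the value would come from, for example:
'   Set objUser = GetObject("LDAP://" & CreateObject("ADSystemInfo").UserName)
'   varGroups = objUser.memberOf
Const SALES = "CN=Sales,OU=Groups,DC=example,DC=com"
Dim varNone, varOne, varTwo
varOne = SALES
varTwo = Array("CN=Staff,OU=Groups,DC=example,DC=com", SALES)

WScript.Echo "no groups : " & IsMemberOf(varNone, SALES)
WScript.Echo "one group : " & IsMemberOf(varOne, SALES)
WScript.Echo "two groups: " & IsMemberOf(varTwo, SALES)
```

Because every case is normalised before the loop, the script needs no On Error Resume Next around the group check, so a genuine failure is reported instead of silently skipping the logic.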

 
