How do I remove users from all our group in AD

Hi Dusan

That seems to be near enough what I need except it leaves one group other than the Domain users (That I know of)

That group is our Broadcast all staff Group which is our Distribution list for all staff for mass email.  The Group itselfs is set up as a Security type.  I know group mod can only do a 100 groups unless you set the limit to more, but where abouts would i set this limit on what you have written?

Many thanks

dsmod command in this script removes only one user from one group at each pass. You could hit 100 users limit at "dsquery user" command (and you can fix that with "-limit 1000" ) but in that case you would be left with some users that have intact their group membership.

Is any user successfully removed from that group?
Can you check from AD Users GUI "member of" tab for some of the users, is that group still listed?
Can you run cmd "dsquery user" and "dsget user" commands from script manually and see results?
 

I'm only running it as a test on two users at the moment and neither one got removed....All other groups that I added to them users went and they were just left with Domain Users and Broadcast All Staff.

do you get any errors when you run script?

Only cant remove from group but that is concerning groups they are not a part of so i'd expect that?

Only error should be when trying to remove user from Domain Users. Script first checks what groups is user member of, and then removes user from those groups.

can you paste output here?

See below for the code this happens for most groups.....I'm not convinced its searching all the groups within the domain because of how quick it happens

C:\>(dsmod group "CN=Users,CN=Builtin,DC=colchester,DC=ac,DC=uk" -rmmbr "CN=Fleu
r Soards,OU=Data Has Been Archived,OU=Base,OU=Staff,OU=Accounts - Archive,DC=
Home,DC=ac,DC=uk" )
dsmod failed:CN=Users,CN=Builtin,DC=home,DC=co,DC=uk:The specified account
 name is not a member of the local group.:CN=USER NAME,OU=Data Has Been Archi
ved,OU=Base,OU=Staff,OU=Accounts - Archive,DC=Home,DC=co,DC=uk could no
t be removed from the group.
type dsmod /? for help.

By watching the script go thru, I'd say its trying to pull a list of the groups from the domain and then trying to remove the user, instead of actually searching the user first to see what groups they are in??

For /F "delims=*" %%w IN ('dsquery user -desc Archived* "OU=Data Has Been Archived,OU=Base,OU=Staff,OU=Accounts - Archive,DC=Home,DC=co,DC=uk"') DO (
      For /F "delims=*" %%g IN ('dsget user %%w -memberof -expand') DO (
            dsmod group %%g -rmmbr %%w
      )
)

1. Script uses dsquery user to get list of all users from "OU=Data Has ... ... ,DC=uk" with "Archived*" description (check please if I made any typing errors!).
2. First FOR loop goes through that list and for each user lists groups that one particular user is member of ("dsget user" uses -memberof switch to get that list)
3. Second FOR loop goes through that list of groups and removes user using "dsmod group".

I created OU on my domain and added few test users and joined them into random groups, script did its job with no mistake.

Let's troubleshoot each step. First run at cmd prompt:

dsquery user -desc Archived* "OU=Data Has Been Archived,OU=Base,OU=Staff,OU=Accounts - Archive,DC=Home,DC=co,DC=uk"

Do you get list of users you need to process?
 

OK interestingly I've found that another group that is in the same OU as the broadcast all staff dont get removed either.  

I added a group (Itservices) from the same OU that the Broadcast group is in and then run the script, And the two were there, this lead me to think may its that OU that the groups were based in but I then added a third random one from the OU and the script removed it as it should do but still left me with the Broadcast and ITServices...

I'm a step ahead head of you...I can use dsquery User and and pipe that into dsget user -memberof and that shows the groups each member is a part of and works fine

heres another piece of investing

I have 3 groups (BroadcastALL STAFF,ITService,NIS) all in the same OU and two of them dont remove (BroadcastALLStaff and ITServices) but one does (NIS), so I run

Dsquery user "OU=Blah,OU=Blah,DC=Home,DC=co,DC=UK"|dsget user -memberof

that showed exactly what I expected the the groups the users were part of and theres nothing untoward the out except one thing..theres a \ before the names of BroadcastALLSTAFF and ITservices eg:
"CN=\ IT Services,OU=E-Mail Groups and Users

But theres not for the NIS so that outputs as
CN=NIS Team,OU=E-Mail Groups and Users

So I'm guessing its the \ thats stopping them groups from being removed?? Any ideas on how to get round that?

k

If you pick one member, and try to manually remove him from all groups (one group at a time) using
dsmod group "Group...." -rmmbr "User..."

Does it work?

would what be the syntax for that?

for example:

dsmod group "CN=\ IT Services,OU=Blah,OU=Blah,DC=Home,DC=co,DC=UK" -rmmbr "CN=John Doe,OU=Data Has Been Archived,OU=Base,OU=Staff,OU=Accounts - Archive,DC=Home,DC=co,DC=uk"

i get the following error when run for the IT Services or BroadcasALLStaff

dsmod failed:Value for `Target object for this command' has incorrect format.
type dsmod /? for help.

But its successful for NIS

i dont know where the "CN=\ IT Services" is coming from as I would have thought that that should have been "CN=IT Services"

It probably has something to do with way those groups were created (probably by some software that integrates in AD). I'll think about solution for this, but not before tomorrow, it's time to go home :)

What you cant go home!! HAHA no thank you, you're help is appreciated i'll give it some thought also. I've checked the Groups and theres nothing strange about the names etc, and they, well BroadcastALLStaff will have been around since the damn of time, I'll see if theres other groups dating back to then and see if they have the same effect....its def the \ thats missing it up

its a space before the name of the group, at least thats what i think

Fro example the Canonical name of NIS is
Home.co.uk/E-Mail Groups and Users (Exchange)/NIS

Buts for ITServices its

Home.ac.uk/E-Mail Groups and Users (Exchange)/ IT Services

Thus i dont think it likes the space, but i dont know how to get around that? ad we have a few groups like this

If all 'faulty' groups have that same problem, I'll fix it. Just try "dsmod group" command manually without backslash and see if it works that way.

all faulty groups have that issue...some may have more than one space

and if i try to mod group without the \ i get directory object not found

CN=IT Services

instead of CN=\ IT Services

We need to find what works manually. Try all combinations: removing backslash, removing backslash and space, adding one more backslash, adding two backslashes...

works if a space is placed first so CN= IT Services

OK, can you try this please:

SETLOCAL ENABLEDELAYEDEXPANSION
set u=
set w=
set g=
set qwe=
For /F "delims=*" %%w IN ('dsquery user -desc Archived* "OU=Data Has Been Archived,OU=Base,OU=Staff,OU=Accounts - Archive,DC=Home,DC=co,DC=uk"') DO (
      For /F "delims=*" %%g IN ('dsget user %%w -memberof -expand') DO (
        set qwe=%%g
      set qwe=!qwe:\ = !
      dsmod group "!qwe!" -rmmbr %%w
      )
)

got the following error?

dsquery failed:A referral was returned from the server.

did you add the first line: SETLOCAL ENABLEDELAYEDEXPANSION

Copied and pasted exactly what you have there I get two errors

I get
1) dsmod failed:Value for `Target object for this command' has incorrect format.
2) dsmod failed:`-' is an unknown parameter.

1 refers to the \ broadcastallstaff group

and i think 2 refers to a group that is something like ISA - SET PROXY