bsharath

Remove a user from all the groups in the file

Hi,

I have a user who is a member of 30 groups. I just want to remove 15 groups in which he is a member. Is there a script with which I can do this?

regards
Sharath
zoofan

ASKER

What I want is to remove some groups which are in the file from the user....
Trying to better understand you: you're trying to remove the permissions of one user from file securities that are set by groups of which the user is a member? Or remove 15 groups from file security?

Sorry, I do not understand this part: "remove some groups which are in the file from the user"

Could you explain differently please?

thanks
zf
Every user is a member of some groups.
When we go to Outlook, type a mail ID and go to Properties, in the Member Of property we can see all the groups a user is a member of. Now I have a user who is a member of many mailing groups. I want to remove some of the groups he is a member of. I have all the group names in a file.
I need a script to search a user for all the groups he is a member of and remove those groups.

THX
Sharath
Gotcha,

I can try to script that for you but would need a sample of the file.


zf
The txt file where I have the groups would look like this.

India_ Group1
India-group2
indiagroup3
Can you copy and paste a portion of the file please?

zf
This is what is there in the file.
l2.1_build
l2.2_build
le2_build
1_support
2.5_Galaxy
PMO_P1W
Priority List
Release
India_ Group1
India-group2
indiagroup3
Well.. Umm.. OK, and is this a list of group names, or user names, or both? Realize you're looking at these knowing what they are; I will be very hard pressed to create a script that will scan a file and edit it without knowing what I'm looking at and what I'm looking for.


ex:

User1,group1,group2,group3,group4,group5
User2,group1,group2,group3,group4,group5
User3,group1,group2,group3,group4,group5
User4,group1,group2,group3,group4,group5

or

User1:
group1
group2
group3
group4
group5

User2:
group1
group2
group3
group4
group5


The structure of the file is vital to being capable of scripting an editor for it.

zf
Every character in the file makes a difference. It is like importing a comma-delimited txt file into Excel: Excel knows to break the parts up by the delimiter, the comma. Line spacing, tab spacing, delimiter etc., it all matters.

zf
The script has to give me an option of entering the user name.
Say when the script asks me to enter the name, I shall enter "Sharath".
So what should happen is all the groups that are there in the txt file should be removed from the user "Sharath".
The script has to query the Active Directory and remove the groups from the user's Member Of.
Yes, I agree, as well as what group names you want to remove the user from. But once given that information, the script must know how the file is laid out in order to search and edit it.

zf
I think we have both been confused.

I want to remove all the groups for which a user is a member from the ADS...
I see this now!!  lol

zf
Give me some time, I'll see what I can do.

Just so I understand (I think I do now): you have a text file with a list of groups, you need to enter a username, scan AD for the user, retrieve a list of groups that they are a member of, and remove membership from the groups in the list?


zf
Are these security groups or distribution lists?

zf
They are Distribution groups...
Yes, you are correct...
OK, sorry for the mix-up, give me some time, I'll work on it.

zf
Hi bsharath,

Having misunderstood you initially and now realizing what you need, I believe this to be a bit outside what I feel I could do with the utmost confidence. Scripting this in AD changes the scenario completely, as you need to deal with nested group membership,

IE
user1 is a member of grp1 grp2 grp grp4

grp4 is a member of grp6 grp9 grp12

grp9 is a member of grp5 grp8

and grp8 is where the user needs to be removed from.

This would need to be tested all the way through to find every group the user is a member of, and every group that group is a member of, etc. (group inheritance), until all the possibilities were exhausted.

I would not feel comfortable doing this, as one slip could easily corrupt your ADdb as well as possibly create havoc with your domain share permissions and security. I apologize for not being able to help after all this, but hope that you respect and understand my position.


My apologies,

zf
No problem, thanks for the help...
Admin4XP

I think this should work, but I don't have access to AD to test it.

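Const ADS_PROPERTY_DELETE = 4 ' ADSI PutEx control code: delete the listed values

Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
' Groups.txt holds one group name per line
arrFile = Split(objFSO.OpenTextFile("C:\Groups.txt").ReadAll, vbCrLf)

Dim groupPath
Dim userDN
StrUsr = InputBox("Please input username")
' The member attribute stores distinguished names, so no LDAP:// prefix here
userDN = "cn=" & StrUsr & ",cn=users,dc=%YOURDOMAIN%,dc=co,dc=uk"

For Each Grp In arrFile
      If Trim(Grp) <> "" Then ' skip blank lines in the file
            groupPath = "LDAP://cn=" & Trim(Grp) & ",cn=users,dc=%YOURDOMAIN%,dc=co,dc=uk"
            removeFromGroup userDN, groupPath
      End If
Next

Sub removeFromGroup(userDN, groupPath)
      Dim objGroup
      Set objGroup = GetObject(groupPath)

      ' Delete only this user's DN from the group's member attribute
      objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(userDN)
      objGroup.SetInfo
End Sub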

Obviously change the container names and domain.
:: * This script requires a "Groups.txt" file in the root of the C: drive, from which it will pick group names.
:: * You need to set the 'UserNTID' variable's value to the user's NT Login ID.
::   Like:
::        SET UserNTID=FKazi
::
:: * A successful run will generate a "GroupReport.txt" file in the root of the C: drive.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: *** SCRIPT START ***

@Echo Off
SETLOCAL EnableDelayedExpansion

SET UserNTID=FKazi

IF NOT EXIST C:\Groups.txt Goto ShowErr
FOR %%R IN (C:\Groups.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\GroupReport.txt DEL /F /Q C:\GroupReport.txt

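:: The trailing * makes this a prefix match on the logon ID; SET /P keeps only the first DN returned.
DSQuery User -SAMID "%UserNTID%*" | Find /I "CN=">C:\TmpUID.txt
IF ERRORLEVEL 1 Echo User '%UserNTID%' Not Found. && Goto :EndScript
SET /P UserCN=<C:\TmpUID.txt

:: Each line of Groups.txt is also used as a prefix ("name*"), so every group whose name starts with it is modified.
FOR /F "delims=#" %%g IN ('Type C:\Groups.txt') Do (
      Echo Processing: %%g
      DSQuery Group -Name "%%g*" | DSMod Group -RmMbr %UserCN% >>C:\GroupReport.txt 2>NUL
)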
Goto EndScript
:ShowErr
Echo "C:\Groups.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\TmpUID.txt DEL /F /Q C:\TmpUID.txt
ENDLOCAL
:: *** SCRIPT END ***
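An added example, not part of the thread or any poster's code: a dry-run planner in Python that ties together the nesting zoofan describes and the `"%%g*"` prefix lookup in the batch script above. It runs on a constructed in-memory model (group names from the thread, plus a constructed "Release Managers" group) and reports, per listed name, whether the user is a direct member, reaches the group only through nesting, and which other groups a trailing-wildcard lookup would also select; a removal only edits the group's own member list.

```python
# Added example: dry-run planner over a constructed, in-memory directory model.
# MEMBERS maps each group to its own direct members (users or groups).
MEMBERS = {
    "grp1": {"user1"}, "grp2": {"user1"}, "grp4": {"user1"},
    "grp6": {"grp4"}, "grp9": {"grp4"}, "grp12": {"grp4"},
    "grp5": {"grp9"}, "grp8": {"grp9"},
    "Release": {"user1"}, "Release Managers": {"user1"},
}


def nested_path(user, target, members=MEMBERS):
    """Return a chain [user, ..., target] through group nesting, or None."""
    stack, seen = [[user]], {user}
    while stack:
        path = stack.pop()
        for group, direct in members.items():
            if path[-1] in direct and group not in seen:
                if group == target:
                    return path + [group]
                seen.add(group)
                stack.append(path + [group])
    return None


def plan(user, wanted, members=MEMBERS):
    """Classify each requested group name; nothing is modified."""
    by_name = {g.lower(): g for g in members}  # names compare case-insensitively
    report = {}
    for raw in wanted:
        name = raw.strip()
        if not name:
            continue  # blank line in the list file
        group = by_name.get(name.lower())  # exact match only
        # Other groups a trailing-wildcard lookup ("name*") would also select
        extra = sorted(g for g in members
                       if g.lower().startswith(name.lower()) and g != group)
        if group is None:
            status = "no-such-group"
        elif user in members[group]:
            status = "remove"  # user is in the group's own member list
        else:
            path = nested_path(user, group, members)
            status = "nested-via:" + ">".join(path[1:-1]) if path else "not-a-member"
        report[name] = (status, extra)
    return report


if __name__ == "__main__":
    for name, result in plan("user1", ["grp8", "grp1", "Release"]).items():
        print(name, result)
```

Reviewing a report like this before any change shows which listed names are safe exact matches and which memberships would survive the removal through a parent group.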
Thanks, this worked. Can we specify the CN and OUs in this script? Some of the groups are in a different trusted domain.

It's removing all groups from the DC but not from the main DC.
ASKER CERTIFIED SOLUTION
Farhan Kazi
farhankazi
Thanks a lot. Hereafter, please add this OU structure in all ADS scripts I post.

Thanks a lot again...