bsharath
asked on
Remove a user from all the groups in the file
Hi,
I have a user who is a member of 30 groups. I just want to remove 15 groups in which he is a member. Is there a script from which I can do this?
regards
Sharath
ASKER
What I want is to remove some groups which are in the file from the user....
Trying to better understand you: you're trying to remove the permissions of one user from file securities that are set by groups to which the user is a member? Or remove 15 groups from file security?
Sorry, I do not understand this part: "remove some groups which are in the file from the user"
could you explain differently please.
thanks
zf
ASKER
Every user is a member of some groups.
When we go to Outlook and type a mail ID and go to properties, in the "member of" property we can see all the groups a user is a member of. Now I have a user who is a member of many mailing groups. I want to remove some groups he is a member of. I have all the group names in a file.
Need a script to search a user for all the groups he is a member of and remove those groups.
THX
Sharath
Gotcha,
I can try to script that for you but would need a sample of the file.
zf
ASKER
The txt file where I have the groups would look like this.
India_ Group1
India-group2
indiagroup3
Can you copy and paste a portion of the file please?
zf
ASKER
This is what is there in the file.
l2.1_build
l2.2_build
le2_build
1_support
2.5_Galaxy
PMO_P1W
Priority List
Release
India_ Group1
India-group2
indiagroup3
Well.. Umm.. Ok, and this is a list of group names, or user names, or both? Realize you're looking at these knowing what they are; I will be very hard pressed to create a script that will scan a file and edit it without knowing what I'm looking at and what I'm looking for.
ex:
User1,group1,group2,group3,group4,group5
User2,group1,group2,group3,group4,group5
User3,group1,group2,group3,group4,group5
User4,group1,group2,group3,group4,group5
or
User1:
group1
group2
group3
group4
group5
User2:
group1
group2
group3
group4
group5
The structure of the file is vital to being capable of scripting an editor for it.
zf
Every character in the file makes a difference. Like importing a comma-delimited txt file into Excel: Excel knows to break the parts up by the delimiter, the comma. Line spacing, tab spacing, delimiter etc., it all matters.
zf
ASKER
The script has to give me an option of entering the user name.
Say when the script asks me to enter the name I shall enter "Sharath".
So what should happen is all the groups that are there in the txt file should be removed from the user "Sharath".
ASKER
The script has to query the Active Directory and remove the groups from the user's "member of".
Yes, I agree as well as what group names you want to remove the user from. But once given that information the script must know how the file is laid out in order to search and edit it.
zf
ASKER
I think we have both been confused.
I want to remove all the groups for which a user is a member from the ADS...
I see this now!! lol
zf
Give me some time, I'll see what I can do.
Just so I understand (I think I do now): you have a text file with a list of groups, you need to enter a username, scan AD for the user, retrieve a list of groups that they are a member of and remove membership from the groups in the list?
zf
Are these security groups or distribution lists?
zf
ASKER
They are Distribution groups...
ASKER
Yes, you are correct...
OK, sorry for the mix-up, give me some time, I'll work on it.
zf
Hi bsharath,
Having misunderstood you initially and now realizing what you need, I believe this to be a bit outside what I feel I could do with the utmost confidence. Scripting this in AD changes the scenario completely as you need to deal with nested group membership,
IE
user1 is a member of grp1 grp2 grp grp4
grp4 is a member of grp6 grp9 grp12
grp9 is a member of grp5 grp8
and grp8 is where the user needs to be removed from.
This would need to be tested all the way through to find every group the user is a member of and every group that group is a member of etc. etc. (group inheritance) until all the possibilities were exhausted.
I would not feel comfortable doing this as one slip could easily corrupt your ADdb as well as possibly create havoc with your domain share permissions and security. I apologize for not being able to help after all this but hope that you respect and understand my position.
My apologies,
zf
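An added example, not part of the original thread: it models the nested-membership case from the post above on constructed data and sorts each requested group into "direct" (removing the user's own entry ends the membership), "inherited" (the user is in only through nesting, with the chain shown) or "not a member". The function and variable names are hypothetical, and the dictionaries stand in for the `memberOf` data a real run would read from AD.

```python
from collections import deque

# Constructed sample data, following the grp example in the post above:
# key = group, value = the groups it is itself a direct member of.
GROUP_MEMBER_OF = {
    "grp4": ["grp6", "grp9", "grp12"],
    "grp9": ["grp5", "grp8"],
}
USER_DIRECT = ["grp1", "grp2", "grp", "grp4"]  # user1's direct memberships


def membership_paths(direct, group_member_of):
    """Map every group the user effectively belongs to onto the shortest
    chain leading to it from a direct membership (breadth-first)."""
    paths = {g: [g] for g in direct}
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for parent in group_member_of.get(group, []):
            if parent not in paths:  # visited check also stops nesting loops
                paths[parent] = paths[group] + [parent]
                queue.append(parent)
    return paths


def plan_removal(direct, group_member_of, wanted):
    """Sort the requested names into direct / inherited / not_member."""
    paths = membership_paths(direct, group_member_of)
    by_lower = {g.lower(): g for g in paths}  # match names case-insensitively
    plan = {"direct": [], "inherited": {}, "not_member": []}
    for raw in wanted:
        name = raw.strip()
        if not name:
            continue  # skip blank lines from the group file
        group = by_lower.get(name.lower())
        if group is None:
            plan["not_member"].append(name)
        elif len(paths[group]) == 1:
            plan["direct"].append(group)
        else:
            # Deleting the user from this group's member list changes nothing;
            # the chain shows which link would have to be cut instead.
            plan["inherited"][group] = paths[group]
    return plan


if __name__ == "__main__":
    print(plan_removal(USER_DIRECT, GROUP_MEMBER_OF, ["grp1", "GRP8", "grp7", ""]))
```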
ASKER
No problem thanks for the help...
I think this should work but I don't have access to AD to test it.
Const ADS_PROPERTY_DELETE = 4
Dim objFSO:Set objFSO=CreateObject("Scripting.FileSystemObject")
' Read the group names, one per line
arrFile=Split(objFSO.OpenTextFile("C:\Groups.txt").ReadAll,vbCrLf)
dim groupPath
dim userDN
StrUsr = InputBox("Please input username")
' The member attribute holds plain distinguished names, without the LDAP:// prefix
userDN = "cn=" & StrUsr & ",cn=users,dc=%YOURDOMAIM%,dc=co,dc=uk"
For each Grp in arrFile
  ' Skip blank lines (for example a trailing line break at the end of the file)
  If Trim(Grp) <> "" Then
    groupPath = "LDAP://cn=" & Trim(Grp) & ",cn=users,dc=%YOURDOMAIM%,dc=co,dc=uk"
    removeFromGroup userDN,groupPath
  End If
Next
sub removeFromGroup(userDN, groupPath)
  dim objGroup
  set objGroup = getobject(groupPath)
  ' Delete only this one value from the multi-valued member attribute
  objGroup.PutEx ADS_PROPERTY_DELETE, _
    "member",Array(userDN)
  objGroup.SetInfo
end sub
Obviously change the container names and domain.
:: * This script requires "Groups.txt" file on C: drive root from where it will pick group names.
:: * You need to set 'UserNTID' variable's value to the user's NT Login ID.
:: Like:
:: SET UserNTID=FKazi
::
:: * Successful run will generate "GroupReport.txt" file on C: drive root.
:: * Copy and paste following script in notepad and save it with any name having .cmd extension.
:: *** SCRIPT START ***
@Echo Off
SETLOCAL EnableDelayedExpansion
SET UserNTID=FKazi
:: Stop if the group list is missing or empty
IF NOT EXIST C:\Groups.txt Goto ShowErr
FOR %%R IN (C:\Groups.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\GroupReport.txt DEL /F /Q C:\GroupReport.txt
:: Look up the user's DN; the trailing * matches any logon ID that starts with UserNTID
DSQuery User -SAMID "%UserNTID%*" | Find /I "CN=">C:\TmpUID.txt
IF ERRORLEVEL 1 Echo User '%UserNTID%' Not Found. && Goto :EndScript
:: SET /P reads only the first line of the lookup result
SET /P UserCN=<C:\TmpUID.txt
:: For each line of Groups.txt, remove the user from every group whose name starts with that line
FOR /F "delims=#" %%g IN ('Type C:\Groups.txt') Do (
    Echo Processing: %%g
    DSQuery Group -Name "%%g*" | DSMod Group -RmMbr %UserCN% >>C:\GroupReport.txt 2>NUL
)
Goto EndScript
:ShowErr
Echo "C:\Groups.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\TmpUID.txt DEL /F /Q C:\TmpUID.txt
ENDLOCAL
:: *** SCRIPT END ***
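An added example, not part of the original thread: the script above searches with `-Name "%%g*"`, so each line of Groups.txt acts as a prefix filter. This pre-flight check shows, on constructed data, which groups a line matches exactly and which extra groups only the trailing wildcard would pull in. The directory list and function names are hypothetical; the file entries reuse names from the thread.

```python
# Constructed sample data: lines as they could appear in C:\Groups.txt
# (blank line, trailing space and a case-variant duplicate included on
# purpose) and a hypothetical list of group CNs present in the directory.
GROUPS_TXT = "Release\r\nPriority List\r\n\r\n1_support \r\nrelease\r\n"
DIRECTORY_GROUPS = ["Release", "Release_Managers", "Priority List",
                    "1_support", "1_support_admins", "PMO_P1W"]


def read_group_names(text):
    """Trim each line, drop blanks, drop case-insensitive duplicates."""
    seen, names = set(), []
    for line in text.splitlines():
        name = line.strip()
        if name and name.lower() not in seen:
            seen.add(name.lower())
            names.append(name)
    return names


def prefix_matches(name, directory):
    """What a `name*` filter selects: every CN that starts with name."""
    return [g for g in directory if g.lower().startswith(name.lower())]


def preflight(text, directory):
    """Per requested name: the exact group, plus any extra groups that
    only the trailing wildcard would select."""
    report = {}
    for name in read_group_names(text):
        hits = prefix_matches(name, directory)
        exact = [g for g in hits if g.lower() == name.lower()]
        extra = [g for g in hits if g not in exact]
        report[name] = {"exact": exact, "extra": extra}
    return report


if __name__ == "__main__":
    for name, result in preflight(GROUPS_TXT, DIRECTORY_GROUPS).items():
        flag = "REVIEW" if result["extra"] or not result["exact"] else "ok"
        print(f"{flag:6} {name!r}: exact={result['exact']} extra={result['extra']}")
```

Any entry with a non-empty "extra" list, or with no exact match, is one to review before the removal is run for real.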
ASKER
Thanks, this worked. Can we specify the CN and OUs in this script? As some of the groups are in a different trusted domain.
It's removing all groups from the DC but not from the Main DC.
ASKER
farhankazi
Thanks a lot. Hereafter please add this OU structure in all ADS scripts I post.
Thanks a lot again...
http://www.cruto.com/resources/vbscript/vbscript-examples/ds/local/groups/Delete-a-User-from-a-Local-Group.asp
and two
http://msdn2.microsoft.com/en-us/library/aa772133.aspx
If you need help getting them to work let me know.
zf