Question

Remove groups from disabled users in AD

Asked by: karlpearson

Hi all,
Just wondering if I am going down the right lines with this batch file that I am working on at the moment. I have been asked by our security team to write a script that will remove all of the groups that a user is a member of based upon the account being disabled. We currently have hundreds of disabled accounts and these users are still members of many groups in AD. It would be nice if we could leave the account being a member of Domain Users, but every other group membership can be removed from the user account. This is what I have so far:
dsquery user -disabled -limit 0 > dis.txt

FOR /F "skip=0 delims=  tokens=1,2,3,4,5" %%A IN (dis.txt) DO set user=%%A
Set User=%user:~1%

DSQUERY GROUP | DSMOD GROUP -C -RMMBR "%user%"

It looks too simple to me to work and it's a little hard to test something like this so I'm really hoping someone out there can help if you have maybe done something similar.
Thanks in advance.


Asked On: 2009-11-04 at 08:16:05 (ID 24871341)
Topics: Windows Batch Scripting, VB Script, MS DOS
Participating Experts: 2
Points: 500
Comments: 8


Answers

 

by: bluntTony, posted on 2009-11-04 at 08:43:25 (ID: 25741191)

The problem with that batch is that you have to type all the disabled accounts into the txt file before running it.

The below VBScript will search your entire domain for all disabled accounts, and remove any groups it is a member of. Bear in mind this will NOT remove the primary group (Domain Users) by default, as the user needs to have at least one primary group. If your primary group is not Domain Users and you want to switch it to this, then this will require further coding.

Run the script via cscript, e.g.

cscript myscript.vbs

...to output a list of the users and groups which will be affected. When you're happy, run it with the following switch:

cscript myscript.vbs /forreal:Y

...this will actually remove the group memberships.

Something as potentially destructive as this I always test first!

Tony

' Pass /forreal:Y to actually remove memberships; anything else is a dry run.
If UCase(WScript.Arguments.Named("forreal")) = "Y" Then forReal = True Else forReal = False

Const ADS_PROPERTY_DELETE = 4

' Bind to the domain and set up an ADO query against the AD provider.
Set oRootDSE = GetObject("LDAP://RootDSE")
Set objConn = CreateObject("ADODB.Connection")
Set objComm = CreateObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objComm.ActiveConnection = objConn
objComm.Properties("Page Size") = 1000   ' paged results, so more than 1000 users come back

' userAccountControl bit 2 (ACCOUNTDISABLE) set = disabled account
strBase   = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & ">;"
strFilter = "(&(objectclass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2));"
strAttrs  = "distinguishedName;"
strScope  = "subtree"

objComm.CommandText = strBase & strFilter & strAttrs & strScope
Set objRS = objComm.Execute

If objRS.RecordCount > 0 Then
	objRS.MoveFirst
	Do Until objRS.EOF
		' A forward slash inside a DN must be escaped in an ADsPath
		Set objUser = GetObject("LDAP://" & Replace(objRS.Fields("distinguishedName").Value, "/", "\/"))
		' memberOf holds direct memberships only; the primary group is not listed, so it is never touched
		If Not IsEmpty(objUser.memberOf) Then
			For Each memberOf In objUser.GetEx("memberOf")
				Set objGroup = GetObject("LDAP://" & Replace(memberOf, "/", "\/"))
				If forReal Then
					WScript.Echo "FOR REAL!!: REMOVING USER: " & objUser.sAMAccountName & " FROM GROUP: " & objGroup.sAMAccountName
					' Remove the user's DN from the group's member attribute and commit
					objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(objUser.Get("distinguishedName"))
					objGroup.SetInfo
				Else
					WScript.Echo "DRY RUN: REMOVE USER: " & objUser.sAMAccountName & " FROM GROUP: " & objGroup.sAMAccountName
				End If
			Next
		End If
		objRS.MoveNext
	Loop
End If

Set oRootDSE = Nothing
Set objConn = Nothing
Set objComm = Nothing
Set objUser = Nothing


 

by: karlpearson, posted on 2009-11-04 at 09:10:23 (ID: 25741510)

Thanks for the quick reply bluntTony, but the command "dsquery user -disabled -limit 0 > dis.txt" at the top of the batch file should output all disabled users to the text file that is used by the next line down, and so I should not need to enter the users manually as far as I am aware. My only reason for looking at DOS rather than VB was because my VB skills are quite limited, and whilst I would expect your script to work fine, making changes to it if needed will not be as easy for me. I will however try it out on some of the older OUs that we have set up for accounts that have been disabled for a couple of years and hence don't matter too much.

 

by: Psy053, posted on 2009-11-04 at 16:51:22 (ID: 25745829)

I think you would need the script to be more like that in the code snippet below.

However, I still think that it's a bit clunky in the way that it checks every group for the particular user, before removing them.

@Echo Off
REM disabled.txt is the output of the first line of the original batch: dsquery user -disabled -limit 0 > disabled.txt
REM tokens=* with an empty delims passes the whole line (the quoted DN) as one argument,
REM so DNs containing spaces are not split. delims= must be the last option in the string.
FOR /F "tokens=* delims=" %%A IN (disabled.txt) DO call :Function %%A
Goto :EOF

:Function
REM %1 is the DN in quotes as dsquery printed it; strip the surrounding quotes
Set User=%1
Set User=%User:~1,-1%
REM -limit 0 lifts dsquery's default cap of 100 results; -c makes dsmod carry on after errors
DSQUERY GROUP -limit 0 | DSMOD GROUP -C -RMMBR "%User%"
Goto :EOF


 

by: bluntTony, posted on 2009-11-05 at 01:24:06 (ID: 25747819)

Sorry I missed the first line in your original post.

I do agree with psy053 that this is a bit inefficient, especially if you have a large domain. The VBS script is more efficient as it targets only those groups in the users' memberof lists.

The equivalent of this using batch would be to use a generic dsquery with an LDAP filter which targets only those groups that it needs to. I have plugged this into psy053's batch above. I have also added an argument so you can target a specific OU. The default search scope is subtree so it will look in sub-OUs too. Call it like:

remove.bat "OU=User,DC=domain,DC=local"

(to search the whole domain, just use 'DC=domain,DC=local')

@echo off
REM %1 is the search base DN, e.g. "OU=Users,DC=domain,DC=local"; without it there is nothing to query
if "%~1"=="" (
    echo Usage: %~nx0 "OU=User,DC=domain,DC=local"
    goto :EOF
)
REM %~1 strips the caller's quotes so the DN is not double-quoted when re-quoted here
dsquery user "%~1" -disabled -limit 0 > disabled.txt
REM tokens=* with an empty delims keeps a DN containing spaces on one token
FOR /F "tokens=* delims=" %%A IN (disabled.txt) DO call :Function %%A
Goto :EOF

:Function
Set User=%1
Set User=%User:~1,-1%
REM Only groups that list this user as a direct member; the primary group (Domain Users) has no
REM member entry and is left alone. A DN containing ( ) * or \ would need LDAP filter escaping.
REM -limit 0 lifts dsquery's default cap of 100 results.
dsquery * domainroot -filter "(&(objectClass=group)(member=%user%))" -limit 0 | DSMOD GROUP -C -RMMBR "%user%"
Goto :EOF

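As an added example (not code from this thread), here is the same dry-run-then-apply workflow from both of bluntTony's answers written in PowerShell with the RSAT ActiveDirectory module: -WhatIf plays the role of the dry run, the LDAP filter is the one from the VBScript, and the SearchBase parameter mirrors the OU argument of remove.bat. The script name, the KeepGroups parameter and the log path are my assumptions.

```powershell
<#
Added example, not the thread's own code. Assumes the ActiveDirectory module is installed
and the caller is allowed to change group membership.
Dry run:  .\Remove-DisabledUserGroups.ps1 -SearchBase "OU=Users,DC=domain,DC=local" -WhatIf
For real: .\Remove-DisabledUserGroups.ps1 -SearchBase "OU=Users,DC=domain,DC=local"
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Search base, like the OU argument to remove.bat; empty means the whole domain
    [string]$SearchBase,
    # Groups to leave alone even on disabled accounts (hypothetical parameter)
    [string[]]$KeepGroups = @(),
    # Tab-separated audit log of every removal (hypothetical path)
    [string]$LogPath = "$PSScriptRoot\removed-memberships.log"
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# Same filter as the VBScript: userAccountControl bit 2 (ACCOUNTDISABLE) is set
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$disabled = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree -Properties memberOf

foreach ($user in $disabled) {
    # memberOf lists direct memberships only; the primary group (normally Domain Users)
    # is not in it, so it is never removed, as in the VBScript answer
    foreach ($groupDn in $user.memberOf) {
        try {
            $group = Get-ADGroup -Identity $groupDn -ErrorAction Stop
        } catch {
            Write-Warning "Cannot bind to $groupDn (other domain or deleted?): $_"
            continue
        }
        if ($KeepGroups -contains $group.SamAccountName) { continue }

        # Under -WhatIf ShouldProcess only reports what would happen; otherwise it removes
        $target = "$($user.SamAccountName) from $($group.SamAccountName)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove group membership')) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            Add-Content -Path $LogPath -Value ("{0}`t{1}`t{2}" -f (Get-Date -Format o),
                $user.DistinguishedName, $group.DistinguishedName)
        }
    }
}
```

The log written on the live run is what you hand back to the security team; on the -WhatIf run nothing is written and each planned removal is printed as a "What if:" line.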

 

by: karlpearson, posted on 2009-11-06 at 03:37:21 (ID: 25758254)

Cheers guys for the replies, sorry it's been a while in replying. bluntTony, should line 2 have the "%1" in there, as I cannot get it to run like this?

 

by: Psy053, posted on 2009-11-06 at 04:32:24 (ID: 25758531)

Just get rid of it and you should be good to go.

 

by: Psy053, posted on 2009-11-06 at 04:42:50 (ID: 25758595)

Just for reference, bluntTony put in the option to search specific OUs, which is very handy, especially if you have a large environment.

The reason the script was failing was probably because you didn't run the batch file with the minimum required parameter, which as bluntTony said is:
remove.bat "DC=domain,DC=local"

 

by: karlpearson, posted on 2009-11-06 at 04:48:09 (ID: 31650042)

Thanks a lot for your help guys
