  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 645

Remove user from Domain Guest group

I am not happy at this point. I have a user that I added to the Domain Admins group. He is the president of the company so I did what he asked.
I knew it was a mistake. He added the Domain Admins to the Domain Guests group. He neglected to tell me this. He just said, "Hmm, the CRM just stopped working." Well, that was the first symptom of what was going on. When I log in, I get Access Denied errors when I access Active Directory. I can't even look at any of the accounts. I used the trusty showgrps.exe and, lo and behold, administrator is a member of the Domain admin. Right now I am looking at having to rebuild this server or remove AD from the domain and rebuild it from scratch, since I didn't have a backup since I am just getting this server up and running.
My question is this. Is there a script or command that will remove an account from a certain group? Maybe in safe mode or AD restore mode?

The worst-case scenario is to rebuild this server, Exchange, SQL, and the CRM. I can say goodbye to my weekend. Can I punch the president in the face? Maybe I should let him do this work. Leave some nice words on the whiteboard for him. :-/
Asked by: Templar_m

luv2smile Commented:
First off, I want to say I feel your pain because I'm in a similar situation. Luckily..*cross my fingers* I haven't had anything bad happen yet, but I just hate the idea of people who are not system administrators having domain admin rights....

I wonder if you could remove the group membership thru this command:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/schmmgmt_remove_member_schemaadmin_group.asp
0
 
ScrptMasta Commented:
You can use this script to remove a User in AD from an AD group. Just place the code into a notepad file and save with a .VBS extension. You will need to change the info in the script to match your users and domain of course. Then run from the command prompt like this,

C:\>CSCRIPT myfile.vbs

Removes user MyerKen from the group Sea-Users.
***********************************************************************
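' Flag for PutEx: delete the listed values from the attribute
Const ADS_PROPERTY_DELETE = 4

' Bind to the group (change the DN to match your group and domain)
Set objGroup = GetObject _
   ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")

' Remove the user's DN from the group's member attribute
objGroup.PutEx ADS_PROPERTY_DELETE, _
    "member",Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' Commit the change to Active Directory
objGroup.SetInfo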
***********************************************************************

      
0
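Added example, not part of ScrptMasta's post: the question describes a group (Domain Admins) nested inside Domain Guests, so this variant of the same ADSI approach lists the direct members with their object class, removes the nested group, and reads the membership back to confirm. Both DNs are assumed placeholders that reuse the fabrikam naming above and the default Users container; change them to match your domain.

```vbscript
' Added example (not from the original thread).
' GROUP_DN and MEMBER_DN are assumed placeholder values.
Option Explicit

Const GROUP_DN  = "cn=Domain Guests,cn=Users,dc=NA,dc=fabrikam,dc=com"
Const MEMBER_DN = "cn=Domain Admins,cn=Users,dc=NA,dc=fabrikam,dc=com"

Dim objGroup, objMember, strMemberPath

Set objGroup = GetObject("LDAP://" & GROUP_DN)
strMemberPath = "LDAP://" & MEMBER_DN

' List direct members and their class so nested groups stand out.
' Accounts that only have this group as their primary group are not
' stored in the member attribute and will not appear here.
WScript.Echo "Direct members of " & objGroup.Get("cn") & ":"
For Each objMember In objGroup.Members
    WScript.Echo "  [" & objMember.Class & "] " & _
        objMember.Get("distinguishedName")
Next

If objGroup.IsMember(strMemberPath) Then
    ' IADsGroup.Remove writes straight to the directory; no SetInfo needed.
    objGroup.Remove strMemberPath

    ' Re-bind so the check reads fresh data rather than the local cache.
    Set objGroup = GetObject("LDAP://" & GROUP_DN)
    If objGroup.IsMember(strMemberPath) Then
        WScript.Echo "Removal failed: " & MEMBER_DN & " is still a member."
        WScript.Quit 1
    End If
    WScript.Echo "Removed " & MEMBER_DN
Else
    WScript.Echo MEMBER_DN & " is not a direct member; nothing removed."
End If
```

Run it with CSCRIPT as shown above, under an account that can still bind to and modify the group.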
 
Templar_m (Author) Commented:
I tried the VBS thing already; figured there might have been another way.

Thanks ScrptMasta. That seemed to take the user out of that group but the error still remained. I think he did more damage than I can see.
0
