Solved

Remove a user's name from all groups

Posted on 2007-03-30
23
244 Views
Last Modified: 2012-05-05
Hi,

When a user resigns, after disabling the account I manually go to each group where he is a member and remove his name from the group. Is it possible to run a script, or is there a tool which can do this automatically?

Please help.

Regards,
Sharath
Question by:bsharath
23 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18822805
The following VBScript will accomplish what you're looking for:

On Error Resume Next   ' required: without it GetEx aborts the script before Err.Number is tested

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D

' Replace <UserDN> with the user's distinguished name, all on one line, e.g.
' GetObject("LDAP://cn=DisabledUser,ou=DisabledUsersOU,dc=mycompany,dc=com")
Set objUser = GetObject("LDAP://<UserDN>")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to the user object: " & Err.Description
    WScript.Quit 1
End If

' Read the DN back from the object so it only has to be typed once (above)
strUserDN = objUser.Get("distinguishedName")
arrMemberOf = objUser.GetEx("memberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If

For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array(strUserDN)
    objGroup.SetInfo
Next

This is from the Active Directory Cookbook, 2nd Edition (of which I am a co-author, shameless plug.  ;-))

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 11

Author Comment

by:bsharath
ID: 18822944
Will this script ask me for the username, or just delete any disabled users from any group?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18822951
In this script you manually specify the target username in this line:

Set objUser = GetObject("LDAP://<UserDN>"), where you will replace <UserDN> with the actual distinguished name of the user.  So it might look like:

Set objUser = GetObject("LDAP://cn=DisabledUser,ou=DisabledUsersOU,dc=mycompany,dc=com")
0
 
LVL 11

Author Comment

by:bsharath
ID: 18822988
Can it search and remove without giving the CN, OU, DC, as there are different OUs in which the users are?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823006
No, you need to provide the full Distinguished Name of the user in order for the script to know which object to modify.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18823040
The canonical name of the object is

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani

How do I put this in place?

Domain is development.plc.co.uk

User name is sujatha anbumani
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823056
This DN would be expressed as

"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"
0
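Converting the canonical name by hand, as above, works when every element of the path is an OU; built-in containers such as Users are "cn=" rather than "ou=", which the canonical form does not show. Active Directory's own IADsNameTranslate interface does the conversion for you. The following is an added example, not code from the thread or the Active Directory Cookbook; it assumes the script runs on a domain-joined machine that can reach a global catalog, and uses the canonical name from the thread as its input.

```vbscript
Option Explicit
On Error Resume Next

' IADsNameTranslate constants (documented ADSI values)
Const ADS_NAME_INITTYPE_GC    = 3   ' bind to a global catalog of the current forest
Const ADS_NAME_TYPE_1779      = 1   ' RFC 1779 distinguished name ("cn=...,dc=...")
Const ADS_NAME_TYPE_CANONICAL = 2   ' "domain.com/OU/OU/Object" as shown in ADUC

' Converts a canonical name to a distinguished name, or returns "" on failure.
Function CanonicalToDN(strCanonicalName)
    Dim objTrans
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_CANONICAL, strCanonicalName
    If Err.Number <> 0 Then
        ' The object could not be found under that path
        Err.Clear
        CanonicalToDN = ""
        Exit Function
    End If
    CanonicalToDN = objTrans.Get(ADS_NAME_TYPE_1779)
End Function

' Canonical name exactly as it appears on the Object tab (from the thread)
Dim strCanonical, strDN
strCanonical = "development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani"

strDN = CanonicalToDN(strCanonical)
If strDN = "" Then
    WScript.Echo "Could not resolve: " & strCanonical
    WScript.Quit 1
End If

' This is the value that goes in place of <UserDN> in the group-removal script
WScript.Echo strDN
```

Because the directory resolves the path, the result is the object's real DN, so a container in the path comes back as "cn=" and any OU with a misleading display name is still resolved correctly.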
 
LVL 11

Author Comment

by:bsharath
ID: 18823112
Hi, I put it like this and when I execute it I get this error.

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next

Error:

C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 34) Microsoft VBScript compilation error: Expected ')'
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823419
It compiles using a test user on my domain.  Be sure that the "Set objUser=" line is not wrapping across multiple lines.  There should also be only one set of quotes, just ("LDAP://cn=....dc=uk")
0
 
LVL 11

Author Comment

by:bsharath
ID: 18823460
Now I get this:


C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 1) (null): A referral was returned from the server.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823543
This means that you have specified the DN of the user incorrectly.  

You can open the user object in ADSI Edit (in the Microsoft Support Tools) to retrieve the DN of the user object in question.

If you are unfamiliar with Active Directory scripting, I recommend the tutorials at the following site: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/
0
 
LVL 15

Expert Comment

by:czcdct
ID: 18823614
OK, I might be speaking out of turn here, but unless you are making a script to disable the account, move the user account to the other OU and then remove the membership, can't you just go to his account and into the Member Of tab and remove everything there?

Sorry. I'll run away now.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18824543
czcdct:

As we add the user to the group's members, the group does not display in the user's properties.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18840981
LauraEHunterMVP:

Any help on this....
0
 
LVL 15

Expert Comment

by:czcdct
ID: 18841599
Ah, so the question is completely different then, isn't it. Your problem is that adding a user to a group does not result in that group appearing in the "Member Of" box on the user account. I'm certainly not that much of an expert to troubleshoot that one too deeply. Perhaps Laura will give you the solution. She's good like that.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18841767
When I disable a user, I need to automatically remove the user from all groups where he is a member.

0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18842740
I don't understand what further help you are requesting.  If your goal is to strip a user of all of its group memberships, the best solution is the script that I've already provided.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18883081
LauraEHunterMVP:

Can you please post the whole script with all the changes. I shall try now.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18883137
The script is fine as-written.  Place the user object's distinguished name where you see the <UserDN> placeholder, being careful not to add quotes around the DN and ensuring that each line of the script appears on one continuous line.  
0
 
LVL 11

Author Comment

by:bsharath
ID: 18915594
I get this error. If you sort this error, I think I can solve the issue.
---------------------------
Windows Script Host
---------------------------
Script:      C:\Gr.vbs
Line:      4
Char:      34
Error:      Expected ')'
Code:      800A03EE
Source:       Microsoft VBScript compilation error

---------------------------
OK  
---------------------------
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18916285
You are specifying the DN of the user incorrectly. Be sure that it is written on a single line in the format listed in previous comments.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18916344
This is the code that I am using:

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next
Error

Please suggest where I am going wrong.

I have checked the canonical name of the object, which shows as this:

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18916673
As I have stated previously, the user DN needs to appear on a single line.

As I have -also- stated previously, there should also be only one set of quotes, just ("LDAP://cn=....dc=uk")

To circumvent your next "It's still not working" request: you also need to replace the text (<User DN>) with the actual DN of the user in question.

Understand that we can only provide you with example scripts - you need to be sufficiently capable of modifying these scripts to fit your own environment.  If you follow the recommendations that I have already made in this thread, this script will perform the task you are requesting. It is now up to you to configure the example script properly for your own environment; as I cannot do your job for you, I cannot assist you any further.
0
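The script in this thread is correct once the DN is typed on one line inside a single pair of quotes, but two things trip people up in practice: the DN has to be typed at all (twice, in the original), and nothing stops the script from stripping a still-active account. The following is an added example, not code from the thread or the Active Directory Cookbook, that keeps the same PutEx/SetInfo removal but finds the user by sAMAccountName through an ADODB LDAP query (so no OU needs to be known), refuses to run against an enabled account, escapes the filter value, and only changes the directory when run with a /commit switch. The script name StripGroups.vbs and the /commit switch are my own choices; the ADSI constants are the documented values.

```vbscript
Option Explicit
On Error Resume Next

' ADSI constants (documented values)
Const ADS_PROPERTY_DELETE       = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ADS_UF_ACCOUNTDISABLE     = 2

' Usage: cscript //nologo StripGroups.vbs <sAMAccountName> [/commit]
' Without /commit the script only reports the groups it would remove the user from.
If WScript.Arguments.Unnamed.Count < 1 Then
    WScript.Echo "Usage: cscript //nologo StripGroups.vbs <sAMAccountName> [/commit]"
    WScript.Quit 1
End If
Dim strAccount, blnCommit
strAccount = WScript.Arguments.Unnamed(0)
blnCommit  = WScript.Arguments.Named.Exists("commit")

' Escape the characters RFC 4515 reserves in LDAP filters so a typed account
' name cannot change the meaning of the query (e.g. "*" matching every user).
Function EscapeLdapFilter(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")   ' backslash first: it is the escape character itself
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilter = s
End Function

' Locate the user anywhere in the current domain by sAMAccountName, so the
' caller does not need to know which OU the account lives in. Returns "" if
' no match is found.
Function FindUserDN(strSam)
    Dim objRoot, objConn, objCmd, objRS
    Set objRoot = GetObject("LDAP://RootDSE")
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://" & objRoot.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
        EscapeLdapFilter(strSam) & "));distinguishedName;subtree"
    Set objRS = objCmd.Execute
    FindUserDN = ""
    If Not objRS.EOF Then FindUserDN = objRS.Fields("distinguishedName").Value
    objConn.Close
End Function

Dim strUserDN, objUser, arrMemberOf, strGroupDN, objGroup, intRemoved
strUserDN = FindUserDN(strAccount)
If strUserDN = "" Then
    If Err.Number <> 0 Then WScript.Echo "LDAP search failed: " & Err.Description
    WScript.Echo "No user with sAMAccountName '" & strAccount & "' found."
    WScript.Quit 1
End If
WScript.Echo "User DN: " & strUserDN

Set objUser = GetObject("LDAP://" & strUserDN)

' Safety gate for the off-boarding case: only strip memberships from an
' account that has already been disabled, never from a live one.
If (objUser.Get("userAccountControl") And ADS_UF_ACCOUNTDISABLE) = 0 Then
    WScript.Echo "Account is still enabled; disable it first. No changes made."
    WScript.Quit 2
End If

' memberOf is absent (not empty) when the user is in no groups, which GetEx
' reports as E_ADS_PROPERTY_NOT_FOUND; On Error Resume Next lets us test it.
Err.Clear
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit 0
End If

intRemoved = 0
For Each strGroupDN In arrMemberOf
    If blnCommit Then
        Set objGroup = GetObject("LDAP://" & strGroupDN)
        objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
        objGroup.SetInfo
        If Err.Number <> 0 Then
            ' Typically a permissions problem on that group; keep going with the rest
            WScript.Echo "FAILED  " & strGroupDN & " : " & Err.Description
            Err.Clear
        Else
            WScript.Echo "REMOVED " & strGroupDN
            intRemoved = intRemoved + 1
        End If
    Else
        WScript.Echo "WOULD REMOVE " & strGroupDN
    End If
Next
If Not blnCommit Then WScript.Echo "Dry run only; re-run with /commit to apply."
WScript.Echo "Done: " & intRemoved & " membership(s) removed."
```

Run it first without /commit and keep the output as the record of what the account was a member of before off-boarding. Note that memberOf never lists the user's primary group (Domain Users by default), because that membership is held in primaryGroupID rather than in the group's member attribute, so this script, like the original, leaves the primary group in place.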
