Solved

Remove a user's name from all groups

Posted on 2007-03-30
Last Modified: 2012-05-05
Hi,

When a user resigns, after disabling the account I manually go to each group where he is a member and remove his name from the group. Is it possible to run a script, or is there a tool which can do this automatically?

Please help.

regards
Sharath
Question by:bsharath
23 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18822805
The following VBScript will accomplish what you're looking for:

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://<UserDN>")
' GetEx raises a run-time error when memberOf is empty; trap it so the check below can run
On Error Resume Next
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
On Error GoTo 0
 
' Remove the user's DN from the member attribute of every group listed in memberOf
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next

This is from the Active Directory Cookbook, 2nd Edition (of which I am a co-author, shameless plug.  ;-))

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 11

Author Comment

by:bsharath
ID: 18822944
Will this script ask me for the username, or just delete any disabled users in any group?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18822951
In this script you manually specify the target username in this line:

Set objUser = GetObject("LDAP://<UserDN>"), where you will replace <UserDN> with the actual distinguished name of the user.  So it might look like:

Set objUser = GetObject("LDAP://cn=DisabledUser,ou=DisabledUsersOU,dc=mycompany,dc=com")
0
 
LVL 11

Author Comment

by:bsharath
ID: 18822988
Can it search and remove without giving the CN, OU, DC, as there are different OUs in which the users are?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823006
No, you need to provide the full distinguished name of the user in order for the script to know which object to modify.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18823040
The canonical name of the object is

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani

How do I put this in place?

Domain is development.plc.co.uk

User name is sujatha anbumani
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823056
This DN would be expressed as

"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"
0
 
LVL 11

Author Comment

by:bsharath
ID: 18823112
Hi, I put it like this and executed it, and I get this error.

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next



Error



C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 34) Microsoft VBScript compilation error: Expected ')'
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823419
It compiles using a test user on my domain.  Be sure that the "Set objUser=" line is not wrapping across multiple lines.  There should also be only one set of quotes, just ("LDAP://cn=....dc=uk")
0
 
LVL 11

Author Comment

by:bsharath
ID: 18823460
Now I get this:


C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 1) (null): A referral was returned from the server.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823543
This means that you have specified the DN of the user incorrectly.  

You can open the user object in ADSI Edit (in the Microsoft Support Tools) to retrieve the DN of the user object in question.

If you are unfamiliar with Active Directory scripting, I recommend the tutorials at the following site: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/
0
 
LVL 15

Expert Comment

by:czcdct
ID: 18823614
OK, I might be speaking out of turn here, but unless you are making a script to disable the account, move the user account to the other OU and then remove the membership, can't you just go to his account and into the Member Of tab and remove everything there?

Sorry. I'll run away now.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18824543
czcdct:

As we add the user to the member the group does not display in the user's properties.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18840981
LauraEHunterMVP:

Any help on this....
0
 
LVL 15

Expert Comment

by:czcdct
ID: 18841599
Ah, so the question is completely different then, isn't it? Your problem is that adding a user to a group does not result in that group appearing in the "Member Of" box on the user account. I'm certainly not that much of an expert to troubleshoot that one too deeply. Perhaps Laura will give you the solution. She's good like that.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18841767
When I disable a user, I need to automatically remove the user from all groups where he is a member.

0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18842740
I don't understand what further help you are requesting.  If your goal is to strip a user of all of its group memberships, the best solution is the script that I've already provided.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18883081
LauraEHunterMVP:

Can you please post the whole script with all the changes? I shall try now.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18883137
The script is fine as-written.  Place the user object's distinguished name where you see the <UserDN> placeholder, being careful not to add quotes around the DN and ensuring that each line of the script appears on one continuous line.  
0
 
LVL 11

Author Comment

by:bsharath
ID: 18915594
I get this error. If you sort this error, I think I can solve the issue.
---------------------------
Windows Script Host
---------------------------
Script:      C:\Gr.vbs
Line:      4
Char:      34
Error:      Expected ')'
Code:      800A03EE
Source:       Microsoft VBScript compilation error

---------------------------
OK  
---------------------------
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18916285
You are specifying the DN of the user incorrectly. Be sure that it is written on a single line in the format listed in previous comments.
0
 
LVL 11

Author Comment

by:bsharath
ID: 18916344
This is the code that I am using:

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next
Error

Please suggest where I am going wrong.

I have checked the canonical name of the object, which shows as this.

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18916673
As I have stated previously, the user DN needs to appear on a single line.

As I have -also- stated previously, there should also be only one set of quotes, just ("LDAP://cn=....dc=uk")

To circumvent your next "It's still not working" request: you also need to replace the text (<User DN>) with the actual DN of the user in question.

Understand that we can only provide you with example scripts - you need to be sufficiently capable of modifying these scripts to fit your own environment.  If you follow the recommendations that I have already made in this thread, this script will perform the task you are requesting. It is now up to you to configure the example script properly for your own environment; as I cannot do your job for you, I cannot assist you any further.
0
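
A variant of the script from this thread, as an added example that is not LauraEHunterMVP's code and not from the Active Directory Cookbook: it looks up the user's distinguished name from the logon name (sAMAccountName) and reuses that one value for both the bind and the member removal, so the DN is never typed by hand or left as a placeholder. The file name strip-groups.vbs, the allowed-character pattern and the echoed messages are assumptions.

```vbscript
' Added example, not code from the thread. Run: cscript strip-groups.vbs <sAMAccountName>
Option Explicit
Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Dim strSam, objRE, objRootDSE, objConn, objCmd, objRS, strUserDN, objUser, arrMemberOf, strGroupDN, objGroup
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript strip-groups.vbs <sAMAccountName>"
    WScript.Quit 1
End If
strSam = WScript.Arguments(0)
' Assumption: logon names use only these characters; anything else could alter the LDAP filter below
Set objRE = New RegExp
objRE.Pattern = "^[A-Za-z0-9._-]+$"
If Not objRE.Test(strSam) Then
    WScript.Echo "Unexpected characters in account name."
    WScript.Quit 1
End If

' Search the whole domain for the account and read back its distinguished name
Set objRootDSE = GetObject("LDAP://RootDSE")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & _
    ">;(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & strSam & _
    "));distinguishedName;subtree"
Set objRS = objCmd.Execute
If objRS.EOF Then
    WScript.Echo "No user found with logon name " & strSam
    WScript.Quit 1
End If
strUserDN = objRS.Fields("distinguishedName").Value
' "/" must be escaped in an ADsPath; the value written to member stays unescaped
Set objUser = GetObject("LDAP://" & Replace(strUserDN, "/", "\/"))
On Error Resume Next
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit 0
End If
On Error GoTo 0
For Each strGroupDN In arrMemberOf
    Set objGroup = GetObject("LDAP://" & Replace(strGroupDN, "/", "\/"))
    objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
    objGroup.SetInfo
    WScript.Echo "Removed from: " & strGroupDN   ' keep this output as the offboarding record
Next
```

The memberOf attribute does not list the user's primary group (normally Domain Users), so that membership is left in place.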
