Solved

Remove a users name from all groups

Posted on 2007-03-30
Last Modified: 2012-05-05
hi,

When a user resigns, after disabling the account I manually go to each group wherever he is a member and remove his name from the group. Is it possible to run a script, or is there a tool which can do this automatically?

Please help.

regards
Sharath
Question by:bsharath
23 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18822805
The following VBScript will accomplish what you're looking for:

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://<UserDN>")

' GetEx raises an error when the attribute is empty, so errors are deferred
' for that one call; otherwise the Err.Number test below is never reached
On Error Resume Next
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
On Error GoTo 0
 
' Remove the same user DN from the member attribute of each group
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next

This is from the Active Directory Cookbook, 2nd Edition (of which I am a co-author, shameless plug.  ;-))

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
 
LVL 11

Author Comment

by:bsharath
ID: 18822944
Will this script ask me for the username, or just delete any disabled users in any group?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18822951
In this script you manually specify the target username in this line:

Set objUser = GetObject("LDAP://<UserDN>"), where you will replace <UserDN> with the actual distinguished name of the user.  So it might look like:

Set objUser = GetObject("LDAP://cn=DisabledUser,ou=DisabledUsersOU,dc=mycompany,dc=com")
 
LVL 11

Author Comment

by:bsharath
ID: 18822988
Can it search and remove without giving the CN, OU, DC, as there are different OUs in which the users are?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823006
No, you need to provide the full Distinguished Name of the user in order for the script to know which object to modify.
 
LVL 11

Author Comment

by:bsharath
ID: 18823040
The canonical name of the object is

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani

How do I put this in place?

Domain is development.plc.co.uk

User name is sujatha anbumani
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823056
This DN would be expressed as

"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"
 
LVL 11

Author Comment

by:bsharath
ID: 18823112
I put it like this and executed it, and I get this error.

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next



Error



C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 34) Microsoft VBScript compilation error: Expected ')'
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823419
It compiles using a test user on my domain.  Be sure that the "Set objUser=" line is not wrapping across multiple lines.  There should also be only one set of quotes, just ("LDAP://cn=....dc=uk")
 
LVL 11

Author Comment

by:bsharath
ID: 18823460
Now I get this


C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 1) (null): A referral was returned from the server.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18823543
This means that you have specified the DN of the user incorrectly.

You can open the user object in ADSI Edit (in the Microsoft Support Tools) to retrieve the DN of the user object in question.

If you are unfamiliar with Active Directory scripting, I recommend the tutorials at the following site: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/
 
LVL 15

Expert Comment

by:czcdct
ID: 18823614
OK, I might be speaking out of turn here, but unless you are making a script to disable the account, move the user account to the other OU and then remove the membership, can't you just go to his account and into the Member Of tab and remove everything there?

Sorry. I'll run away now.
 
LVL 11

Author Comment

by:bsharath
ID: 18824543
czcdct:

As we add the user to the member, the group does not display in the user's properties.
 
LVL 11

Author Comment

by:bsharath
ID: 18840981
LauraEHunterMVP:

Any help on this....
 
LVL 15

Expert Comment

by:czcdct
ID: 18841599
Ah, so the question is completely different then, isn't it. Your problem is that adding a user to a group does not result in that group appearing in the "Member Of" box on the user account. I'm certainly not that much of an expert to troubleshoot that one too deeply. Perhaps Laura will give you the solution. She's good like that.
 
LVL 11

Author Comment

by:bsharath
ID: 18841767
When I disable a user, I need to automatically remove the user from all groups where he is a member.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18842740
I don't understand what further help you are requesting.  If your goal is to strip a user of all of its group memberships, the best solution is the script that I've already provided.
 
LVL 11

Author Comment

by:bsharath
ID: 18883081
LauraEHunterMVP:

Can you please post the whole script with all the changes? I shall try now.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18883137
The script is fine as-written.  Place the user object's distinguished name where you see the <UserDN> placeholder, being careful not to add quotes around the DN and ensuring that each line of the script appears on one continuous line.  
 
LVL 11

Author Comment

by:bsharath
ID: 18915594
I get this error. If you sort this error, I think I can solve the issue.
---------------------------
Windows Script Host
---------------------------
Script:      C:\Gr.vbs
Line:      4
Char:      34
Error:      Expected ')'
Code:      800A03EE
Source:       Microsoft VBScript compilation error

---------------------------
OK  
---------------------------
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18916285
You are specifying the DN of the user incorrectly. Be sure that it is written on a single line in the format listed in previous comments.
 
LVL 11

Author Comment

by:bsharath
ID: 18916344
This is the code that I am using

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next
Error

Please suggest where I am going wrong.

I have checked the canonical name of the object, which shows as this.

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 2000 total points)
ID: 18916673
As I have stated previously, the user DN needs to appear on a single line.

As I have -also- stated previously, there should also be only one set of quotes, just ("LDAP://cn=....dc=uk")

To circumvent your next "It's still not working" request: you also need to replace the text (<User DN>) with the actual DN of the user in question.

Understand that we can only provide you with example scripts - you need to be sufficiently capable of modifying these scripts to fit your own environment.  If you follow the recommendations that I have already made in this thread, this script will perform the task you are requesting. It is now up to you to configure the example script properly for your own environment; as I cannot do your job for you, I cannot assist you any further.
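The recurring obstacle in this thread is hand-typing the user's distinguished name. As an added example that is not from the thread or the Active Directory Cookbook, the PowerShell below does the same job as the VBScript above but looks the user up by logon name, so the DN is never typed; it assumes the ActiveDirectory (RSAT) module is installed, the account running it may modify the groups, and the hypothetical parameter names are the script's own.

```powershell
# Added example (not from the thread): strip every group membership from a
# user located by sAMAccountName, so no hand-typed DN is needed.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the groups.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [switch]$WhatIf   # dry run: report what would be removed, change nothing
)

Import-Module ActiveDirectory -ErrorAction Stop

# -Identity accepts a sAMAccountName; the DN comes back with the object, so
# the "cn=...,ou=...,dc=..." string is read from AD rather than typed by hand.
$user = Get-ADUser -Identity $SamAccountName `
            -Properties memberOf, primaryGroupID -ErrorAction Stop
Write-Host "User DN: $($user.DistinguishedName)"

# memberOf never lists the primary group (usually Domain Users), and
# Remove-ADGroupMember cannot remove it anyway; report it and leave it alone.
$domainSid = (Get-ADDomain).DomainSID.Value
$primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
Write-Host "Primary group left in place: $($primary.Name)"

if (-not $user.memberOf) {
    Write-Host "No group memberships found."   # same outcome as the VBScript
    return
}

foreach ($groupDn in $user.memberOf) {
    try {
        Remove-ADGroupMember -Identity $groupDn -Members $user `
            -Confirm:$false -WhatIf:$WhatIf -ErrorAction Stop
        if (-not $WhatIf) { Write-Host "Removed from $groupDn" }
    } catch {
        # keep going: one protected or cross-domain group should not stop the rest
        Write-Warning "Could not remove from ${groupDn}: $($_.Exception.Message)"
    }
}
```

Run it first with -WhatIf to see the list of groups that would be changed before committing; the removals are logged per group so the result can be audited against the user's memberOf afterwards.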
