bsharath (India) asked:
Remove a users name from all groups

hi,

When a user resigns, after disabling the account I manually go to each group where he is a member and remove his name from the group. Is it possible to run a script, or is there a tool which can do this automatically?

Please help.

regards
Sharath
LauraEHunterMVP (United States):

The following VBScript will accomplish what you're looking for:

' Needed so that a user with no groups can be detected via Err.Number
' instead of aborting the script with an unhandled runtime error.
On Error Resume Next

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D

' <UserDN> is the distinguished name of the user, written on one line,
' e.g. cn=Some User,ou=Some OU,dc=domain,dc=com
Set objUser = GetObject("LDAP://<UserDN>")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to user: " & Err.Description
    WScript.Quit 1
End If

' memberOf is multi-valued, so it is read with GetEx; it raises
' E_ADS_PROPERTY_NOT_FOUND when the user belongs to no groups.
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If

' Delete the user's DN from the member attribute of each group.
' (The primary group, normally Domain Users, is not listed in memberOf.)
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array(objUser.Get("distinguishedName"))
    objGroup.SetInfo
Next

This is from the Active Directory Cookbook, 2nd Edition (of which I am a co-author, shameless plug.  ;-))

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
bsharath (ASKER):

Will this script ask me for the username, or just delete any disabled users in any group?
In this script you manually specify the target username in this line:

Set objUser = GetObject("LDAP://<UserDN>"), where you will replace <UserDN> with the actual distinguished name of the user.  So it might look like:

Set objUser = GetObject("LDAP://cn=DisabledUser,ou=DisabledUsersOU,dc=mycompany,dc=com")
Can it search and remove without giving the CN, OU, DC, as there are different OUs in which the users are?
No, you need to provide the fully Distinguished Name of the user in order for the script to know which object to modify.
The canonical name of the object is

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani

How do I put this in place?

Domain is development.plc.co.uk

User name is sujatha anbumani
This DN would be expressed as

"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"
I put it like this, and when I execute it I get this error.

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next

Error:

C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 34) Microsoft VBScript compilation error: Expected ')'
It compiles using a test user on my domain.  Be sure that the "Set objUser=" line is not wrapping across multiple lines.  There should also be only one set of quotes, just ("LDAP://cn=....dc=uk")
Now I get this:


C:\>cscript s.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\s.vbs(4, 1) (null): A referral was returned from the server.
This means that you have specified the DN of the user incorrectly.  

You can open the user object in ADSI Edit (in the Microsoft Support Tools) to retrieve the DN of the user object in question.

If you are unfamiliar with Active Directory scripting, I recommend the tutorials at the following site: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/
OK, I might be speaking out of turn here, but unless you are making a script to disable the account, move the user account to the other OU and then remove the membership, can't you just go to his account and into the Member Of tab and remove everything there?

Sorry. I'll run away now.
czcdct:

When we add the user as a member, the group does not display in the user's properties.
LauraEHunterMVP:

Any help on this?
Ah, so the question is completely different then, isn't it. Your problem is that adding a user to a group does not result in that group appearing in the "Member Of" box on the user account. I'm certainly not that much of an expert to troubleshoot that one too deeply. Perhaps Laura will give you the solution. She's good like that.
When I disable a user, I need to automatically remove the user from all groups where he is a member.

I don't understand what further help you are requesting.  If your goal is to strip a user of all of its group memberships, the best solution is the script that I've already provided.
LauraEHunterMVP:

Can you please post the whole script with all the changes. I shall try now.
The script is fine as-written.  Place the user object's distinguished name where you see the <UserDN> placeholder, being careful not to add quotes around the DN and ensuring that each line of the script appears on one continuous line.  
I get this error. If you sort this error, I think I can solve the issue.
---------------------------
Windows Script Host
---------------------------
Script:      C:\Gr.vbs
Line:      4
Char:      34
Error:      Expected ')'
Code:      800A03EE
Source:       Microsoft VBScript compilation error

---------------------------
OK  
---------------------------
You are specifying the DN of the user incorrectly. Be sure that it is written on a single line in the format listed in previous comments.
This is the code that I am using:

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject("LDAP://"cn=Sujatha Anbumani,ou=Former Colleagues,ou=User Accounts,ou=IND,ou=Countries,dc=development,dc=plc,dc=co,dc=uk"")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next
Error:

Please suggest where I am going wrong.

I have checked the canonical name of the object, which shows as this:

Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani
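The thread stalls on two things: the DN must be a single quoted string, and the canonical name shown in the AD console is not a DN. The script below is an added example, not code from the thread or from the Active Directory Cookbook: it takes either form on the command line, converts a canonical name to a DN with the ADSI NameTranslate object (the ADS_NAME_* constants are the documented ADSI enumeration values), and then removes the user from every group listed in memberOf, reporting each group separately. The file name RemoveFromGroups.vbs is assumed.

```vbscript
On Error Resume Next
Const ADS_NAME_INITTYPE_GC     = 3
Const ADS_NAME_TYPE_1779       = 1   ' RFC 1779 distinguished name
Const ADS_NAME_TYPE_CANONICAL  = 2   ' domain.tld/OU/.../name form
Const ADS_PROPERTY_DELETE      = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

If WScript.Arguments.Count <> 1 Then WScript.Echo "Usage: cscript RemoveFromGroups.vbs ""<DN or canonical name>""" : WScript.Quit 1
strInput = WScript.Arguments(0)

' A canonical name (domain/OU/.../name, as the AD console shows it) has no "="
' in it; NameTranslate turns it into a DN so no cn=/ou=/dc= string is typed by hand.
If InStr(strInput, "=") = 0 Then
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_CANONICAL, strInput
    strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
Else
    strUserDN = strInput
End If
If Err.Number <> 0 Or strUserDN = "" Then
    WScript.Echo "Could not resolve user: " & Err.Description
    WScript.Quit 1
End If

Set objUser = GetObject("LDAP://" & strUserDN)
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to " & strUserDN & ": " & Err.Description
    WScript.Quit 1
End If

' memberOf is multi-valued (hence GetEx) and fails with E_ADS_PROPERTY_NOT_FOUND
' when empty; the primary group (usually Domain Users) is never listed in it.
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo strUserDN & " is in no groups."
    WScript.Quit 0
End If

For Each strGroupDN In arrMemberOf
    Err.Clear
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
    objGroup.SetInfo
    If Err.Number = 0 Then
        WScript.Echo "Removed from " & strGroupDN
    Else
        WScript.Echo "FAILED for " & strGroupDN & ": " & Err.Description
    End If
Next
```

Run it as cscript RemoveFromGroups.vbs "Development.plc.co.uk/Countries/IND/User Accounts/Former Colleagues/Sujatha Anbumani" with an account that has write access to the groups' member attribute; the per-group output is what to keep as the record of what was stripped from the disabled account.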
ASKER CERTIFIED SOLUTION: LauraEHunterMVP