Remove user from groups with Admodify

Posted on 2007-07-30
Last Modified: 2008-05-31
Is there a way with Admodify to remove a group of users from all groups excluding domain user in bulk?
There is no consistency with what users are associated to what groups for reference.
Question by: GRV001

    Accepted Solution

    The reason this is trickier than you think is because group memberships are not stored as a property of the -user-, but of the -group-.  So to remove a user from every group that it is a member of, you need to:

    [1] Enumerate the user's current group memberships
    [2] Connect to each group that the user is a member of
    [3] Delete the user from that group's 'member' attribute

    As you can see, you need to modify each group in turn; it's not actually a function of modifying the user object.

    Something like the following VBScript will accomplish what you're looking for on a single user object:

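    Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
    Const ADS_PROPERTY_DELETE = 4

    ' GetEx raises an error when memberOf is empty, so trap it instead of aborting
    On Error Resume Next
    Set objUser = GetObject("LDAP://<UserDN>")
    arrMemberOf = objUser.GetEx("memberOf")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "No group memberships found."
        WScript.Quit
    End If
    On Error GoTo 0

    ' memberOf never lists the primary group (normally Domain Users), so it is left untouched
    For Each Group in arrMemberOf
        Set objGroup = GetObject("LDAP://" & Group)
        objGroup.PutEx ADS_PROPERTY_DELETE, _
            "member", Array("<UserDN>")
        objGroup.SetInfo   ' commit the change to the directory
    Next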

    Hope this helps.

    Laura E. Hunter - Microsoft MVP: Windows Server - Networking
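
The same three steps applied in bulk to a list of users, as an added example that is not part of the original answer: it records every membership it removes so the change can be reviewed or reversed. It assumes the ActiveDirectory (RSAT) PowerShell module is installed; the file names `users.txt` and `removed-memberships.csv` are hypothetical.

```powershell
# Added example: bulk removal of direct group memberships, with an audit trail.
# Assumptions: ActiveDirectory (RSAT) module; both file paths below are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$UserList = '.\users.txt',                # one sAMAccountName per line
    [string]$AuditLog = '.\removed-memberships.csv'   # record used to review or restore memberships
)

Import-Module ActiveDirectory -ErrorAction Stop

$audit = foreach ($name in Get-Content -Path $UserList | Where-Object { $_.Trim() }) {
    try {
        # [1] Enumerate direct memberships. memberOf omits the primary group
        #     (normally Domain Users), so that membership is never touched.
        $user = Get-ADUser -Identity $name.Trim() -Properties MemberOf -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$name': $($_.Exception.Message)"
        continue
    }

    foreach ($groupDn in $user.MemberOf) {
        $status = 'Skipped'
        # [2]/[3] Modify each group in turn; ShouldProcess makes -WhatIf a dry run.
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.SamAccountName)")) {
            try {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                $status = 'Removed'
            } catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        # One audit row per user/group pair, including skipped and failed attempts
        [pscustomobject]@{
            TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
            User    = $user.DistinguishedName
            Group   = $groupDn
            Status  = $status
        }
    }
}

# Write the log even during a -WhatIf preview so the planned changes can be reviewed
if ($audit) {
    $audit | Export-Csv -Path $AuditLog -NoTypeInformation -WhatIf:$false
}
```

Saved as a script and run with `-WhatIf`, it lists every membership that would be removed and makes no changes.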

    Expert Comment

    Forced accept.

    EE Admin
