bsharath (India) asked:

Script that will remove all Managed by from all groups in the Domain.Active directory.

Hi,

Script that will remove all Managed by from all groups in the Domain.Active directory.
Below is the script that removes the managed by for all Computers; can the same be changed for the groups? Just thought this might help.

Regards
Sharath
:: ===============
:: READ THIS FIRST
:: ===============
:: * This script requires a "Computers.txt" file from which it reads the computer names.
:: * Copy and paste the following script into Notepad and save it with any name having the .cmd extension.
:: *** SCRIPT START ***
@ECHO OFF
SETLOCAL EnableDelayedExpansion
IF NOT EXIST Computers.txt GOTO ShowErr
FOR %%R IN (Computers.txt) DO IF %%~zR EQU 0 GOTO ShowErr
IF EXIST CompMgr.ldf DEL /F /Q CompMgr.ldf
 
FOR /F %%c IN ('TYPE Computers.txt') Do (
    ECHO Processing: %%c
    DSQuery Computer -Name %%c |FIND /I "CN=">NUL
    IF NOT ERRORLEVEL 1 (
            FOR /F "delims=*" %%d IN ('DSQuery Computer -Name %%c') DO ((
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO replace: managedBy
                  ECHO managedBy: %%~d
                  ECHO -
                  ECHO.
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO delete: managedBy
                  ECHO -
                  ECHO.)>>CompMgr.ldf)
      ) ELSE (ECHO *** ERROR *** %%c: System NOT Found in AD.)
)
ECHO.
IF EXIST CompMgr.ldf LDIFDE -I -K -F CompMgr.ldf
GOTO EndScript
:ShowErr
ECHO "Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST CompMgr.ldf DEL /F /Q CompMgr.ldf
ENDLOCAL
:: *** SCRIPT END ***


tigermatt (United Kingdom) replied:

Well, that should be quite simple by just changing what DSQuery is looking up. I've also changed the input file so it now accepts groups.txt as the input file.

-Matt
:: ===============
:: READ THIS FIRST
:: ===============
:: * This script requires a "Groups.txt" file from which it reads the group names.
:: * Copy and paste the following script into Notepad and save it with any name having the .cmd extension.
:: *** SCRIPT START ***
@ECHO OFF
SETLOCAL EnableDelayedExpansion
IF NOT EXIST Groups.txt GOTO ShowErr
FOR %%R IN (Groups.txt) DO IF %%~zR EQU 0 GOTO ShowErr
IF EXIST GroupMgr.ldf DEL /F /Q GroupMgr.ldf
 
FOR /F %%c IN ('TYPE Groups.txt') Do (
    ECHO Processing: %%c
    DSQuery Group -Name %%c |FIND /I "CN=">NUL
    IF NOT ERRORLEVEL 1 (
            FOR /F "delims=*" %%d IN ('DSQuery Computer -Name %%c') DO ((
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO replace: managedBy
                  ECHO managedBy: %%~d
                  ECHO -
                  ECHO.
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO delete: managedBy
                  ECHO -
                  ECHO.)>>GroupMgr.ldf)
      ) ELSE (ECHO *** ERROR *** %%c: Group NOT Found in AD.)
)
ECHO.
IF EXIST GroupMgr.ldf LDIFDE -I -K -F GroupMgr.ldf
GOTO EndScript
:ShowErr
ECHO "Groups.txt" file does not exist or file is empty!
:EndScript
IF EXIST GroupMgr.ldf DEL /F /Q GroupMgr.ldf
ENDLOCAL
:: *** SCRIPT END ***



Oops, forgot to replace a token! Try this:

-Matt
:: ===============
:: READ THIS FIRST
:: ===============
:: * This script requires a "Groups.txt" file from which it reads the group names.
:: * Copy and paste the following script into Notepad and save it with any name having the .cmd extension.
:: *** SCRIPT START ***
@ECHO OFF
SETLOCAL EnableDelayedExpansion
IF NOT EXIST Groups.txt GOTO ShowErr
FOR %%R IN (Groups.txt) DO IF %%~zR EQU 0 GOTO ShowErr
IF EXIST GroupMgr.ldf DEL /F /Q GroupMgr.ldf
 
FOR /F %%c IN ('TYPE Groups.txt') Do (
    ECHO Processing: %%c
    DSQuery Group -Name %%c |FIND /I "CN=">NUL
    IF NOT ERRORLEVEL 1 (
            FOR /F "delims=*" %%d IN ('DSQuery Group -Name %%c') DO ((
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO replace: managedBy
                  ECHO managedBy: %%~d
                  ECHO -
                  ECHO.
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO delete: managedBy
                  ECHO -
                  ECHO.)>>GroupMgr.ldf)
      ) ELSE (ECHO *** ERROR *** %%c: Group NOT Found in AD.)
)
ECHO.
IF EXIST GroupMgr.ldf LDIFDE -I -K -F GroupMgr.ldf
GOTO EndScript
:ShowErr
ECHO "Groups.txt" file does not exist or file is empty!
:EndScript
IF EXIST GroupMgr.ldf DEL /F /Q GroupMgr.ldf
ENDLOCAL
:: *** SCRIPT END ***


This will loop through all domains in the forest and remove the managed by field from any group.
'http://www.experts-exchange.com/Programming/Languages/Q_23866168.html
 
Const adVarChar = 200
Const VarCharMaxCharacters = 255
Const adFldIsNullable = 32
 
Dim arrDomainNames
 
'Uncomment the next line to input your own domain names
'arrDomainNames = array("DOMAIN","DC=subdomain1,DC=domain,DC=com")
 
if NOT IsArray(arrDomainNames) then
    GetDomainNames
End If
 
Sub GetDomainNames
    Const ADS_SCOPE_ONELEVEL = 1
    Const ADS_SCOPE_SUBTREE = 2
    set objRootDSE   = GetObject("LDAP://RootDSE")
    Set objCommand =   CreateObject("ADODB.Command")
    set objConn      = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    
    objConn.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConn
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL
    
    objCommand.CommandText = "SELECT name,trustParent,nCName,dnsRoot,distinguishedName FROM 'LDAP://cn=Partitions," & objRootDSE.Get("ConfigurationNamingContext") & "' WHERE objectcategory='crossRef' AND systemFlags=3"
    Set objRS = objCommand.Execute
    objRS.MoveFirst
    
    set arrDomainNames     = CreateObject("Scripting.Dictionary")
    set dicDomainHierarchy = CreateObject("Scripting.Dictionary")
    set dicDomainRoot      = CreateObject("Scripting.Dictionary")
    
    while not objRS.EOF 
        dicDomainRoot.Add objRS.Fields("name").Value, objRS.Fields("nCName").Value
        if objRS.Fields("trustParent").Value <> "" then
            arrDomainNames.Add objRS.Fields("name").Value, 0
            set objDomainParent = GetObject("LDAP://" & objRS.Fields("trustParent").Value)
            dicDomainHierarchy.Add objRS.Fields("name").Value,objDomainParent.Get("name")
        else 
            arrDomainNames.Add objRS.Fields("name").Value, 1
        end if
        objRS.MoveNext
    wend
    for each strDomain in arrDomainNames
        'msgbox strDomain
    next
End Sub
 
Set GroupMembershipDB = CreateObject("ADOR.Recordset")
GroupMembershipDB.Fields.Append "SAMAccountName", adVarChar, VarCharMaxCharacters, adFldIsNullable
GroupMembershipDB.Fields.Append "PrimaryGroupToken", adVarChar, VarCharMaxCharacters, adFldIsNullable
GroupMembershipDB.Fields.Append "DistinguishedName", adVarChar, VarCharMaxCharacters, adFldIsNullable
GroupMembershipDB.Fields.Append "Type", adVarChar, VarCharMaxCharacters, adFldIsNullable
GroupMembershipDB.Open
 
'Run sub to populate the group members db
FillGroupList
 
RemoveManagedBy
 
Sub FillGroupList
    Set adoCommandGL = CreateObject("ADODB.Command")
    Set adoConnectionGL = CreateObject("ADODB.Connection")
    adoConnectionGL.Provider = "ADsDSOObject"
    adoConnectionGL.Open "Active Directory Provider"
    adoCommandGL.ActiveConnection = adoConnectionGL
    adoCommandGL.Properties("Page Size") = 1000
 
    for each strDomain in arrDomainNames
        strBase = "<LDAP://" & strDomain & ">"        
        strFilter = "(objectCategory=group)"
        strAttributes = "sAMAccountName,primaryGroupToken,distinguishedName,samaccounttype,member,managedby,mail"
        strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
        Set adoRecordsetGL = CreateObject("ADODB.Recordset")
        adoRecordsetGL.CursorLocation = 3
        adoRecordsetGL.Sort = "distinguishedname"
        adoRecordsetGL.Open strQuery, adoConnectionGL, , , 1
        Do Until adoRecordsetGL.EOF
            strNTName            = adoRecordsetGL.Fields("sAMAccountName").Value
            strPrimary           = adoRecordsetGL.Fields("primaryGroupToken").Value
            strdistinguishedName = adoRecordsetGL.Fields("distinguishedName").Value
            strType              = GroupType(adoRecordsetGL.Fields("samaccounttype").Value)
            GroupMembershipDB.AddNew
            GroupMembershipDB("sAMAccountName")          = strNTName
            GroupMembershipDB("primaryGroupToken")       = strPrimary
            GroupMembershipDB("distinguishedName")       = strdistinguishedName
            GroupMembershipDB("Type")                    = strType
            GroupMembershipDB.Update
            adoRecordsetGL.MoveNext
        Loop
    next
End Sub
 
Function GroupType(strType)
    ' Maps a sAMAccountType value to a label. 268435456 = SAM_GROUP_OBJECT,
    ' 268435457 = SAM_NON_SECURITY_GROUP_OBJECT, 536870912 = SAM_ALIAS_OBJECT,
    ' 536870913 = SAM_NON_SECURITY_ALIAS_OBJECT; the remaining values are the
    ' groupType flag values kept from the original posting.
    Select Case strType
        Case 2, 4, 8, 268435457, 536870913 'Distribution Groups
            GroupType = "Distribution Group"
        Case -2147483646, -2147483644, -2147483640, 268435456, 536870912 'Security Groups
            GroupType = "Security Group"
        Case Else
            GroupType = "Security Group"
    End Select
End Function
 
Sub RemoveManagedBy
    ' Walks every group collected by FillGroupList and clears its manager.
    ' PutEx 1 is ADS_PROPERTY_CLEAR: it removes all values of managedBy;
    ' nothing is written to the directory until SetInfo is called.
    GroupMembershipDB.Filter = ""
    GroupMembershipDB.MoveFirst
    Do While Not GroupMembershipDB.EOF
        strDN = GroupMembershipDB.Fields.Item("distinguishedName").Value
        Set objGroup = GetObject("LDAP://" & strDN)
        objGroup.PutEx 1, "managedby", vbNullString
        objGroup.SetInfo
        GroupMembershipDB.MoveNext
    Loop
End Sub
 
wscript.echo "Done"


bsharath (asker):

Will I get in the results what was removed, Matthew & Rejoinder, in both the scripts?
SOLUTION by rejoinder (Canada)

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

Sharath,

Apologies, I've not been in the office for days.

The script I posted is a copy of the original one you posted in the question, except I obviously changed it to search and process groups, instead of computers. If the original script shows results, my script will; it looks like it does.

-Matthew
Matthew, the script does not query if the group name has spaces...

Rejoinder, your script also does not remove managers if groups have spaces...

Sharath,

Try this.

-Matt
:: ===============
:: READ THIS FIRST
:: ===============
:: * This script requires a "Groups.txt" file from which it reads the group names.
:: * Copy and paste the following script into Notepad and save it with any name having the .cmd extension.
:: *** SCRIPT START ***
@ECHO OFF
SETLOCAL EnableDelayedExpansion
IF NOT EXIST Groups.txt GOTO ShowErr
FOR %%R IN (Groups.txt) DO IF %%~zR EQU 0 GOTO ShowErr
IF EXIST GroupMgr.ldf DEL /F /Q GroupMgr.ldf
 
FOR /F %%c IN ('TYPE Groups.txt') Do (
    ECHO Processing: %%c
    DSQuery Group -Name "%%c" |FIND /I "CN=">NUL
    IF NOT ERRORLEVEL 1 (
            FOR /F "delims=*" %%d IN ('DSQuery Group -Name "%%c"') DO ((
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO replace: managedBy
                  ECHO managedBy: %%~d
                  ECHO -
                  ECHO.
                  ECHO DN: %%~d
                  ECHO changetype: modify
                  ECHO delete: managedBy
                  ECHO -
                  ECHO.)>>GroupMgr.ldf)
      ) ELSE (ECHO *** ERROR *** %%c: Group NOT Found in AD.)
)
ECHO.
IF EXIST GroupMgr.ldf LDIFDE -I -K -F GroupMgr.ldf
GOTO EndScript
:ShowErr
ECHO "Groups.txt" file does not exist or file is empty!
:EndScript
IF EXIST GroupMgr.ldf DEL /F /Q GroupMgr.ldf
ENDLOCAL
:: *** SCRIPT END ***


Still says it cannot be found:

Processing: LC
*** ERROR *** LC: Group NOT Found in AD.
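The "Processing: LC" line above is what FOR /F produces when Groups.txt holds a name with a space in it and the loop uses its default tokenising: only the text before the first space reaches %%c, so the quoted "%%c" passed to DSQuery is already truncated. The following batch script is an added example written for this thread, not a script posted by Sharath, Matt or rejoinder. It keeps the technique from the question (DSQuery to find the DN, an LDIF modify record per object, LDIFDE -i to apply it) but reads each line of Groups.txt whole, only queues a delete for groups that actually have a manager, and writes the DNs it changed to a log file, which is the "results on what was removed" asked about earlier. It also goes a step beyond the posted scripts: if Groups.txt is absent it processes every managed group in the current domain, which is what the original question asked for. File names Groups.txt, GroupMgr.ldf and Removed.txt are assumptions.

```batch
@ECHO OFF
SETLOCAL
:: Added example, not a script from this thread. Clears managedBy on the groups
:: named in Groups.txt (one name per line, spaces allowed). If Groups.txt is
:: absent, every group in the current domain that has a manager is processed.
:: Assumed file names: Groups.txt (input), GroupMgr.ldf (temp), Removed.txt (log).
SET "LDF=GroupMgr.ldf"
SET "LOG=Removed.txt"
IF EXIST "%LDF%" DEL /F /Q "%LDF%"
IF EXIST "%LOG%" DEL /F /Q "%LOG%"

IF NOT EXIST Groups.txt (
    ECHO Groups.txt not found: processing every managed group in the domain.
    FOR /F "delims=" %%d IN ('DSQuery * -filter "(&(objectCategory=group)(managedBy=*))" -limit 0') DO CALL :Queue %%d
    GOTO Import
)

:: "usebackq delims=" hands each whole line to %%c, spaces included, which is
:: what the default FOR /F tokenising (split at the first space) gets wrong.
:: "eol=;" lets a line in the list be commented out with a leading semicolon.
FOR /F "usebackq eol=; delims=" %%c IN ("Groups.txt") DO (
    ECHO Processing: "%%c"
    SET "FOUND="
    FOR /F "delims=" %%d IN ('DSQuery Group -Name "%%c"') DO (
        SET "FOUND=1"
        CALL :Queue %%d
    )
    IF NOT DEFINED FOUND ECHO *** ERROR *** "%%c": group not found in AD.
)

:Import
IF NOT EXIST "%LDF%" (
    ECHO No group with a manager was queued; nothing to import.
    GOTO End
)
:: -k continues past a failed record instead of aborting the whole import;
:: -j . writes ldif.log (and ldif.err when a record fails) to the current directory.
LDIFDE -i -k -f "%LDF%" -j .
ECHO Groups queued for clearing are listed in %LOG%; ldif.log has the LDIFDE detail.
GOTO End

:Queue
:: %1 is one DN exactly as DSQuery printed it, in double quotes; %~1 drops them.
:: The DN is copied into a variable while delayed expansion is OFF (so a "!" in a
:: group name survives) and echoed with !DN! once it is ON (so "&", ")" and the
:: like inside the DN are not interpreted by the command parser).
SET "DN=%~1"
SETLOCAL EnableDelayedExpansion
SET "MANAGED="
FOR /F "delims=" %%m IN ('DSQuery * %1 -scope base -filter "(managedBy=*)"') DO SET "MANAGED=1"
IF NOT DEFINED MANAGED (
    ECHO    skipped, no manager set: !DN!
    ENDLOCAL
    GOTO :EOF
)
ECHO    queued: !DN!
>>"%LOG%" ECHO !DN!
>>"%LDF%" ECHO dn: !DN!
>>"%LDF%" ECHO changetype: modify
>>"%LDF%" ECHO delete: managedBy
>>"%LDF%" ECHO -
>>"%LDF%" ECHO.
ENDLOCAL
GOTO :EOF

:End
IF EXIST "%LDF%" DEL /F /Q "%LDF%"
ENDLOCAL
```

Run it from a command prompt as an account that is allowed to write managedBy on the groups; Removed.txt then lists every DN whose manager was queued for removal and ldif.err, if LDIFDE creates it, lists the records that were refused. DSQuery Group -Name matches the group's common name (cn); if Groups.txt holds pre-Windows 2000 names instead, change that call to DSQuery Group -samid "%%c". Names containing LDAP filter metacharacters such as parentheses are fine here because the name is never placed inside an LDAP filter, only passed to -Name, but a literal asterisk in a name is treated by DSQuery as a wildcard.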
ASKER CERTIFIED SOLUTION

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thank U Both