Remove user from all groups via command line

Posted on 2008-11-07
Medium Priority
Last Modified: 2012-05-05
I'm trying to automate a delete user script and I am stuck on trying to remove a user from all his group memberships.

We have several hundred different groups and a user may be a member of any number of them.

For almost every other function, I'm using the "net user" command. I've looked at the "dsmod" command and the "net group" command, but I don't see any way to automate finding which groups the user is a member of.

Here's the reasoning behind it - When we receive a delete request, we disable the user and keep the account around for 7 days in case they need anything from it or change their mind. In the meantime, we want to remove the user from all distribution groups so that people don't assume the user is still a member of the group. We also want the user account removed from security groups.

Any help would be appreciated! Thanks!
Question by:liqwidgrant
LVL 35

Expert Comment

by:Joseph Daly
ID: 22906986
Well so far the following will retrieve all the groups the member is a part of.
dsquery user -samid "acctname" | dsget user -memberof

Open in new window

LVL 18

Expert Comment

ID: 22908963
What you are doing is actually a good practice especailly if a user got terminated and later rehire with a differnt role. Removing their membership is definitely good practice for security reason.

We used this script to remove user's all security groups. The username and OU as well as domain names were replaced and no way of testing it after the two lines replacement. So you may want to do verify with a test account first.

On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Set objUser = GetObject _
arrMemberOf = objUser.GetEx("memberOf")
    WScript.Echo "This account is not a member of any security groups."
End If
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group) 
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=TheUserName,ou=WhereUserIsIn,dc=SubDomainName,dc=fabrikam,dc=com")

Open in new window


Accepted Solution

liqwidgrant earned 0 total points
ID: 22909291
Americom - Great script. Unfortunately becuase of the limitations of our automation software that is built in to our ticketing system, we need to run this command in one command line.

I figured it out myself - The command is below.

It goes through all the groups in the domain and tries to remove the user from it. The "-C" switch specifies that the command should continue on errors instead of stopping when it gets to the first problem.

It's not the most elegant of solutions, but sometimes brute force works. :)
DSQUERY GROUP | DSMOD GROUP -C -RMMBR "CN=Smith\, John,OU=SalesDepartment,OU=Users,DC=MyDomain,DC=com"

Open in new window


Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Here's a look at newsworthy articles and community happenings during the last month.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question