Remove user from all groups via command line

I'm trying to automate a delete user script and I am stuck on trying to remove a user from all his group memberships.

We have several hundred different groups and a user may be a member of any number of them.

For almost every other function, I'm using the "net user" command. I've looked at the "dsmod" command and the "net group" command, but I don't see any way to automate finding which groups the user is a member of.

Here's the reasoning behind it - When we receive a delete request, we disable the user and keep the account around for 7 days in case they need anything from it or change their mind. In the meantime, we want to remove the user from all distribution groups so that people don't assume the user is still a member of the group. We also want the user account removed from security groups.

Any help would be appreciated! Thanks!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph DalyCommented:
Well so far the following will retrieve all the groups the member is a part of.
dsquery user -samid "acctname" | dsget user -memberof

Open in new window

What you are doing is actually a good practice especailly if a user got terminated and later rehire with a differnt role. Removing their membership is definitely good practice for security reason.

We used this script to remove user's all security groups. The username and OU as well as domain names were replaced and no way of testing it after the two lines replacement. So you may want to do verify with a test account first.

On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Set objUser = GetObject _
arrMemberOf = objUser.GetEx("memberOf")
    WScript.Echo "This account is not a member of any security groups."
End If
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group) 
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=TheUserName,ou=WhereUserIsIn,dc=SubDomainName,dc=fabrikam,dc=com")

Open in new window

liqwidgrantAuthor Commented:
Americom - Great script. Unfortunately becuase of the limitations of our automation software that is built in to our ticketing system, we need to run this command in one command line.

I figured it out myself - The command is below.

It goes through all the groups in the domain and tries to remove the user from it. The "-C" switch specifies that the command should continue on errors instead of stopping when it gets to the first problem.

It's not the most elegant of solutions, but sometimes brute force works. :)
DSQUERY GROUP | DSMOD GROUP -C -RMMBR "CN=Smith\, John,OU=SalesDepartment,OU=Users,DC=MyDomain,DC=com"

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.