liqwidgrant
asked on
Remove user from all groups via command line
I'm trying to automate a delete user script and I am stuck on trying to remove a user from all his group memberships.
We have several hundred different groups and a user may be a member of any number of them.
For almost every other function, I'm using the "net user" command. I've looked at the "dsmod" command and the "net group" command, but I don't see any way to automate finding which groups the user is a member of.
Here's the reasoning behind it - When we receive a delete request, we disable the user and keep the account around for 7 days in case they need anything from it or change their mind. In the meantime, we want to remove the user from all distribution groups so that people don't assume the user is still a member of the group. We also want the user account removed from security groups.
Any help would be appreciated! Thanks!
We have several hundred different groups and a user may be a member of any number of them.
For almost every other function, I'm using the "net user" command. I've looked at the "dsmod" command and the "net group" command, but I don't see any way to automate finding which groups the user is a member of.
Here's the reasoning behind it - When we receive a delete request, we disable the user and keep the account around for 7 days in case they need anything from it or change their mind. In the meantime, we want to remove the user from all distribution groups so that people don't assume the user is still a member of the group. We also want the user account removed from security groups.
Any help would be appreciated! Thanks!
What you are doing is actually a good practice especailly if a user got terminated and later rehire with a differnt role. Removing their membership is definitely good practice for security reason.
We used this script to remove user's all security groups. The username and OU as well as domain names were replaced and no way of testing it after the two lines replacement. So you may want to do verify with a test account first.
We used this script to remove user's all security groups. The username and OU as well as domain names were replaced and no way of testing it after the two lines replacement. So you may want to do verify with a test account first.
On Error Resume Next
Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Set objUser = GetObject _
("LDAP://cn=TheUserName,ou=WhereUserIsIn,dc=SubDomainName,dc=yourdomainname,dc=com")
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
WScript.Echo "This account is not a member of any security groups."
WScript.Quit
End If
For Each Group in arrMemberOf
Set objGroup = GetObject("LDAP://" & Group)
objGroup.PutEx ADS_PROPERTY_DELETE, _
"member", Array("cn=TheUserName,ou=WhereUserIsIn,dc=SubDomainName,dc=fabrikam,dc=com")
objGroup.SetInfo
Next
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Open in new window