Remove user from all groups via command line

Posted on 2008-11-07
Last Modified: 2012-05-05
I'm trying to automate a delete user script and I am stuck on trying to remove a user from all his group memberships.

We have several hundred different groups and a user may be a member of any number of them.

For almost every other function, I'm using the "net user" command. I've looked at the "dsmod" command and the "net group" command, but I don't see any way to automate finding which groups the user is a member of.

Here's the reasoning behind it - When we receive a delete request, we disable the user and keep the account around for 7 days in case they need anything from it or change their mind. In the meantime, we want to remove the user from all distribution groups so that people don't assume the user is still a member of the group. We also want the user account removed from security groups.

Any help would be appreciated! Thanks!
Question by: liqwidgrant

    Expert Comment by: Joseph Daly

    Well so far the following will retrieve all the groups the member is a part of.
    dsquery user -samid "acctname" | dsget user -memberof


    Expert Comment by: Americom

    What you are doing is actually a good practice, especially if a user got terminated and is later rehired with a different role. Removing their membership is definitely good practice for security reasons.

    We used this script to remove all of a user's security groups. The username, OU and domain names were replaced, and there is no way of testing it after the two-line replacement, so you may want to verify with a test account first.

    ' Removes the user from every group listed in its memberOf attribute
    On Error Resume Next
    Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
    Const ADS_PROPERTY_DELETE = 4   ' PutEx control code: delete the listed values only
    strUserDN = "cn=TheUserName,ou=WhereUserIsIn,dc=SubDomainName,dc=fabrikam,dc=com"
    Set objUser = GetObject("LDAP://" & strUserDN)
    arrMemberOf = objUser.GetEx("memberOf")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "This account is not a member of any security groups."
        WScript.Quit
    End If
    For Each Group in arrMemberOf
        Set objGroup = GetObject("LDAP://" & Group)
        ' Remove only this user's DN from the group's member attribute
        objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
        objGroup.SetInfo   ' commit the change to the directory
    Next



    Accepted Solution

    Americom - Great script. Unfortunately, because of the limitations of our automation software that is built in to our ticketing system, we need to run this command in one command line.

    I figured it out myself - The command is below.

    It goes through all the groups in the domain and tries to remove the user from it. The "-C" switch specifies that the command should continue on errors instead of stopping when it gets to the first problem.

    It's not the most elegant of solutions, but sometimes brute force works. :)
    DSQUERY GROUP | DSMOD GROUP -C -RMMBR "CN=Smith\, John,OU=SalesDepartment,OU=Users,DC=MyDomain,DC=com"

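    An added example, not from this thread, that does the same job with the ActiveDirectory PowerShell module: it reads the account's own memberOf attribute instead of walking every group in the domain, honours -WhatIf for a dry run, and writes a CSV of what was removed so the memberships can be restored if the user changes their mind within the 7-day retention window. The RSAT ActiveDirectory module, the $SamAccountName and $LogPath parameters and the log location are assumptions.

```powershell
# Added example (not from the original thread): strip a user's group memberships
# via the ActiveDirectory module and record each removal for later restoration.
# Assumes the RSAT ActiveDirectory module and a writable domain controller;
# the parameter names and $LogPath default are placeholders chosen here.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$LogPath = "$env:TEMP\group-removal-$SamAccountName.csv"
)
Import-Module ActiveDirectory

# memberOf lists every direct group membership except the primary group
# (Domain Users by default), which cannot be removed while it is primary.
$user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup
$groups = @($user.MemberOf)

if ($groups.Count -eq 0) {
    Write-Host "$SamAccountName has no group memberships beyond $($user.PrimaryGroup)"
    return
}

$removed = foreach ($dn in $groups) {
    # ShouldProcess makes -WhatIf list every intended change without touching AD;
    # -Confirm:$false suppresses the per-group prompt during a real run.
    if ($PSCmdlet.ShouldProcess($dn, "Remove $SamAccountName")) {
        try {
            Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ Time = Get-Date -Format o; User = $user.DistinguishedName
                               Group = $dn; Result = 'Removed' }
        } catch {
            [pscustomobject]@{ Time = Get-Date -Format o; User = $user.DistinguishedName
                               Group = $dn; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Keep the list of stripped groups so membership can be rebuilt if the
# deletion request is reversed during the retention period.
if ($removed) {
    $removed | Export-Csv -Path $LogPath -NoTypeInformation
    $removed | Format-Table -AutoSize
}
```

    Run it first with -WhatIf to see the full list of groups that would be changed before committing.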

