Solved

Remove users from Domain Users group

Posted on 2009-03-31
Last Modified: 2012-05-06
We have a body of users that we'd like to remove from the "Domain Users" group. Using the script below, I get this result:

The user cannot be removed from a group because the group is currently the user's primary group.

I was thinking about creating a group and adding all the users under the "DealerPack Customers" OU to that group and, somehow, making it primary. Then go back and run this script against those users to delete them out of Domain Users. Is this scenario possible?

Thanks!
dsquery user "OU=DealerPack Customers,OU=Trading Partners,OU=HNIC Users,OU=rmbu,DC=ofcwic,DC=com" -samid * -limit 0 | dsmod group "CN=Domain Users,CN=Users,DC=ofcwic,DC=com" -rmmbr

Question by:IATexpert
9 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 24028155
You cannot remove users from Domain Users - it's a system group that all users must belong to.
0
 

Author Comment

by:IATexpert
ID: 24028180
As long as I set another group as primary, yes I can. I just need to be able to script it for about 800 users.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028408
If you really really want to :) - use dsget to get the members of the group, pipe to dsmod to remove them from it:
dsget group "DN of group" -members | dsmod group "DN of group" -rmmbr
While it is physically possible to remove the users from this group, I wouldn't recommend it. Domain users get their 'user' status on local machines through their membership to Domain Users (same as how domain admins get local admin access through membership of the local Administrators group).
You would have to ensure that your new group is a member of the 'Users' group on all local machines - GPO I think. Not that I've done this before. There may be other knock-on effects as well.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24028437
You CAN'T REMOVE USERS FROM DOMAIN USERS even if it's not their primary group; it's a system group with automatic access - all users are members of Domain Users and there is nothing you can do about this.
0

 

Author Comment

by:IATexpert
ID: 24028475
These are external users and are used for web site authentication, and are not actual users of any of our other network resources. It was decided that they should not be members of "Domain Users".
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028510
Sorry, KCTS, have to respectfully disagree - you can physically remove from Domain Users as long as you set another group as primary. It's not a built-in principal like Authenticated Users is.
That said - I really really wouldn't recommend it as it could cause major issues.

0
 

Author Comment

by:IATexpert
ID: 24028513
KCTS: I appreciate your enthusiasm, but I'm looking @ several existing accounts where I have manually changed their primary group to something else, and have successfully removed them from the Domain users group. At least it's not listed in their group membership.
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 250 total points
ID: 24086833
So was your question answered OK then?
0
 

Author Closing Comment

by:IATexpert
ID: 31564780
We figured it out
0
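
Added example, not posted by anyone in this thread: one way to script the sequence the asker describes (create a group, make it primary, then remove Domain Users) and audit the result. It assumes the ActiveDirectory PowerShell module is available; the group name DealerPackWebUsers is hypothetical, and the DNs are the ones quoted in the question.

```powershell
Import-Module ActiveDirectory

$ou          = 'OU=DealerPack Customers,OU=Trading Partners,OU=HNIC Users,OU=rmbu,DC=ofcwic,DC=com'
$domainUsers = 'CN=Domain Users,CN=Users,DC=ofcwic,DC=com'
$newGroup    = 'DealerPackWebUsers'   # hypothetical group name

# 1. Create the replacement group if it does not exist yet.
#    A primary group must be a global or universal security group.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$newGroup'")) {
    New-ADGroup -Name $newGroup -SamAccountName $newGroup `
        -GroupScope Global -GroupCategory Security -Path $ou
}
$group = Get-ADGroup -Identity $newGroup

# primaryGroupID holds the group's RID, the last component of its SID.
$rid = [int]($group.SID.Value.Split('-')[-1])

$users = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * `
    -Properties primaryGroupID, memberOf

foreach ($u in $users) {
    $changed = $false
    if ($u.primaryGroupID -ne $rid) {
        # 2. The user must already be a member before the group can be primary.
        if ($u.MemberOf -notcontains $group.DistinguishedName) {
            Add-ADGroupMember -Identity $group -Members $u
        }
        # 3. Switch the primary group; Domain Users then becomes an
        #    ordinary membership that can be removed.
        Set-ADUser -Identity $u -Replace @{ primaryGroupID = $rid }
        $changed = $true
    }
    # 4. Remove the Domain Users membership if it is (now) an explicit one.
    if ($changed -or ($u.MemberOf -contains $domainUsers)) {
        Remove-ADGroupMember -Identity $domainUsers -Members $u -Confirm:$false
    }
}

# 5. Audit: list accounts in the OU that are still tied to Domain Users.
#    The primary group is not listed in memberOf, so check both attributes
#    (513 is the well-known RID of Domain Users).
Get-ADUser -SearchBase $ou -Filter * -Properties primaryGroupID, memberOf |
    Where-Object { $_.primaryGroupID -eq 513 -or $_.MemberOf -contains $domainUsers } |
    Select-Object SamAccountName, primaryGroupID
```

An empty result from step 5 means no account in the OU still has Domain Users as a primary or explicit group. Adding -WhatIf to the Add-ADGroupMember, Set-ADUser and Remove-ADGroupMember calls gives a dry run first.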


Question has a verified solution.
