Remove users from Domain Users group

We have a body of users that we'd like to remove from the "Domain Users" group. Using the script below, I get this result:

The user cannot be removed from a group because the group is currently the user's primary group.

I was thinking about creating a group and adding all the users under the "DealerPack Customers" OU to that group and, somehow, making it primary. Then go back and run this script against those users to delete them out of Domain Users. Is this scenario possible?

Thanks!
dsquery user "OU=DealerPack Customers,OU=Trading Partners,OU=HNIC Users,OU=rmbu,DC=ofcwic,DC=com" -samid * -limit 0 | dsmod group "CN=Domain Users,CN=Users,DC=ofcwic,DC=com" -rmmbr

IATexpert Asked:
bluntTony Commented:
So was your question answered OK then?
0
 
KCTS Commented:
You cannot remove users from Domain Users - it's a system group that all users must belong to.
0
 
IATexpert (Author) Commented:
As long as I set another group as primary, yes I can. I just need to be able to script it for about 800 users.
0
 
bluntTony Commented:
If you really really want to :) - use dsget to get the members of the group, pipe to dsmod to remove them from it:
dsget group "DN of group" -members | dsmod group "DN of group" -rmmbr
While it is physically possible to remove the users from this group, I wouldn't recommend it. Domain users get their 'user' status on local machines through their membership to Domain Users (same as how domain admins get local admin access through membership of the local Administrators group).
You would have to ensure that your new group is a member of the 'Users' group on all local machines - GPO I think. Not that I've done this before. There may be other knock-on effects as well.
0
 
KCTS Commented:
You CAN'T REMOVE USERS FROM DOMAIN USERS even if it's not their primary group; it's a system group with automatic access - all users are members of Domain Users and there is nothing you can do about this.
0
 
IATexpert (Author) Commented:
These are external users and are used for web site authentication, and are not actual users of any of our other network resources. It was decided that they should not be members of "Domain Users".
0
 
bluntTony Commented:
Sorry, KCTS, have to respectfully disagree - you can physically remove from Domain Users as long as you set another group as primary. It's not a built-in principal like Authenticated Users is.
That said - I really really wouldn't recommend it as it could cause major issues.

0
 
IATexpert (Author) Commented:
KCTS: I appreciate your enthusiasm, but I'm looking @ several existing accounts where I have manually changed their primary group to something else, and have successfully removed them from the Domain users group. At least it's not listed in their group membership.
0
 
IATexpert (Author) Commented:
We figured it out.
0
Question has a verified solution.
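
The sequence discussed in this thread (add each user in the OU to a new group, make that group primary, then remove the user from Domain Users), as an added PowerShell example that is not from any participant. It assumes the ActiveDirectory module and a group that already exists; the group name `DealerPack Web Users` is a hypothetical placeholder.

```powershell
# Added example. The OU and "Domain Users" come from the question above;
# the group name "DealerPack Web Users" is a hypothetical placeholder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=DealerPack Customers,OU=Trading Partners,OU=HNIC Users,OU=rmbu,DC=ofcwic,DC=com',
    [string]$NewPrimaryGroup = 'DealerPack Web Users'
)

Import-Module ActiveDirectory

# A primary group must be a global or universal security group.
$group = Get-ADGroup -Identity $NewPrimaryGroup -Properties primaryGroupToken
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -eq 'DomainLocal') {
    throw "$NewPrimaryGroup must be a global or universal security group."
}
$domainUsers = Get-ADGroup -Identity 'Domain Users' -Properties primaryGroupToken

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties primaryGroupID, memberOf
foreach ($user in $users) {
    try {
        # 1. The user must already be a member of the group that becomes primary.
        if ($user.memberOf -notcontains $group.DistinguishedName -and
            $user.primaryGroupID -ne $group.primaryGroupToken) {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        }
        # 2. primaryGroupID holds the RID of the primary group (primaryGroupToken).
        if ($user.primaryGroupID -ne $group.primaryGroupToken) {
            Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken } -ErrorAction Stop
        }
        # 3. Domain Users is no longer primary, so the removal no longer fails.
        #    memberOf never lists the primary group, hence the two-part check.
        if ($user.primaryGroupID -eq $domainUsers.primaryGroupToken -or
            $user.memberOf -contains $domainUsers.DistinguishedName) {
            Remove-ADGroupMember -Identity $domainUsers -Members $user -Confirm:$false -ErrorAction Stop
        }
        [pscustomobject]@{ User = $user.SamAccountName; Result = 'OK' }
    }
    catch {
        # Report the failure for this account and continue with the next one.
        [pscustomobject]@{ User = $user.SamAccountName; Result = $_.Exception.Message }
    }
}
```

Saved as a script, it can be run with `-WhatIf` first to list the changes without making them.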
