Solved

How to remove group membership automatically?

Posted on 2009-07-07
Last Modified: 2012-05-07
Hello,

After disabling certain user accounts, I placed them in an OU called "Decommissioned". I need to run a script whose main function is to remove any group (security or dist.) that these accounts are members of. I need the script to run against a specific OU.

Appreciate your fast response in this.

Thanks

Yassein
Question by:amyassein
6 Comments
 
LVL 6

Expert Comment

by:Krisdeep
ID: 24793400
This site might help and add this maybe to a schedule task maybe once a day or add a timer in the vbs script.

http://www.phwinfo.com/forum/ms-win-server-scripting/355024-script-ad-remove-all-members-groups-ou.html
 
LVL 1

Author Comment

by:amyassein
ID: 24795831
Kris,

Thank you .... However, this forum discusses a script that removes members from a group that are in a specific OU. For example, users in the Marketing OU to be removed from the Marketing group.

What I ask for is the complete opposite: my requirement is a script to remove the groups from the user accounts that reside in an OU named Decommissioned, where each account in this OU is a member of different groups.

The goal from the beginning is that after disabling these user accounts, I also want to remove them from any groups since they are disabled. So I place them in a Decommissioned OU and then remove their groups as well.

Can I do that using a script?

Thanks

 
LVL 6

Accepted Solution

by:
Krisdeep earned 250 total points
ID: 24812927
Credit to Richard Mueller [MVP]
I have tested this; can you confirm if it works for you? It removes all the groups except the default Domain Users group.

Option Explicit

Dim objOU, objUser, arrGroups, strGroup, objGroup
Dim objGroupList

' Bind to OU object.
Set objOU = GetObject("LDAP://ou=Test,dc=Cisco,dc=com")

' Filter on objects of class user.
objOU.Filter = Array("user")

' Create dictionary object of group objects.
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare

' Enumerate users in OU.
For Each objUser In objOU
    ' Enumerate direct group memberships.
    ' Trap error if there are no groups.
    ' Primary group is not included.
    On Error Resume Next
    arrGroups = objUser.GetEx("memberOf")
    If (Err.Number = 0) Then
        On Error GoTo 0
        For Each strGroup In arrGroups
            ' Check if group already bound.
            If (objGroupList.Exists(strGroup) = False) Then
                ' Add group object to the dictionary object.
                Set objGroupList(strGroup) = GetObject("LDAP://" & strGroup)
            End If
            ' Remove user from the group.
            objGroupList(strGroup).Remove(objUser.AdsPath)
        Next
    End If
    On Error GoTo 0
Next
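A PowerShell equivalent of the accepted VBScript, added here as an example and not posted by anyone in the thread. It does the same job (strip every direct group membership from the users in one OU, leaving the primary group alone because memberOf never lists it) but only touches accounts that are actually disabled, and writes a CSV record of every removal so the memberships can be reviewed or restored later. It assumes the RSAT ActiveDirectory module; the OU distinguished name and log path are placeholders.

```powershell
# Added example (not from the thread): PowerShell version of the accepted VBScript,
# limited to *disabled* accounts in the OU and recording every membership removed.
# Requires the RSAT ActiveDirectory module; OU DN and log path are placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Decommissioned,DC=example,DC=com'   # placeholder: your Decommissioned OU
$logPath = 'C:\Logs\decommissioned-groups.csv'      # placeholder: audit record of removals

# Direct children of the OU only (OneLevel). memberOf does not include the primary group,
# so Domain Users (whatever primaryGroupID points at) is left intact, as in the VBScript.
$users = Get-ADUser -Filter * -SearchBase $ou -SearchScope OneLevel -Properties memberOf, Enabled

$removed = foreach ($user in $users) {
    if ($user.Enabled) {
        # Safety check: an enabled account moved here by mistake is skipped rather than
        # stripped of its groups, so the script cannot cause an outage for a live user.
        Write-Warning "Skipping $($user.SamAccountName): account is still enabled"
        continue
    }
    foreach ($groupDn in $user.memberOf) {
        $entry = [ordered]@{
            When           = (Get-Date).ToString('s')
            SamAccountName = $user.SamAccountName
            Group          = $groupDn
            Result         = 'Removed'
        }
        try {
            # -Identity accepts the group's distinguished name straight from memberOf.
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        } catch {
            $entry.Result = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]$entry
    }
}

# Keep the record: it shows which groups a decommissioned account held if it ever has to
# be reinstated, and it is the evidence an auditor will ask for.
if ($removed) {
    $removed | Export-Csv -Path $logPath -Append -NoTypeInformation
    $removed | Format-Table -AutoSize
}
```

Run it once with `-WhatIf` added to the Remove-ADGroupMember line to see which memberships would go before letting it make changes, and schedule it with an account that has write access to the groups but nothing more.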
 
LVL 6

Expert Comment

by:Krisdeep
ID: 24812954
The only setting that you have to change above is
' Bind to OU object.
Set objOU = GetObject("LDAP://ou=Test,dc=Cisco,dc=com")

If you're not sure, let me know.
 
LVL 1

Author Comment

by:amyassein
ID: 24823128
Kris,

Thank you so much for the valuable information. Let me test your script and I will update you.

By the way, in the "Bind to OU Object", shall I have to put my "Decommissioned" OU?

Thanks
 
LVL 6

Expert Comment

by:Krisdeep
ID: 24828447
"By the way, in the "Bind to OU Object", shall I have to put my "Decommissioned" OU?"

Yes, that will be the location of your Decommissioned OU.