
Testing group membership

Hi guys, hope you are all well and can assist.

We want to work on a process of testing group membership scenarios.

Basically, we want to do the following:

1) User Bob is a member of 15 groups > Export all groups to a text file called exportedgroups.txt

2) Remove all groups from User Bob's account, except for domain users.

3) Do testing with User Bob's account.

4) After testing, re-add all groups that were removed by step 2) above, back to user Bob's account.

Status:

Step 1) is done via:

dsquery user -name <username> -d <domainname> | dsget user -memberof > exportedgroups.txt

Format of exportedgroups.txt is as follows:

"CN=d_AN_Users,OU=domain Groups,DC=ori,DC=domain,DC=net"
"CN=w_ho_cor_hr_services_c,OU=Groups,OU=AN,OU=Migrated Objects,DC=ori,DC=domain,DC=net"
"CN=w_ho_cor_payr_proj_c,OU=Groups,OU=AN,OU=Migrated Objects,DC=ori,DC=domain,DC=net"

Step 2) is not done:
We need a way to remove all groups from his account EXCEPT for domain users.

Step 3) does not need to be done (we will do this).

Step 4) is not done.

Any help on this greatly appreciated.
0
Asked by: Simon336697
1 Solution
 
Krzysztof Pytko (Active Directory Engineer) commented:
I would also use DS Tools as you did it and

AD1)
dsquery user -name "Bob" | dsget user -memberof c:\exportedgroups.txt

Now, remove "Domain Users" group from that text file

AD2)
for /f %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -rmmbr

Bob will be removed from all of those groups, except Domain Users (because you deleted it from text file)

AD3)
as you mentioned :]

AD4)
for /f %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -addmbr

And re-add Bob into groups from text file :)

If you need more assistance, just let me know

Regards,
Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Sorry, forgot about ">" in this syntax, should be

dsquery user -name "Bob" | dsget user -memberof >c:\exportedgroups.txt

Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
OK, if your groups or OUs have space in names, you need to modify AD2 and AD4

First, in text file add at the end of each line ";" (semicolon)

and use this syntax

AD2)
for /f "tokens=1 delims=;" %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -rmmbr

AD4)
for /f "tokens=1 delims=;" %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -addmbr

Krzysztof
0
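The four steps from this thread can also be scripted with a check that the restore really returned the account to its exported state. This is an added example, not code from either poster; it assumes the RSAT ActiveDirectory PowerShell module, and the account name, file path and function names are placeholders chosen here.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$User     = 'bob'                          # placeholder sAMAccountName
$Baseline = 'C:\temp\exportedgroups.txt'   # placeholder path, one group DN per line

function Get-DirectGroups {
    # memberOf lists direct memberships; the primary group is not stored in it.
    @((Get-ADUser -Identity $User -Properties MemberOf).MemberOf) |
        Where-Object { $_ -and $_ -notlike 'CN=Domain Users,*' }
}

function Export-Baseline {
    # Refuse to overwrite: a second export taken after removal would erase the record.
    if (Test-Path $Baseline) { throw "Baseline $Baseline already exists" }
    Get-DirectGroups | Sort-Object | Set-Content -Path $Baseline -Encoding UTF8
}

function Remove-BaselineGroups {
    foreach ($dn in Get-Content $Baseline) {
        Remove-ADGroupMember -Identity $dn -Members $User -Confirm:$false
    }
}

function Restore-BaselineGroups {
    $have = @(Get-DirectGroups)
    foreach ($dn in Get-Content $Baseline) {
        # Skip groups the account is already in, so a re-run does not error out.
        if ($dn -notin $have) { Add-ADGroupMember -Identity $dn -Members $User }
    }
}

function Test-BaselineRestored {
    $want = @(Get-Content $Baseline)
    $have = @(Get-DirectGroups)
    $missing = @($want | Where-Object { $_ -notin $have })   # restore failed
    $extra   = @($have | Where-Object { $_ -notin $want })   # added during testing
    $missing | ForEach-Object { Write-Warning "Missing: $_" }
    $extra   | ForEach-Object { Write-Warning "Not in baseline: $_" }
    return ($missing.Count -eq 0 -and $extra.Count -eq 0)
}

# Order of use (the testing itself happens between the two lines):
#   Export-Baseline; Remove-BaselineGroups
#   Restore-BaselineGroups; Test-BaselineRestored
```

Keep the baseline file somewhere only administrators can write, since whatever it lists is what the account gets back.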
Simon336697 (Author) commented:
Thanks so much iSiek. I will test this now. Sorry about the delay.
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Hi,
you're welcome :) That's no problem. If you need further assistance, please let me know

Krzysztof
0
 
Simon336697 (Author) commented:
Thanks iSiek sorry about the delay getting back to you.
0
