Testing group membership

Posted on 2011-09-27
Last Modified: 2014-04-25
Hi guys, hope you are all well and can assist.

We want to work on a process of testing group membership scenarios.

Basically, we want to do the following:

1) User Bob is a member of 15 groups > Export all groups to a text file called exportedgroups.txt

2) Remove all groups from User Bob's account, except for domain users.

3) Do testing with User Bob's account.

4) After testing, re-add all groups that were removed by step 2) above, back to user Bob's account.


Step 1) is done via:

dsquery user -name <username> -d <domainname> | dsget user -memberof > exportedgroups.txt

Format of exportedgroups.txt is as follows:

"CN=d_AN_Users,OU=domain Groups,DC=ori,DC=domain,DC=net"
"CN=w_ho_cor_hr_services_c,OU=Groups,OU=AN,OU=Migrated Objects,DC=ori,DC=domain,DC=net"
"CN=w_ho_cor_payr_proj_c,OU=Groups,OU=AN,OU=Migrated Objects,DC=ori,DC=domain,DC=net"

Step 2) is not done:
We need a way to remove all groups from his account EXCEPT for domain users.

Step 3) does not need to be done (we will do this).

Step 4) is not done.

Any help on this greatly appreciated.
Question by:Simon336697

Expert Comment

by:Krzysztof Pytko
ID: 36715084
I would also use DS Tools as you did it and

dsquery user -name "Bob" | dsget user -memberof c:\exportedgroups.txt

Now, remove "Domain Users" group from that text file

for /f %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -rmmbr

Bob will be removed from all of those groups, except Domain Users (because you deleted it from the text file)

as you mentioned :]

for /f %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -addmbr

And re-add Bob into groups from text file :)

If you need more assistance, just let me know

Expert Comment

by:Krzysztof Pytko
ID: 36715087
Sorry, I forgot about ">" in this syntax; it should be

dsquery user -name "Bob" | dsget user -memberof >c:\exportedgroups.txt


Expert Comment

by:Krzysztof Pytko
ID: 36715122
OK, if your groups or OUs have spaces in their names, you need to modify AD2 and AD4

First, in the text file, add ";" (semicolon) at the end of each line

and use this syntax

for /f "tokens=1 delims=;" %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -rmmbr

for /f "tokens=1 delims=;" %i in (c:\exportedgroups.txt) do dsquery user -name "Bob" | dsmod group %i -addmbr


Author Comment

ID: 36946264
Thanks so much iSiek. I will test this now. Sorry about the delay.

Accepted Solution

Krzysztof Pytko earned 500 total points
ID: 36947142
You're welcome :) That's no problem. If you need further assistance, please let me know.


Author Comment

ID: 37034803
Thanks iSiek, sorry about the delay getting back to you.
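
The same remove / test / re-add cycle written for the ActiveDirectory PowerShell module, as an added example that is not part of the original thread. It reads each quoted DN from exportedgroups.txt whole, so group or OU names with spaces need no semicolon edit, and it finishes by checking that the restored membership matches the export. The account name `bob`, the file path and the function names are assumptions.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and an account
# allowed to change group membership. $User and $ExportFile are placeholders.
Import-Module ActiveDirectory

$User       = 'bob'                      # assumed sAMAccountName of the test user
$ExportFile = 'C:\exportedgroups.txt'    # output of the dsquery | dsget step

# Read the export: one quoted DN per line. Strip the quotes, skip blank
# lines, and leave Domain Users out so the account never loses it.
function Get-SavedGroupDn {
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and $_ -notlike 'CN=Domain Users,*' }
}

# Step 2: remove the user from every saved group.
function Remove-SavedGroups {
    param([string]$Path, [string]$Member)
    foreach ($dn in Get-SavedGroupDn -Path $Path) {
        Remove-ADGroupMember -Identity $dn -Members $Member -Confirm:$false
    }
}

# Step 4: add the user back to every saved group.
function Restore-SavedGroups {
    param([string]$Path, [string]$Member)
    foreach ($dn in Get-SavedGroupDn -Path $Path) {
        Add-ADGroupMember -Identity $dn -Members $Member
    }
}

# After step 4: list groups that are in the export but missing from the
# account ('<=') or on the account but not in the export ('=>').
# An empty result means the account is back to its exported state.
function Compare-SavedGroups {
    param([string]$Path, [string]$Member)
    $saved   = @(Get-SavedGroupDn -Path $Path)
    $current = @((Get-ADUser -Identity $Member -Properties MemberOf).MemberOf)
    Compare-Object -ReferenceObject $saved -DifferenceObject $current
}

Remove-SavedGroups -Path $ExportFile -Member $User            # step 2
Read-Host 'Groups removed. Run the tests (step 3), then press Enter to restore'
Restore-SavedGroups -Path $ExportFile -Member $User           # step 4
Compare-SavedGroups -Path $ExportFile -Member $User
```

Keep exportedgroups.txt unchanged between the removal and the restore, since it is the only record of what the account held before testing.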
