
Command line Remove computer from AD Security Group

Justin Collins
What's a command line to remove a computer from an AD Security Group?  I'm looking to do this from a login script.

Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
A login script is very unlikely to work here... The login script is going to run as the user, and the user, unless a domain admin or someone specifically given rights to the computer groups, is not going to be able to do it.

And having done it... any computer groups wouldn't be relevant until after the computer is rebooted.

So a little unclear as to why / what you are after exactly?

Steve
Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
You should be able to use something like this if you do want to do it with suitable rights from cmd prompt:

dsmod group "groupname" -rmmbr "member name"

Justin Collins, IT Manager

Author

Commented:
I have attached part of my current login script.  It looks to see if the computer is part of a specific group (SpecialGroup) and if it is, run the commands.  I would like to add a command line in there to delete the computer from the group.  That way, it only gets run once and not every time it reboots or someone logs in.
net group "SpecialGroup" /domain|find /i "%computername%$"
if not errorlevel 1 (
	"\\server\Install\Test\setup.exe" -silent
	cacls "c:\Program Files\Install" /t /e /g "Users":f >nul
)


Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
You can... but, like I said, does the user have the rights in AD to do this?

Aside from using group policy to assign this to computers through GPO... I would suggest a better way would be to drop a file and check for that instead, i.e.

net group "SpecialGroup" /domain|find /i "%computername%$" && (
  if not exist "c:\program files\install\Installed.txt" (
    "\\server\Install\Test\setup.exe" -silent
    cacls "c:\Program Files\Install" /t /e /g "Users":f
    echo Installed %date% %time% by %username%> "c:\program files\install\Installed.txt"
  )
)
IT Manager
Commented:
Finally got it to work:

net group "SpecialGroup" /domain|find /i "%computername%$"
if not errorlevel 1 (
  "\\server\Install\Test\setup.exe" -silent
  cacls "c:\Program Files\Install" /t /e /g "Users":f >nul

  dsquery computer -name %computername% > tmpfile1
  set /p computer= < tmpfile1

  dsquery group -name specialgroup > tmpfile2
  set /p group= < tmpfile2

  dsmod group %group% -rmmbr %computer%

  del tmpfile1
  del tmpfile2
)
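The following batch file is an added example and not code from this thread; it combines the marker-file check suggested earlier with the dsquery/dsmod removal above. It assumes the same placeholder group name and install paths the thread uses. Two details differ from the script above: the distinguished names are captured with `for /f` instead of temp files written to the current directory (which another account could pre-create or tamper with), and the exit code of `dsmod` is checked, so an "access denied" for a user without rights on the group is reported rather than silently ignored. The marker file is written before the AD change, so a log-off and log-on before replication completes does not rerun the install.

```batch
@echo off
setlocal

REM Constructed values for this example: group name and paths are placeholders.
set "GROUP=SpecialGroup"
set "MARKER=%ProgramFiles%\Install\Installed.txt"

REM Already installed on this machine: nothing to do.
if exist "%MARKER%" goto :eof

REM net group lists member sAMAccountNames, so a computer appears as COMPUTERNAME$.
net group "%GROUP%" /domain | find /i "%COMPUTERNAME%$" >nul
if errorlevel 1 goto :eof

"\\server\Install\Test\setup.exe" -silent
cacls "%ProgramFiles%\Install" /t /e /g "Users":f >nul

REM Write the marker first so the install is not repeated before the group change replicates.
> "%MARKER%" echo Installed %date% %time% by %username%

REM Capture the quoted distinguished names directly; dsquery prints one DN per line.
set "COMPUTERDN="
for /f "usebackq delims=" %%D in (`dsquery computer -name "%COMPUTERNAME%"`) do set "COMPUTERDN=%%D"
set "GROUPDN="
for /f "usebackq delims=" %%D in (`dsquery group -name "%GROUP%"`) do set "GROUPDN=%%D"

if not defined COMPUTERDN (echo dsquery returned no computer object for %COMPUTERNAME% & goto :eof)
if not defined GROUPDN (echo dsquery returned no group object for %GROUP% & goto :eof)

REM dsmod returns a non-zero exit code when the caller lacks write rights on the group's member attribute.
dsmod group %GROUPDN% -rmmbr %COMPUTERDN% >nul 2>&1
if errorlevel 1 (
  echo Could not remove %COMPUTERNAME% from %GROUP%: insufficient rights or AD error ^(code %errorlevel%^)
) else (
  echo Removed %COMPUTERNAME% from %GROUP%
)

endlocal
```

Because the marker file is checked first, the `dsmod` failure path only costs an error line in the user's logon; the install itself still runs exactly once per machine, which is the part the thread's author actually needs from the login script.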
Justin Collins, IT Manager

Author

Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for puter_geek's comment #37723002

for the following reason:

Queries the group and computername for the full name needed and the puts it into the dsmod command to remove it from the group.
Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
Well I still think it is an odd way of doing it. The user will need full Domain Admin rights or specific rights to the relevant computer and group objects.

Also, if the user logs off and back on before rebooting, it is quite likely it will run again unless the change happens to have taken effect - is this one domain controller or dozens?

I did suggest basic syntax for dsmod in http:#37083998 and got no feedback.

But if that is the way you want to go, so be it...

It is customary though to give feedback in less than 4 months and then we could have followed it through...


Steve
Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
"thanks"