On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.
Course Of The Month
7 days, 21 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
remove specific users from specific groups
Posted on 2013-01-02
Hey all,
I have a task to remove specific users from specific groups from a list.
the script needs to use sAMAccountName's of the users and groups from a list formatted as follows:
groupname1;username1
groupname2;username2
i have a script that adds the users to the groups, but now i need to reverse it. As a noob to scripting, any help would be appreciated. Thanks all.
I have a task to remove specific users from specific groups from a list.
the script needs to use sAMAccountName's of the users and groups from a list formatted as follows:
groupname1;username1
groupname2;username2
i have a script that adds the users to the groups, but now i need to reverse it. As a noob to scripting, any help would be appreciated. Thanks all.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
9
9-
7
25 Comments
Sure thing,
Here is what i have for adding users:
ON ERROR RESUME NEXT
Dim DisplayEcho
Const ADS_PROPERTY_APPEND = 3
'-------------------------
' User Variables
'-------------------------
'OU where groups are located
strOU="ou=temp,ou=test,dc=
'text file groups & users
'line format: Group Name;User Name1;User Name2;
strTextFilename="C:\Groups
strLogFileName="C:\results
'True to display echos, false to hide
DisplayEcho = True
'-------------------------
Set WshShell=CreateObject("Wsc
Set fso=CreateObject("Scriptin
If DisplayEcho=True then
'Force CSCRIPT
If instr(lcase(wscript.fullna
wshshell.run "cmd /k cscript //nologo " & chr(34) & wscript.scriptfullname & Chr(34),1,false
wscript.quit
End If
End If
Set oLogFile=fso.OpenTextFile(
Set oFile=fso.OpenTextFile(str
text=oFile.ReadAll
oFile.close
arrText=split(text,vbCrLf)
For each line in arrText
arrLine=split(line,";")
strGroup=arrLine(0)
err.Clear
strGroupPath=GetADsPath(st
If strGroupPath = "" then
Output "ERROR: Could not find group: " & strGroup
err.clear
Else
Set objGroup = GetObject(strGroupPath)
For i = 1 to ubound(arrLine)
strUser=arrLine(i)
strADsPath_user=GetADsPath
Set objUser=GetObject(strADsPa
strUserDN=objUser.Distingu
If strUserDN="" then
Output strGroup & "... Could not find user: " & strUser
Else
objGroup.PutEx ADS_PROPERTY_APPEND, _
"member", Array(strUserDN)
objGroup.SetInfo
If err.number <> 0 then
If err.number="-2147019886" then
Output strGroup & " <-- " & strUser & " (Already a member)"
Else
Output "ERROR adding " & strUser & " to " & strGroup & vbCrLf & _
vbTab & err.number & " " & err.description
End If
err.clear
Else
'show successful additions
Output strGroup & " <-- " & strUser
End If
End If
strUser=""
strUserDN=""
strADsPath_user=""
Set objUser=Nothing
Next
End If
Set objGroup=Nothing
arrLine=""
strGroup=""
Next
oLogFile.close
Output ""
Output "Operation complete. See Log: " & strLogFileName
Sub Output(txt)
If DisplayEcho=True then wscript.echo txt
oLogFile.writeLine txt
End Sub
Function GetADsPath(myName,myType)
Const ADS_SCOPE_SUBTREE = 2
strADsPath=""
Set objRootDSE = GetObject("LDAP://rootDSE"
strRootDSE = objRootDSE.Get("defaultNam
Set objConnection = CreateObject("ADODB.Connec
Set objCommand = CreateObject("ADODB.Comman
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnectio
objCommand.Properties("Pag
objCommand.Properties("Sea
objCommand.CommandText = _
"SELECT ADsPath FROM 'LDAP://" & strRootDSE & "' WHERE objectCategory='" & myType & "' " & _
"AND Name ='" & myName & "' "
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
strADsPath = ""
strADsPath= objRecordSet.Fields("ADsPa
GetADsPath=strADsPath
Set objConnection=Nothing
Set objCommand=Nothing
Set objRecordSet=Nothing
End Function
Here is what i have for adding users:
ON ERROR RESUME NEXT
Dim DisplayEcho
Const ADS_PROPERTY_APPEND = 3
'-------------------------
' User Variables
'-------------------------
'OU where groups are located
strOU="ou=temp,ou=test,dc=
'text file groups & users
'line format: Group Name;User Name1;User Name2;
strTextFilename="C:\Groups
strLogFileName="C:\results
'True to display echos, false to hide
DisplayEcho = True
'-------------------------
Set WshShell=CreateObject("Wsc
Set fso=CreateObject("Scriptin
If DisplayEcho=True then
'Force CSCRIPT
If instr(lcase(wscript.fullna
wshshell.run "cmd /k cscript //nologo " & chr(34) & wscript.scriptfullname & Chr(34),1,false
wscript.quit
End If
End If
Set oLogFile=fso.OpenTextFile(
Set oFile=fso.OpenTextFile(str
text=oFile.ReadAll
oFile.close
arrText=split(text,vbCrLf)
For each line in arrText
arrLine=split(line,";")
strGroup=arrLine(0)
err.Clear
strGroupPath=GetADsPath(st
If strGroupPath = "" then
Output "ERROR: Could not find group: " & strGroup
err.clear
Else
Set objGroup = GetObject(strGroupPath)
For i = 1 to ubound(arrLine)
strUser=arrLine(i)
strADsPath_user=GetADsPath
Set objUser=GetObject(strADsPa
strUserDN=objUser.Distingu
If strUserDN="" then
Output strGroup & "... Could not find user: " & strUser
Else
objGroup.PutEx ADS_PROPERTY_APPEND, _
"member", Array(strUserDN)
objGroup.SetInfo
If err.number <> 0 then
If err.number="-2147019886" then
Output strGroup & " <-- " & strUser & " (Already a member)"
Else
Output "ERROR adding " & strUser & " to " & strGroup & vbCrLf & _
vbTab & err.number & " " & err.description
End If
err.clear
Else
'show successful additions
Output strGroup & " <-- " & strUser
End If
End If
strUser=""
strUserDN=""
strADsPath_user=""
Set objUser=Nothing
Next
End If
Set objGroup=Nothing
arrLine=""
strGroup=""
Next
oLogFile.close
Output ""
Output "Operation complete. See Log: " & strLogFileName
Sub Output(txt)
If DisplayEcho=True then wscript.echo txt
oLogFile.writeLine txt
End Sub
Function GetADsPath(myName,myType)
Const ADS_SCOPE_SUBTREE = 2
strADsPath=""
Set objRootDSE = GetObject("LDAP://rootDSE"
strRootDSE = objRootDSE.Get("defaultNam
Set objConnection = CreateObject("ADODB.Connec
Set objCommand = CreateObject("ADODB.Comman
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnectio
objCommand.Properties("Pag
objCommand.Properties("Sea
objCommand.CommandText = _
"SELECT ADsPath FROM 'LDAP://" & strRootDSE & "' WHERE objectCategory='" & myType & "' " & _
"AND Name ='" & myName & "' "
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
strADsPath = ""
strADsPath= objRecordSet.Fields("ADsPa
GetADsPath=strADsPath
Set objConnection=Nothing
Set objCommand=Nothing
Set objRecordSet=Nothing
End Function
Active today
Try this since you have a working Add User script.
Add Const ADS_PROPERTY_DELETE = 4
then replace ADS_PROPERTY_APPEND
I recommend trying this against a test group for confirmation.
Where did you get this script from. Is seems pretty complex for a noob?
Add Const ADS_PROPERTY_DELETE = 4
then replace ADS_PROPERTY_APPEND
I recommend trying this against a test group for confirmation.
Where did you get this script from. Is seems pretty complex for a noob?
Active today
In case you are interested in PowerShell, you can try this script..
#<Sample CSV format
Group,Member
groupname1;username1
groupname2;username2
#>
Import-module activedirectory
Import-Csv c:\test.csv | %{
Remove-ADGroupMember -Identity $_.Group -Members $_.Member -Confirm:$false}
Active today
@Subsun
The PS Import-CSV needs the -Delimiter ";" switch to address his ; format. If that is not there it will not work. I put together a post last night, but must not have pushed submit.
The script was identical to yours accept for the -delimiter switch.
The PS Import-CSV needs the -Delimiter ";" switch to address his ; format. If that is not there it will not work. I put together a post last night, but must not have pushed submit.
The script was identical to yours accept for the -delimiter switch.
Active today
Thanks for pointing out.. I just copy pasted the group name and user name from the user post but forgot change the semicolon to comma.. If you use coma the you don’t require the parameter -Delimiter with import-csv..
Correct CSV format
Correct CSV format
Group,Member
groupname1,username1
groupname2,username2
Active today
I have tested with my PS Script and it worked having th delimter ;
#<Sample CSV format
Group;Member
groupname1;username1
groupname2;username2
#>
import-module activedirectory
$csv = import-csv "FileName.txt" -Delimiter ';'
ForEach ($line in $csv)
{
remove-adgroupmember -Identity $line.Group -member $line.User -Confirm:$false
}
Active today
Spot the difference my friend.. :-)
My script input Group,Member (This will not work with -Delimiter ';', and that's why I posted Correct CSV format)
You modified the script input Group;Member (This will work with -Delimiter ';')
That's what I said in my previous comment "BTB -Delimiter ";" will not work for the sample file mentioned in my post because the header is separated with comma.. "
My script input Group,Member (This will not work with -Delimiter ';', and that's why I posted Correct CSV format)
You modified the script input Group;Member (This will work with -Delimiter ';')
That's what I said in my previous comment "BTB -Delimiter ";" will not work for the sample file mentioned in my post because the header is separated with comma.. "
Thank you both for the work on this, PS is a much more "elegant" solution over VB. Yo_bee, the script was put together by myself, with a lot of help from a former college who has since left my organization. I may go back and change the "add user VB script" to PS.
Can that be done by changing:
Remove-ADGroupMember -Identity $_.Group -Members $_.Member -Confirm:$false}
to:
Add-ADGroupMember -Identity $_.Group -Members $_.Member -Confirm:$false}, looks like that works.
The .csv format may present a problem, as the file is generated by an application as i had posted. I hope not a huge problem for the Apps' guys, but it may make it easier if both the "Add" and "Remove" .csv's are formatted the same way.
Can i include: $results | export-csv C:\results.txt to export the results to a file?
Can that be done by changing:
Remove-ADGroupMember -Identity $_.Group -Members $_.Member -Confirm:$false}
to:
Add-ADGroupMember -Identity $_.Group -Members $_.Member -Confirm:$false}, looks like that works.
The .csv format may present a problem, as the file is generated by an application as i had posted. I hope not a huge problem for the Apps' guys, but it may make it easier if both the "Add" and "Remove" .csv's are formatted the same way.
Can i include: $results | export-csv C:\results.txt to export the results to a file?
Active today
just Add-ADGroupMember -Identity $_.Group -Members $_.Member will work. no need of -Confirm.
You can modify the script based on csv format however if you have a input file as mentioned above, then things will be much easy..
What result you want to export?
You can modify the script based on csv format however if you have a input file as mentioned above, then things will be much easy..
What result you want to export?
Thanks Subsun,
I am hopeful that i can have the input file modified, easy is good :)
As to the results, i would like a file that shows the account that were added and/or removed. Not crucial, but would be helpful for the Apps Guys.
Thanks
I am hopeful that i can have the input file modified, easy is good :)
As to the results, i would like a file that shows the account that were added and/or removed. Not crucial, but would be helpful for the Apps Guys.
Thanks
Active today
I may go back and change the "add user VB script" to PS.Now we are talking about adding.. adding will not prompt..
Active today
@MD
That is what it used to be like, but as you can see PS has many one liners Verb Noun processes that make it easier on everyone.
That is what it used to be like, but as you can see PS has many one liners Verb Noun processes that make it easier on everyone.
Active today
For reporting you can use Try Catch method in PowerShell, do you want to generate a log file or just want to display it in screen?
Active today
Try this..
<#Sample CSV format
Group,Member
groupname1,username1
groupname2,username2
#>
$logfile = "scriptlog.txt"
Import-module activedirectory
Import-Csv c:\test.csv | %{
Try
{Remove-ADGroupMember -Identity $_.Group -Members $_.Member -Confirm:$false
Add-Content -path $logfile -value "Successfully removed $($_.Member) from $($_.Group)"}
Catch
{Add-Content -path $logfile -value "Failed to remove $($_.Member) from $($_.Group)"}
}
Active today
After $logfile = "scriptlog.txt"
Add following line, this line will remove the old log file if it exist..
If (Test-Path $logfile) {Remove-Item $logfile}
Add following line, this line will remove the old log file if it exist..
If (Test-Path $logfile) {Remove-Item $logfile}
Thank you all for the help, errr, doing this for me. I have learned quite a bit and it has helped in understanding why the solutions you both presented work. At the very least, yet another nail in the VB coffin for me.
Again, thank you for the expertise in resolving my issue, Happy New Years!
Again, thank you for the expertise in resolving my issue, Happy New Years!
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
- Powershell
- Windows 10
- Windows Server 2016
- Veeam
- Hyper-V
- Windows, Azure, *Nano Server
My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses
Course of the Month7 days, 21 hours left to enroll
729 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.