Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

remove a user object from all groups they are a member of except Domain Users

Status
Not open for further replies.
DougInCanada

DougInCanada

Technical User
Feb 1, 2004
98
CA
Hello,

I am trying to purge a user object membership from any groups of which they are a member except Domain Users.

I have the Distinguished Name from an LDAP query that I already executed to disable the account, but I'm stuck on how to go about cycling through the MemberOf property and removing the specific user object from both security and distribution groups with the exception of Domain Users.

Any help on this would be greatly appreciated.

Cheers!
 
Sort by date Sort by votes
Check out
This is what I conjured up. It is mostly untested

Code: 
Const ADS_PROPERTY_DELETE = 4

strUserLDAP = "LDAP://cn=John Doe,ou=,ou=user,dc=nmh,dc=nmrhs,dc=net"
set objUser = GetObject(strUserLDAP)

arrGroups = objUser.GetEx("memberOf")
for each strGroupLDAP in arrGroups
	set objGroup = GetObject("LDAP://" & strGroupLDAP)
	strGroupName = replace(objGroup.Name, "CN=", "")
	if (strGroupName <> "Domain Users") then
		objGroup.PutEx ADS_PROPERTY_DELETE, "member", array(strUserLDAP)
		objGroup.SetInfo
	end if
next

-Geates

"I do not offer answers, only considerations."
- Geates's Disclaimer

 
Upvote 0 Downvote
Thanks, Geates.

Unfortunately, it spits an error message when trying to setinfo:

"The server is unwilling to process the request"

error code: 80072035.

I also tried splitting the process in 2 parts, the first part removing the user object from all AD security groups and the 2nd part to re-add the user object to Domain Users.

The code for the first part was:

Code: 
Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject (strLDAP) 
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "This account is not a member of any security groups."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group) 
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array(strLDAP)
    objGroup.SetInfo
Next

It spat out the same error message on objGroup.SetInfo....

Any ideas?
 
Upvote 0 Downvote
I've seen where this error occurs on a SetInfo with the same error code and supposedly the problem is that I'm trying to enable or 'set' a user account. The problem is that the account must have a password and none is provided. The supposed solution is to add a set password instruction to the script. Even try a complex password.

Any ideas on how to accomplish this?

 
Upvote 0 Downvote
Beat it into submission! (no, don't actually do that).

I see in your code [tt]strLDAP[/tt] is undefined. It needs to equal the user's LDAP string.

Code: 
strLDAP = "CN=My Real Name,OU=in_what,OU=org_unit,OU=is_my_account,DC=[URL unfurl="true"]www,DC=myDomain,DC=com"[/URL]

-Geates

"I do not offer answers, only considerations."
- Geates's Disclaimer

 
Upvote 0 Downvote
It does and it is valid as I'm using the same LDAP string for some successful code that executes just ahead of this segment.
 
Upvote 0 Downvote
I also see that this error can be caused by attempting to delete the user's Primary Group (which in this case is Domain Users - that's why I wanted to make an exception for that group).
 
Upvote 0 Downvote
Geates,

I might have stumbled onto something. Apparently, the MemberOf attribute is a backlink attribute and therefore readonly.

[link]http://directory.toxz.net/topic/2/21/08-re-setinfo-causes-80072035[/url]

You can't modify memberOf because it is a backlink attribute and they are
calculated based on the attribute they link to.
In your case, you need to modify the member attribute of the groups in
question in order to change the value of an object's memberOf attribute.



Rather than removing the group from the MemberOf, is it possible to get the group name from MemberOf, then access the group to remove that user directly from the group object?
 
Upvote 0 Downvote
OK...

So this is where I am now:

I have the follwing code:

[strLDAP is already valid and defined in the code several lines above this segment]

Code: 
Set objUser = GetObject(strLDAP)
 
intPrimaryGroupID = objUser.Get("primaryGroupID")
arrMemberOf = objUser.GetEx("memberOf")
 
     For Each Group in arrMemberOf
		userPath = strLDAP
		groupPath = group
		set objGroup = getobject(""LDAP://" & groupPath)
	
		for each member in objGroup.members
		if lcase(member.adspath) = lcase(userPath) then
			objGroup.Remove(userPath)
		end if
		next
    Next

This manages to properly delete the user from all groups that appear in the Member Of tab, but leaves the primary group.

Thanks for your help Geates,

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

HuronBaloo
  • Locked
  • Question
Outlook Appointment object - yearly recurring (i.e. anniversary)
Replies
0
Views
116
HuronBaloo
HuronBaloo
Z3braa
  • Locked
  • Question
Remove specific computer name in Logon Workstation from from all users in AD, with VBScript
Replies
0
Views
123
Z3braa
Z3braa
Alexvb6
  • Question
Deprecation of VBScript + Classic ASP: How to Ask Microsoft to cancel their planned craziness
Replies
0
Views
75
Alexvb6
Alexvb6
stable-x
  • Locked
  • Question
How to set/define a variable from two variables?
Replies
3
Views
267
stable-x
stable-x
PiotrMP006
  • Locked
  • Question
How to quickly check if a file has 1 or more lines of text?
Replies
1
Views
168
combo
combo

Part and Inventory Search

Sponsor

Back
Top