Vista - Remove All Group Memberships for all User Accounts in an OU?

permalink · 09-16-2008

I've seen the examples with

LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com

but it's only one account, I have a whole OU full of accounts whose group
memberships I need to clear (Domain Users excepted of course). I know I
can't modify the user account I have to modify the group, because memberof
is backlinked, but is there a way to essentially loop through the actions of
the one account and its group memberships, then move to the next user
account and repeat?

Any help appreciated

permalink · 09-16-2008

<-> wrote in message news:uA53hwFGJHA.5064@xxxxxx

Quote:

> I've seen the examples with
>
> LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com
>
> but it's only one account, I have a whole OU full of accounts whose group
> memberships I need to clear (Domain Users excepted of course). I know I
> can't modify the user account I have to modify the group, because memberof
> is backlinked, but is there a way to essentially loop through the actions
> of the one account and its group memberships, then move to the next user
> account and repeat?
>
> Any help appreciated

You can enumerate all users in the OU, and for each user enumerate all
direct group memberships, which will not include the "primary" group (which
should be "Domain Users"). You can use the Remove method of each group
object to remove the user from the group. To save binding to each group
repeatedly for many users, I would track the groups in a dictionary object.
For example (not tested):
============
Option Explicit

Dim objOU, objUser, arrGroups, strGroup, objGroup
Dim objGroupList

' Bind to OU object.
Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com")

' Filter on objects of class user.
objOU.Filter = Array("user")

' Create dictionary object of group objects.
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare

' Enumerate users in OU.
For Each objUser In objOU
' Enumerate direct group memberships.
' Trap error if there are no groups.
' Primary group is not included.
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")
If (Err.Number = 0) Then
On Error GoTo 0
For Each strGroup In arrGroups
' Check if group already bound.
If (objGroupList.Exists(strGroup) = False) Then
' Add group object to the dictionary object.
Set objGroupList(strGroup) = GetObject("LDAP://" & strGroup)
End If
' Remove user from the group.
objGroupList(strGroup).Remove(objUser.AdsPath)
Next
End If
On Error GoTo 0
Next

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

09-16-2008	#1 (permalink)
n/a posts	Remove All Group Memberships for all User Accounts in an OU? I've seen the examples with LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com but it's only one account, I have a whole OU full of accounts whose group memberships I need to clear (Domain Users excepted of course). I know I can't modify the user account I have to modify the group, because memberof is backlinked, but is there a way to essentially loop through the actions of the one account and its group memberships, then move to the next user account and repeat? Any help appreciated
My System Specs

09-16-2008	#2 (permalink)
Richard Mueller [MVP] n/a posts	Re: Remove All Group Memberships for all User Accounts in an OU? <-> wrote in message news:uA53hwFGJHA.5064@xxxxxx Quote: > I've seen the examples with > > LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com > > but it's only one account, I have a whole OU full of accounts whose group > memberships I need to clear (Domain Users excepted of course). I know I > can't modify the user account I have to modify the group, because memberof > is backlinked, but is there a way to essentially loop through the actions > of the one account and its group memberships, then move to the next user > account and repeat? > > Any help appreciated You can enumerate all users in the OU, and for each user enumerate all direct group memberships, which will not include the "primary" group (which should be "Domain Users"). You can use the Remove method of each group object to remove the user from the group. To save binding to each group repeatedly for many users, I would track the groups in a dictionary object. For example (not tested): ============ Option Explicit Dim objOU, objUser, arrGroups, strGroup, objGroup Dim objGroupList ' Bind to OU object. Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com") ' Filter on objects of class user. objOU.Filter = Array("user") ' Create dictionary object of group objects. Set objGroupList = CreateObject("Scripting.Dictionary") objGroupList.CompareMode = vbTextCompare ' Enumerate users in OU. For Each objUser In objOU ' Enumerate direct group memberships. ' Trap error if there are no groups. ' Primary group is not included. On Error Resume Next arrGroups = objUser.GetEx("memberOf") If (Err.Number = 0) Then On Error GoTo 0 For Each strGroup In arrGroups ' Check if group already bound. If (objGroupList.Exists(strGroup) = False) Then ' Add group object to the dictionary object. Set objGroupList(strGroup) = GetObject("LDAP://" & strGroup) End If ' Remove user from the group. objGroupList(strGroup).Remove(objUser.AdsPath) Next End If On Error GoTo 0 Next -- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net --
My System Specs

Similar Threads
Thread	Forum
Group Memberships	PowerShell
Enumerate and COMPARE user group memberships	VB Script
how to add add/remove a user to Administrator group?	PowerShell
Remove user from administrators group	PowerShell
User Accounts Don't Populate To Remove	Vista account administration