Re: Script the removal of the group memberships of all disabled users in AD?
- From: "Spin" <Spin@xxxxxxxx>
- Date: Sun, 5 Feb 2006 21:12:29 -0500
Joe, things might actually be easy for me though not straight-forward. I
only have a single Windows 2000 Domain with only one domain controller. All
users are in the default "Users" container.
Basically someone lumped all the disabled users into a global group called
"Disabled" but left the original group memberships of these accounts intact.
So I need to remove the extra group memberships of these users. Does this
make it clearer? What would be my command line to do this?
--
Spin
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:ecLb2RqKGHA.2064@xxxxxxxxxxxxxxxxxxxxxxx
Yes you can script this. I would recommend returning all disabled users
with the standard get disabled users query
(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))
and returning the memberof attribute at the same time.
Then tear through the groups listed in the memberof and remove the user
from them.
If you have but a single domain you can stop; if you have multiple,
continue on...
Query a DC for every domain with a query for every user like
(&(objectcategory=group)(member=userdn))
You could also OR several member=userdn pieces into a single query, just
make sure you don't make the query too big.
Remove the users' DNs from each of the groups.
If you have a GC in every domain, then query one GC in every domain with
the first query mentioned and then it will return the members in each of
the domains the user is a part of, you won't need to do all of the queries
you would have to if checking the groups for every userdn. If you had, say,
1000 disabled users, this GC "trick" will save you considerably. The more
domains you have, the more it would save you: for instance, if you have 5
domains and a GC in only one of them, then you would have to send
4001 queries. If you have a GC in all domains you would only need 5
queries.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Spin wrote:
Is there a way that I can script the removal of the group memberships of
all disabled users in AD? In other words, given an AD of 1,000 users,
and there are many of them disabled, but still belonging to their
original groups, I want to programmatically remove them from all groups
except for their original primary group of Domain Users.
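The procedure Joe describes, as an added example that is not part of the thread (my code, not Joe's or Spin's): it runs his disabled-user filter, walks each account's memberOf for the single-domain case, and, when other domains are named, issues his `(&(objectCategory=group)(member=userdn))` query against each of them with several `member=` clauses OR'd into one filter per batch. It uses System.DirectoryServices (ADSI) rather than the RSAT ActiveDirectory module, so it works against a Windows 2000 DC from any domain-joined Windows PowerShell host. Assumptions: the caller can modify the groups involved; the "Disabled" keep-group name comes from Spin's post; the `-OtherDomains`, batch size and log path are illustrative choices.

```powershell
[CmdletBinding()]
param(
    [string[]]$KeepGroups   = @('Disabled'),   # memberships to leave in place (Spin's group)
    [string[]]$OtherDomains = @(),             # DNS names of other domains (Joe's multi-domain case)
    [string]$LogPath        = "$env:TEMP\disabled-group-cleanup.csv",  # illustrative audit trail
    [switch]$WhatIf                            # report what would change without changing it
)

function ConvertTo-LdapFilterValue([string]$v) {
    # RFC 4515 escaping so a DN containing \ * ( or ) cannot alter the filter we build.
    $v.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Find-Entries([string]$ldapPath, [string]$filter, [string[]]$props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$ldapPath)
    $s.Filter   = $filter
    $s.PageSize = 1000                         # paged results, so >1000 hits still come back
    [void]$s.PropertiesToLoad.AddRange($props)
    $s.FindAll()
}

$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# Joe's "standard disabled users" filter: user objects whose userAccountControl has the
# ACCOUNTDISABLE bit (0x2) set, tested with the LDAP_MATCHING_RULE_BIT_AND OID.
$disabledFilter = '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$users = @(Find-Entries "LDAP://$domainDN" $disabledFilter @('distinguishedName', 'memberOf'))

# Resolve keep-list names to DNs once, so comparison is by DN rather than display name.
$keepDNs = foreach ($name in $KeepGroups) {
    $f = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $name)))"
    $r = @(Find-Entries "LDAP://$domainDN" $f @('distinguishedName'))
    if ($r.Count -eq 0) { throw "Keep group '$name' not found in $domainDN" }
    [string]$r[0].Properties['distinguishedname'][0]
}

# Work list: user DN -> group DNs to leave. memberOf is a back-link: it lists this
# domain's groups but never the primary group (Domain Users, via primaryGroupID),
# so that membership is untouched without any special-casing.
$work = @{}
foreach ($u in $users) {
    $dn = [string]$u.Properties['distinguishedname'][0]
    $work[$dn] = @($u.Properties['memberof'] | ForEach-Object { [string]$_ })
}

# Multi-domain: memberOf does not see other domains' groups, so ask each one which of
# its groups contain these users, OR-ing member= clauses in batches to keep filters small.
$batchSize = 50
$userDNs   = @($work.Keys)
foreach ($dom in $OtherDomains) {
    $domDN = 'DC=' + (($dom -split '\.') -join ',DC=')
    for ($i = 0; $i -lt $userDNs.Count; $i += $batchSize) {
        $batch = $userDNs[$i..([Math]::Min($i + $batchSize, $userDNs.Count) - 1)]
        $or = ($batch | ForEach-Object { "(member=$(ConvertTo-LdapFilterValue $_))" }) -join ''
        $groups = Find-Entries "LDAP://$dom/$domDN" "(&(objectCategory=group)(|$or))" @('distinguishedName', 'member')
        foreach ($g in $groups) {
            $gDN = [string]$g.Properties['distinguishedname'][0]
            foreach ($m in $g.Properties['member']) {
                if ($work.ContainsKey([string]$m)) { $work[[string]$m] += $gDN }
            }
        }
    }
}

# Remove, logging every change (or planned change) so the cleanup can be reviewed or reversed.
$log = @()
foreach ($userDN in $work.Keys) {
    foreach ($groupDN in ($work[$userDN] | Sort-Object -Unique)) {
        if ($keepDNs -contains $groupDN) { continue }
        if (-not $WhatIf) {
            ([ADSI]"LDAP://$groupDN").Remove("LDAP://$userDN")   # IADsGroup::Remove, commits immediately
        }
        $log += [pscustomobject]@{ When = (Get-Date).ToString('s'); User = $userDN; Group = $groupDN; Applied = (-not $WhatIf) }
    }
}
$log | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host ('{0} removals {1}; log: {2}' -f $log.Count, $(if ($WhatIf) { 'planned' } else { 'applied' }), $LogPath)
```

Run it with `-WhatIf` first and read the CSV before letting it touch anything; group changes on disabled accounts are still changes to who can do what once an account is re-enabled, and protected groups (adminCount=1) in particular deserve a look before a bulk edit. Two limits worth knowing: a DN containing a forward slash needs escaping before it is used in an `LDAP://` path, and a group with more than 1500 members returns its list as `member;range=0-1499` rather than `member`, so users in such a group would be missed by the multi-domain branch (they stay where they are, which is the safe failure) unless ranged retrieval is added.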