Re: Query disabled users and delete their memberof associations




Hi

Ok - I have a .VBS that does what I want on an individual user obj (I have
tested in my test env [just leaves the primary group [[in my case, Domain
Users]]]).

What I need to work out now, is how to query the disabled users OU and put
the user DNs as an array (thanks Paul) into this vbscript.

==================================================

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

' DN of the disabled user whose group memberships are removed
strUserDN = "CN=USER1,OU=Disabled User Accounts Test,DC=MyDomain, DC=com"

Set objUser = GetObject("LDAP://" & strUserDN)

' GetEx raises an error when memberOf is empty, so trap it
On Error Resume Next
arrMemberOf = objUser.GetEx("MemberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No Group Memberships Found"
    WScript.Quit
End If
On Error GoTo 0

' Remove the user from the member attribute of each group
For Each group In arrMemberOf
    Set objGroup = GetObject("LDAP://" & group)
    objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
    objGroup.SetInfo
Next


==================================================


Any ideas? - I am still researching this as well.

Many thanks
Bry



"Paul Williams [MVP]" wrote:

I had a similar request for this, but in my case "they" wanted to keep the
membership somewhere so that it could easily be retained. I took a
developer aside and told him this (this isn't pretty, but we had certain
security requirements and political crap that had to be dealt with):

Write some code that does the following:

-- Takes the user's sAMAccountName as input
-- Grab the memberOf attribute and dump the contents into an array
-- Disable the user object
-- Get the RID of each group in the array, and concatenate into a semi-colon
delimited string value.
-- Write that value to an unused string attribute of the user.
-- If the string is > 1000 characters, split it and use another attribute.
-- Connect to each group in that list and remove the user object.


We had three attributes that would be used for this.

It hasn't been implemented yet.

LOL.


As others have said, you need to code this.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
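
An added example, not code from either poster: one way to walk the disabled-users OU and apply the per-user removal to every disabled account found there. The OU DN is the one from the script above; the DRY_RUN switch and the tab-separated "user, group" output line (kept as a record for restoring memberships later) are assumptions made for this example.

```vbscript
Option Explicit

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
' OU DN as used in the script above; adjust for your domain
Const DISABLED_OU = "OU=Disabled User Accounts Test,DC=MyDomain,DC=com"
' Assumption: dry-run switch added for this example; True only reports
Const DRY_RUN = True

Dim objOU, objUser, objGroup, arrMemberOf, strGroupDN, strUserDN, lngErr

Set objOU = GetObject("LDAP://" & DISABLED_OU)
objOU.Filter = Array("user")

' Enumerates the direct children of the OU only (no sub-OUs)
For Each objUser In objOU
    ' Skip anything that is not a disabled user object
    If LCase(objUser.Class) = "user" Then
        If objUser.AccountDisabled Then
            strUserDN = objUser.Get("distinguishedName")

            ' GetEx raises an error when memberOf is empty, so trap it
            On Error Resume Next
            arrMemberOf = objUser.GetEx("memberOf")
            lngErr = Err.Number
            On Error GoTo 0

            If lngErr = 0 Then
                For Each strGroupDN In arrMemberOf
                    ' One line per membership, usable as a restore record
                    WScript.Echo strUserDN & vbTab & strGroupDN
                    If Not DRY_RUN Then
                        Set objGroup = GetObject("LDAP://" & strGroupDN)
                        objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
                        objGroup.SetInfo
                    End If
                Next
            ElseIf lngErr <> E_ADS_PROPERTY_NOT_FOUND Then
                WScript.Echo "ERROR reading memberOf for " & strUserDN & ": " & Hex(lngErr)
            End If
        End If
    End If
Next
```

Run it with cscript and redirect the output to a file to keep the membership record before setting DRY_RUN to False. A group DN that contains a forward slash must have it escaped before it is used in the ADsPath.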




