rogerd2u

Remove Users from a Group

5 posts in this topic

I'm trying to use the ADFunctions Script (in the Example scripts area) to remove a specified user from all domain groups. I was able to get my script to display the groups a user belongs to, but when I try to use the same variable to remove them from all the groups listed, it fails. I'm sure it has to do with the array, but I'm not sure how I can extract the data from the array to use it...please help!!! :-)

#include <ADFunctions.au3>
#include <Array.au3>

$sInputBoxAnswer = "JohnDoe"
$UserFQDN = _ADSamAccountNameToFQDN($sInputBoxAnswer)

Global $avGroups = ""

; Fills $avGroups with the groups the user belongs to (directly and via nesting)
_ADRecursiveGetMemberOf($avGroups, $UserFQDN)
_ArrayDisplay($avGroups, "Debug: $avGroups")

; This is the call that fails: the whole array is passed where a single group DN is expected
_ADRemoveUserFromGroup($avGroups, $UserFQDN)


Roger O. "When people show you who they are, believe them." --Mark Twain


From what you wrote I believe you are trying to remove a single user from every group they are a member of in AD. Here is a script I started as part of an end-user termination script that might be helpful.

#include "includes\adfunctions.au3"
#include <GUIConstantsEx.au3>

Opt("GUIOnEventMode", 1)

Global $loggedonusergroups ; filled by _ADGetUserGroups with the user's group DNs

$mainwindow = GUICreate("Find Users Groups", 200, 80)
GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")

GUICtrlCreateLabel("Username: ", 15, 10, 100, 20)
$sUser = GUICtrlCreateInput("", 70, 10, 100, 18)
$sGoBut = GUICtrlCreateButton("Get List", 40, 40, 100)
GUICtrlSetOnEvent($sGoBut, "_List_Groups")
GUISetState(@SW_SHOW)

While 1
    Sleep(1000) ; Idle around
WEnd

Func _List_Groups()
    If Not _ADObjectExists(GUICtrlRead($sUser)) Then
        MsgBox(0, "Invalid", "The username: " & GUICtrlRead($sUser) & " is not valid.")
    Else
        ; Direct group memberships of the user, as distinguished names
        _ADGetUserGroups($loggedonusergroups, GUICtrlRead($sUser))

        ; Notepad serves as a crude log of the groups processed
        Run("notepad")
        WinWait("[TITLE:Untitled - Notepad]", "")
        If Not WinActive("[TITLE:Untitled - Notepad]", "") Then WinActivate("[TITLE:Untitled - Notepad]", "")
        WinWaitActive("[TITLE:Untitled - Notepad]", "")

        For $CompanyADGroup In $loggedonusergroups
            ; "CN=Group Name,OU=...,DC=..." -> "Group Name"
            $sADAttributes = StringSplit($CompanyADGroup, ",")
            $sGroupName = StringSplit($sADAttributes[1], "=")
            $sGroup = $sGroupName[2]

            ; flag 1 = send the text raw, so characters like ! + ^ { in a group name are not treated as key modifiers
            ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", $sGroup, 1)
            ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", "{ENTER}")
            If $sGroup <> "Domain Users" Then _ADRemoveUserFromGroup($CompanyADGroup, _ADSamAccountNameToFQDN(GUICtrlRead($sUser)))
        Next

        ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", "{ENTER}")
    EndIf
EndFunc

Func CLOSEClicked()
    Exit
EndFunc

It asks for a username, then, if it can find it in AD, opens Notepad, types in the group, and removes the user from it. Primitive, I know, but I got pushed to other projects so the overall script is on hold. Hope this helps.


"Human kind cannot gain anything without first giving something in return, to obtain; something of equal value must be lost." The Help File is truly your friend.


Thank you very much for the reply. I have a semi-working function I hacked together. It works at times, but it's not perfect...

Maybe someone will be able to tell me why it works at times, but other times I get a COM error....?

#include <ADFunctions.au3>

$sInputBoxAnswer = "JohnDoe"
$UserFQDN = _ADSamAccountNameToFQDN($sInputBoxAnswer)
Global $avGroups = ""

; Removes the user from all AD groups
Func _RemoveADUserFromAllGroups()
    _ADRecursiveGetMemberOf($avGroups, $UserFQDN)
    ;_ArrayDisplay($avGroups, "User is currently a member of the following groups:")

    ; Walk the array from the last element down to [1]; element [0] is skipped
    ; (assumed to hold the element count rather than a group DN)
    For $rows = UBound($avGroups) - 1 To 1 Step -1
        _ADRemoveUserFromGroup($avGroups[$rows], $UserFQDN)
    Next

    MsgBox(0, "AD User Account Update", "User has been removed from all Active Directory groups.")
EndFunc ;<---_RemoveADUserFromAllGroups()


Roger O. "When people show you who they are, believe them." --Mark Twain


I don't think you should use the _ADRecursiveGetMemberOf function to get all groups your user is a member of.

Let's say user X is member of group A. Group A is member of group B. _ADRecursiveGetMemberOf will list group A and B.

I think you'll only have to remove user X from group A. When you try to remove user X from group B you'll get an error.

This is how I understand AD. I haven't done it myself so I could be wrong.

For groups that are inherited, the return is the DN of the group, and the DN of the first group it was inherited from, separated by '|'.

So in your code you'll get an error when there are inherited groups.

I would try _ADGetUserGroups and see if that helps.




I believe he is right about the COM error coming from the use of the Recursive group finding. You can also get COM errors however if you do not have rights to remove people from the group. In the script I use it would give the error, but continue trying to remove the user from the other groups.


"Human kind cannot gain anything without first giving something in return, to obtain; something of equal value must be lost." The Help File is truly your friend.
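Pulling the thread's advice together, here is an added example written for this page (it is not code from any poster, nor part of the ADFunctions UDF): it takes only direct memberships via _ADGetUserGroups as the reply above suggests, defensively cuts any "groupDN|parentDN" entry, keeps going when a removal fails for lack of rights, and writes one audit line per group to a file instead of Notepad. It assumes the ADFunctions.au3 function names used in this thread, and that _ADRemoveUserFromGroup returns nonzero on success and sets @error on failure (both assumptions); the function name and the log path are constructed for the example.

```autoit
#include <ADFunctions.au3>

; Remove a user from every group they are a DIRECT member of, appending one
; audit line per group to $sLogFile and continuing past failures (for example
; no rights on a particular group). Returns the number of successful
; removals, or -1 with @error = 1 if the account does not exist.
Func _RemoveFromDirectGroups($sSamAccountName, $sLogFile)
    If Not _ADObjectExists($sSamAccountName) Then Return SetError(1, 0, -1)
    Local $sUserFQDN = _ADSamAccountNameToFQDN($sSamAccountName)

    ; Direct memberships only. _ADRecursiveGetMemberOf would also list nested
    ; groups as "groupDN|parentDN"; the user is not a member of those, so a
    ; removal attempt there is exactly the COM error discussed above.
    Local $aGroups = 0
    _ADGetUserGroups($aGroups, $sSamAccountName)
    If Not IsArray($aGroups) Then Return 0

    ; The primary group (Domain Users by default) is not in memberOf and is
    ; not removable this way, so it never shows up in $aGroups.
    Local $hLog = FileOpen($sLogFile, 1) ; 1 = append, creating the file if needed
    Local $iRemoved = 0, $sGroupDN, $iRet, $iErr, $sStamp
    For $vEntry In $aGroups
        ; Skip anything that is not a DN (e.g. an element count) and cut a
        ; "|parentDN" suffix in case a nested entry is ever passed in.
        If Not IsString($vEntry) Or StringInStr($vEntry, "CN=") <> 1 Then ContinueLoop
        $sGroupDN = StringRegExpReplace($vEntry, "\|.*$", "")

        $iRet = _ADRemoveUserFromGroup($sGroupDN, $sUserFQDN)
        $iErr = @error ; capture immediately; the next call resets @error
        $sStamp = @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC
        If $iErr Or Not $iRet Then
            FileWriteLine($hLog, $sStamp & " FAILED  " & $sSamAccountName & " <- " & $sGroupDN & " (@error=" & $iErr & ")")
        Else
            FileWriteLine($hLog, $sStamp & " REMOVED " & $sSamAccountName & " <- " & $sGroupDN)
            $iRemoved += 1
        EndIf
    Next
    FileClose($hLog)
    Return $iRemoved
EndFunc

; Usage with the sample account name from the thread; the log path is constructed.
Local $iCount = _RemoveFromDirectGroups("JohnDoe", @ScriptDir & "\group-removal.log")
If @error Then
    MsgBox(0, "AD User Account Update", "User not found in AD.")
Else
    MsgBox(0, "AD User Account Update", "Removed from " & $iCount & " direct group(s); see group-removal.log.")
EndIf
```

The FAILED lines in the log are the ones to review afterwards: a failure on a group you do have rights to usually means the entry was a nested group rather than a direct membership.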

