
Remove Users from a Group


rogerd2u

I'm trying to use the ADFunctions Script (in the Example scripts area) to remove a specified user from all domain groups. I was able to get my script to display the groups a user belongs to, but when I try to use the same variable to remove them from all the groups listed, it fails. I'm sure it has to do with the array, but I'm not sure how I can extract the data from the array to use it...please help!!! :-)

#include <ADFunctions.au3>
#include <Array.au3>

$sInputBoxAnswer = "JohnDoe"                                ; sAMAccountName of the user to process
$UserFQDN = _ADSamAccountNameToFQDN($sInputBoxAnswer)       ; distinguished name of that user

Global $avGroups = ""

; fills $avGroups with the DNs of the groups the user belongs to (direct and inherited)
_ADRecursiveGetMemberOf($avGroups, $UserFQDN)
_ArrayDisplay($avGroups, "Debug: $avGroups")

; fails here: $avGroups is the whole array, but the function expects a single group DN
_ADRemoveUserFromGroup($avGroups, $UserFQDN)

Roger O.


From what you wrote I believe you are trying to remove a single user from every group they are a member of in AD. Here is a script I started as part of an end user termination script that might be helpful.

#include-once
#include "includes\adfunctions.au3"
#include <GUIConstantsEx.au3>

Opt("GUIOnEventMode", 1)

$mainwindow = GUICreate("Find Users Groups", 200, 80)
GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")

GUICtrlCreateLabel("Username: ", 15, 10, 100, 20)
$sUser = GUICtrlCreateInput("", 70, 10, 100, 18)
$sGoBut = GUICtrlCreateButton("Get List", 40, 40, 100)
GUICtrlSetOnEvent($sGoBut, "_List_Groups")
GUISetState(@SW_SHOW)

While 1
    Sleep(1000) ; Idle around
WEnd


Func _List_Groups()
    Local $loggedonusergroups, $sADAttributes, $sGroupName, $sGroup
    If Not _ADObjectExists(GUICtrlRead($sUser)) Then
        MsgBox(0, "Invalid", "The username: " & GUICtrlRead($sUser) & " is not valid.")
    Else
        ; direct group memberships only (no recursion through nested groups)
        _ADGetUserGroups($loggedonusergroups, GUICtrlRead($sUser))

        ; Notepad is used as a crude log of the groups that were processed
        Run("notepad")
        WinWait("[TITLE:Untitled - Notepad]", "")
        If Not WinActive("[TITLE:Untitled - Notepad]", "") Then WinActivate("[TITLE:Untitled - Notepad]", "")
        WinWaitActive("[TITLE:Untitled - Notepad]", "")

        For $CompanyADGroup In $loggedonusergroups
            ; pull the CN out of the group DN, e.g. "CN=Sales,OU=Groups,DC=example,DC=com" -> "Sales"
            $sADAttributes = StringSplit($CompanyADGroup, ",")
            $sGroupName = StringSplit($sADAttributes[1], "=")
            If $sGroupName[0] < 2 Then ContinueLoop ; not a "CN=..." entry, skip it
            $sGroup = $sGroupName[2]

            ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", $sGroup)
            ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", "{ENTER}")
            ; Domain Users is the primary group; the user cannot be removed from it this way
            If $sGroup <> "Domain Users" Then _ADRemoveUserFromGroup($CompanyADGroup, _ADSamAccountNameToFQDN(GUICtrlRead($sUser)))
        Next

        ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", "{ENTER}")
    EndIf
EndFunc

Func CLOSEClicked()
    Exit
EndFunc

It asks for a username, then if it can find it in AD, opens notepad and types in the group, and removes the user from it. Primitive I know, but I got pushed to other projects so the overall script is on hold. Hope this helps.



Thank you very much for the reply. I have a semi-working function I hacked together. It works at times, but it's not perfect...

Maybe someone will be able to tell me why it works at times, but other times I get a COM error....?

#include <ADFunctions.au3>

Global $avGroups
$sInputBoxAnswer = "JohnDoe" ; sAMAccountName of the user to process
$UserFQDN = _ADSamAccountNameToFQDN($sInputBoxAnswer)

_RemoveADUserFromAllGroups()

; Removes the user from all AD groups
Func _RemoveADUserFromAllGroups()
    _ADRecursiveGetMemberOf($avGroups, $UserFQDN)
    ;_ArrayDisplay($avGroups, "User is currently a member of the following groups:")

    ; walk the entries from index 1 to the last one; index 0 is skipped as in the
    ; original loop, which however stopped one entry early and never touched the last group
    For $i = 1 To UBound($avGroups) - 1
        _ADRemoveUserFromGroup($avGroups[$i], $UserFQDN)
    Next

    MsgBox(0, "AD User Account Update", "User has been removed from all Active Directory groups.")
EndFunc ;<---_RemoveADUserFromAllGroups()


Roger O.


I don't think you should use the _ADRecursiveGetMemberOf function to get all groups your user is a member of.

Let's say user X is member of group A. Group A is member of group B. _ADRecursiveGetMemberOf will list group A and B.

I think you'll only have to remove user X from group A. When you try to remove user X from group B you'll get an error.

This is how I understand AD. I haven't done it myself so I could be wrong.

For groups that are inherited, the return is the DN of the group, and the DN of the first group it was inherited from, separated by '|'.

So in your code you'll get an error when there are inherited groups.

I would try _ADGetUserGroups and see if that helps.


I believe he is right about the COM error coming from the use of the Recursive group finding. You can also get COM errors however if you do not have rights to remove people from the group. In the script I use it would give the error, but continue trying to remove the user from the other groups.

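Putting the thread's three points together (skip the inherited "groupDN|parentDN" entries that _ADRecursiveGetMemberOf returns, skip the primary group Domain Users, and keep going when one group raises a COM error), here is an added AutoIt example; it is not code from the thread or from the ADFunctions UDF. It assumes the UDF functions named in the thread (_ADObjectExists, _ADSamAccountNameToFQDN, _ADRecursiveGetMemberOf, _ADRemoveUserFromGroup), that array slots which are not DNs (such as a count in element 0) can be skipped by the "CN=" check, and that the AutoIt.Error handler registered here takes precedence over any handler the UDF registers; _RemoveUserFromDirectGroups, _ComErrHandler and $g_bComError are names chosen for this example.

```autoit
#include <ADFunctions.au3>

Global $g_bComError = False ; set by the COM error handler, checked after each removal

; Remove the user from every group it is a DIRECT member of.
; Inherited memberships come back as "<groupDN>|<parentGroupDN>" and are skipped,
; because the user is not a member of the parent group and the removal would raise
; a COM error. Returns the number of groups the user was removed from.
Func _RemoveUserFromDirectGroups($sSamAccountName)
    If Not _ADObjectExists($sSamAccountName) Then Return SetError(1, 0, 0) ; no such user
    Local $sUserFQDN = _ADSamAccountNameToFQDN($sSamAccountName)

    Local $avGroups
    _ADRecursiveGetMemberOf($avGroups, $sUserFQDN)
    If Not IsArray($avGroups) Then Return 0

    ; trap COM errors (for example missing rights on one group) so the loop continues
    Local $oErrHandler = ObjEvent("AutoIt.Error", "_ComErrHandler")
    Local $iRemoved = 0, $sEntry
    For $i = 0 To UBound($avGroups) - 1
        $sEntry = $avGroups[$i]
        If Not StringRegExp($sEntry, "(?i)^CN=") Then ContinueLoop          ; count element or empty slot
        If StringInStr($sEntry, "|") Then ContinueLoop                      ; inherited, not direct
        If StringRegExp($sEntry, "(?i)^CN=Domain Users,") Then ContinueLoop ; primary group, cannot be removed

        $g_bComError = False
        _ADRemoveUserFromGroup($sEntry, $sUserFQDN)
        If $g_bComError Then
            ConsoleWrite("Failed to remove " & $sSamAccountName & " from " & $sEntry & @CRLF)
        Else
            $iRemoved += 1
            ConsoleWrite("Removed from " & $sEntry & @CRLF)
        EndIf
    Next
    Return $iRemoved
EndFunc

; Logs the COM error and flags it; returning normally lets the script carry on
Func _ComErrHandler($oError)
    $g_bComError = True
    ConsoleWrite("COM error 0x" & Hex($oError.number, 8) & ": " & $oError.description & @CRLF)
EndFunc

Local $iCount = _RemoveUserFromDirectGroups("JohnDoe") ; "JohnDoe" is the sample name from the thread
MsgBox(0, "AD User Account Update", "Removed from " & $iCount & " group(s).")
```

Every failed group is written to the console rather than aborting the run, so the offboarding can be reviewed afterwards and the groups that still need attention are listed.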
