rogerd2u Posted December 13, 2008

I'm trying to use the ADFunctions Script (in the Example scripts area) to remove a specified user from all domain groups. I was able to get my script to display the groups a user belongs to, but when I try to use the same variable to remove them from all the groups listed, it fails. I'm sure it has to do with the array, but I'm not sure how I can extract the data from the array to use it... please help!!! :-)

```autoit
#include <ADFunctions.au3>
#include <array.au3>

$sInputBoxAnswer = "JohnDoe"
$UserFQDN = _ADSamAccountNameToFQDN($sInputBoxAnswer)
Global $avGroups = ""
;Global $avGroups = ""
_ADSamAccountNameToFQDN($UserFQDN)
_ADRecursiveGetMemberOf($avGroups, $UserFQDN)
_ArrayDisplay($avGroups, "Debug: $avGroups")
_ADRemoveUserFromGroup($avGroups, $UserFQDN)
```

Roger O.
"When people show you who they are, believe them." --Mark Twain

archgriffin Posted December 14, 2008

From what you wrote I believe you are trying to remove a single user from every group they are a member of in AD. Here is a script I started as part of an end user termination script that might be helpful.

```autoit
#include-once
#include "includes\adfunctions.au3"
#include <GUIConstantsEx.au3>

Opt("GUIOnEventMode", 1)
$mainwindow = GUICreate("Find Users Groups", 200, 80)
GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")
GUICtrlCreateLabel("Username: ", 15, 10, 100, 20)
$sUser = GUICtrlCreateInput("", 70, 10, 100, 18)
$sGoBut = GUICtrlCreateButton("Get List",40, 40, 100)
GUICtrlSetOnEvent($sGoBut, "_List_Groups")
GUISetState(@SW_SHOW)

While 1
    Sleep(1000) ; Idle around
WEnd

Func _List_Groups()
    If Not _ADObjectExists(GUICtrlRead($sUser)) Then
        MsgBox (0, "Invalid", "The username: " & GUICtrlRead($sUser) & " is not valid.")
    Else
        _ADGetUserGroups($loggedonusergroups, GUICtrlRead($sUser) )
        Run("notepad")
        For $CompanyADGroup IN $loggedonusergroups
            $sADAttributes = StringSplit($CompanyADGroup, ",")
            $sGroupName = StringSplit($sADAttributes[1], "=")
            $sGroup = $sGroupName[2]
            WinWait("[TITLE:Untitled - Notepad]", "")
            If Not WinActive("[TITLE:Untitled - Notepad]", "") Then WinActivate("[TITLE:Untitled - Notepad]", "")
            WinWaitActive("[TITLE:Untitled - Notepad]", "")
            ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", $sGroup)
            ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", "{ENTER}")
            If $sGroup <> "Domain Users" Then _ADRemoveUserFromGroup($CompanyADGroup, _ADSamAccountNameToFQDN(GUICtrlRead($sUser)))
        Next
        ControlSend("Untitled - Notepad", "", "[CLASS:Edit; INSTANCE:1]", "{ENTER}")
    EndIf
EndFunc

Func CLOSEClicked()
    Exit
EndFunc
```

It asks for a username, then if it can find it in AD, opens notepad and types in the group, and removes the user from it. Primitive I know, but I got pushed to other projects so the overall script is on hold. Hope this helps.

"Human kind cannot gain anything without first giving something in return, to obtain; something of equal value must be lost."
The Help File is truly your friend.

rogerd2u (Author) Posted December 17, 2008

Thank you very much for the reply. I have a semi-working function I hacked together. It works at times, but it's not perfect... Maybe someone will be able to tell me why it works at times, but other times I get a COM error....?

```autoit
$UserFQDN = _ADSamAccountNameToFQDN($sInputBoxAnswer)

;Removes the user from all AD Groups
Func _RemoveADUserFromAllGroups()
    _ADRecursiveGetMemberOf($avGroups, $UserFQDN)
    ;_ArrayDisplay($avGroups, "User is currently a member of the following groups:")
    $rows = UBound($avGroups)
    $rows = $rows -1
    While $rows > 1
        $rows = $rows -1
        _ADRemoveUserFromGroup($avGroups[$rows], $UserFQDN)
    WEnd
    MsgBox(0,"AD User Account Update", "User has been removed from all Active Directory groups.")
EndFunc ;<---_RemoveADUserFromAllGroups()
```

water Posted December 18, 2008

I don't think you should use the _ADRecursiveGetMemberOf function to get all groups where your user is a member of.

Let's say user X is member of group A. Group A is member of group B. _ADRecursiveGetMemberOf will list group A and B.

I think you'll only have to remove user X from group A. When you try to remove user X from group B you'll get an error.

This is how I understand AD. I haven't done it myself so I could be wrong.

"For groups that are inherited, the return is the DN of the group, and the DN of the first group it was inherited from, separated by '|'"

So in your code you'll get an error when there are inherited groups.

I would try _ADGetUserGroups and see if that helps.

archgriffin Posted December 18, 2008

I believe he is right about the COM error coming from the use of the Recursive group finding. You can also get COM errors, however, if you do not have rights to remove people from the group. In the script I use it would give the error, but continue trying to remove the user from the other groups.
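
An added example, not part of the thread and not code from the ADFunctions UDF: water's point expressed as a filter, written in Python so it runs without a domain. It assumes the recursive listing uses the `groupDN|inheritedFromDN` form quoted above and may start with a count element; the function names and sample DNs are constructed for illustration.

```python
import re

# Group skipped by name, as in archgriffin's script in this thread.
SKIP_GROUPS = {"domain users"}

def _unescape(match):
    tok = match.group(1)
    # "\2C" style hex pair (ASCII only here) or a single escaped character.
    return chr(int(tok, 16)) if len(tok) == 2 else tok

def first_rdn_value(dn):
    """Value of the first RDN; a backslash-escaped comma does not end it."""
    m = re.match(r"\s*[A-Za-z]+=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError("not a distinguished name: %r" % dn)
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", _unescape, m.group(1))

def plan_removals(entries):
    """Split a recursive listing into direct groups and skipped entries."""
    direct, skipped = [], []
    for entry in entries:
        entry = str(entry)
        if "=" not in entry:      # assumed count element, not a DN
            continue
        group_dn, _, parent_dn = entry.partition("|")
        if parent_dn:             # reached through another group: no direct link to remove
            reason = "inherited via " + first_rdn_value(parent_dn)
            skipped.append((group_dn, reason))
        elif first_rdn_value(group_dn).lower() in SKIP_GROUPS:
            skipped.append((group_dn, "excluded by name"))
        else:
            direct.append(group_dn)
    return direct, skipped

# Constructed sample (not real directory data).
SAMPLE = [
    4,
    "CN=Helpdesk,OU=Groups,DC=example,DC=com",
    "CN=IT Staff,OU=Groups,DC=example,DC=com|CN=Helpdesk,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    direct, skipped = plan_removals(SAMPLE)
    for dn in direct:
        print("remove from:", dn)
    for dn, reason in skipped:
        print("skip:", dn, "(" + reason + ")")
```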