Bulk group membership removal.


Dan Sheehan

Greetings,
I have a Windows 2003 domain that I am trying to clean up the group
membership of.

Imagine the existence of "GroupA", "GroupB", and "GroupC". GroupC is a
member of GroupB. GroupB is in turn a member of GroupA. Standard group
nesting. :)
What isn't standard (IMHO) is that user accounts are often explicit
members of all three groups which is redundant and unorganized. I have
management's permission to remove user accounts from the higher up
groups as long as the person is a member of a nested group.

So I came up with the LDAP query in ADUC:
(&(objectclass=user)(memberof=GroupA....)(memberof=GroupC...)). This
causes ADUC to show me who is currently a member of both groups.
The ironic thing is I could then use ADUC to bulk add the results of
the query to a new group, but not bulk remove anyone from a specific
group.

Does anyone know of a quick utility or tool I could use to accomplish
the last step of a bulk remove of a single group?

I would prefer not to purchase anything, and am hoping to avoid
excessive amounts of scripting and/or LDIFDE dumps just to perform the
single last step.

Thanks!!!
 
I would pose this question in the ADSI scripting group
microsoft.public.adsi.general.

I have included them in my response, but you may have to repost there.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I thought about posting there, but honestly was trying to avoid doing
this with custom scripting as I would like to hand my customer an easy
to use solution to reproduce my clean up efforts later.

If everyone agrees this is pretty much an ADSI only option, I will
pursue it there.

Thanks!
Dan Sheehan
MCSE 2003 + Messaging
 
Your original message didn't get transferred across to
microsoft.public.adsi.general and there is no indication where you
originally posted - can you explain your requirements here?

John
 
Here is his original
I have a Windows 2003 domain that I am trying to clean up the group
membership of.

Imagine the existence of "GroupA", "GroupB", and "GroupC". GroupC is a
member of GroupB. GroupB is in turn a member of GroupA. Standard group
nesting. :)
What isn't standard (IMHO) is that user accounts are often explicit
members of all three groups which is redundant and unorganized. I have
management's permission to remove user accounts from the higher up
groups as long as the person is a member of a nested group.

So I came up with the LDAP query in ADUC:
(&(objectclass=user)(memberof=GroupA....)(memberof=GroupC...)). This
causes ADUC to show me who is currently a member of both groups.
The ironic thing is I could then use ADUC to bulk add the results of
the query to a new group, but not bulk remove anyone from a specific
group.

Does anyone know of a quick utility or tool I could use to accomplish
the last step of a bulk remove of a single group?

I would prefer not to purchase anything, and am hoping to avoid
excessive amounts of scripting and/or LDIFDE dumps just to perform the
single last step.

Thanks!!!


--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks guys for helping to coordinate not only getting me in the right
spot, but getting the information there. :)
 
Well since no one had a suggestion, I had to go through about 8000
accounts by hand and remove them from the DLs. I really should know
more VBScripting, but honestly at this point will hold off until
PowerShell becomes a viable administration feature because I understand
command line scripting better.

:(
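
The cleanup asked about in this thread, as an added example that is not part of any poster's message: a PowerShell script that runs the same two-`memberOf` LDAP filter through ADSI and removes each match from the higher-level group, reporting only unless told to commit. The group DNs, the `-Commit` switch and the log file name are assumptions made for the example; it also assumes it is run on a domain-joined machine by an account allowed to modify the group.

```powershell
# Added example; the group DNs are constructed placeholders, not values from the thread.
param(
    [string]$ParentGroupDN = "CN=GroupA,OU=Groups,DC=example,DC=com",  # group to remove users from
    [string]$NestedGroupDN = "CN=GroupC,OU=Groups,DC=example,DC=com",  # nested group that keeps the access
    [switch]$Commit                                                    # hypothetical switch: without it, report only
)

# Escape a value for use inside an LDAP search filter (RFC 4515), so a DN
# containing \ * ( ) cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Same shape as the ADUC query, plus objectCategory=person to skip computer accounts.
# memberOf lists direct memberships only, so every match is an explicit member of both groups.
$parent = ConvertTo-LdapFilterValue $ParentGroupDN
$nested = ConvertTo-LdapFilterValue $NestedGroupDN
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$parent)(memberOf=$nested))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher   # binds to the current domain
$searcher.Filter = $filter
$searcher.PageSize = 1000            # paged search, so more than 1000 matches are returned
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
$found = $searcher.FindAll()

$group = [adsi]("LDAP://" + $ParentGroupDN)
$log = @(foreach ($r in $found) {
    $action = "WouldRemove"
    if ($Commit) {
        # IADsGroup.Remove takes the member's ADsPath, which SearchResult.Path already is.
        try   { [void]$group.psbase.Invoke("Remove", $r.Path); $action = "Removed" }
        catch { $action = "Failed: " + $_.Exception.Message }
    }
    New-Object PSObject -Property @{ Time = (Get-Date); User = $r.Path; Group = $ParentGroupDN; Action = $action }
})
$found.Dispose()

# Keep a record of every membership change for later review or rollback.
$log | Select-Object Time, User, Group, Action | Export-Csv -NoTypeInformation -Path ".\group-cleanup-log.csv"
$log | Group-Object Action | Select-Object Name, Count
```

Run it once without `-Commit` and check the CSV against the ADUC query results before running it again with `-Commit`.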
 