Remove Security Groups


D-a-n_L

How can I, or what would be an efficient method to, remove all but the
default security groups from 1000+ user accounts? Can I just move all of
the accounts to a specific container and apply a policy that will do this or
is there another method that is recommended?
 
If you delete the 'custom' security groups, they will no longer be members
of the groups.... but you'll also lose the groups.

Ken
 
I could just delete the user and accomplish the same thing, but seriously,
what I want to do is leave all the user accts intact and remove the groups
from the accounts either by putting the accts into an AD container and
applying a GPO against it or some other method...
 
It appears you want 1000+ users to lose their group membership and only be
a member of the "domain users" group.
The easiest way to do this is to write a VBS script.
There is no way to accomplish this using group policies.

You might consider a less popular method (albeit more scary), if you don't
know scripting.
This requires at least two domain controllers.
Move all the users to an isolated OU, and replicate this change around.
Perform a system state backup on one of the DCs.
Delete the users OU (obviously do this off hours)
Replicate this deletion. This will cause the groups' forward links to the
users to be broken.
Then perform a system state restore, and mark the deleted OU as
authoritative.
This brings the users back, but will not recreate the links on the groups.
The end result is all the users will have only the domain users as their
group.

The following two articles describe this phenomenon.
http://support.microsoft.com/kb/q280079/
http://support.microsoft.com/kb/840001
 
Exactly, that was what I was looking for. Since GPOs can't do it, now I
need to find a script that will loop through multiple users with error
control to accomplish this. The scary recommendation is slick, but you're
right, too drastic for this scenario, albeit clever.

Can you apply a security template to multiple users or a container or is
this just for a computer object? Thanks.
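
[Added example, not part of any poster's reply] A scripted version of the loop with error control asked for above, written in PowerShell with the ActiveDirectory module rather than VBS. The OU path and CSV file name are assumed placeholders. Every membership is written to a CSV before anything is removed, so the change can be reversed without a system state restore.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $SearchBase and $BackupCsv defaults are hypothetical placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=GroupCleanup,DC=example,DC=com',
    [string]$BackupCsv  = '.\membership-backup.csv'
)

# memberOf never lists the primary group (Domain Users by default),
# so that membership is left alone automatically.
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties MemberOf

# 1. Record every user/group pair before changing anything.
$backup = foreach ($u in $users) {
    foreach ($g in $u.MemberOf) {
        [pscustomobject]@{ User = $u.DistinguishedName; Group = $g }
    }
}
# Write the backup even when the script runs with -WhatIf.
$backup | Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

# 2. Remove each membership; one failure must not stop the run.
$removed = 0
$failed  = 0
foreach ($row in $backup) {
    if ($PSCmdlet.ShouldProcess($row.User, "Remove from $($row.Group)")) {
        try {
            Remove-ADGroupMember -Identity $row.Group -Members $row.User `
                -Confirm:$false -ErrorAction Stop
            $removed++
        }
        catch {
            $failed++
            Write-Warning "FAILED $($row.User) -> $($row.Group): $($_.Exception.Message)"
        }
    }
}

Write-Output "Users: $(@($users).Count)  Removed: $removed  Failed: $failed"
Write-Output "Backup of original memberships: $BackupCsv"
```

Run it with -WhatIf first to list what would be removed while still producing the backup CSV. To roll back, feed the CSV rows to Add-ADGroupMember with the same Group and User columns.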
 
Or, you could get Hyena. It's a cool program that allows you to do batch
operations like what you're talking about from a nice GUI interface. Very
easy to use, and pretty cheap, too. They also have a fully functional eval.

http://www.systemtools.com/hyena/
 
Glenn L said:
It appears you want 1000+ users to lose their group membership and only be
a member of the "domain users" group.
The easiest way to do this is to write a VBS script.
There is no way to accomplish this using group policies.

You might consider a less popular method (albeit more scary), if you don't
know scripting.
This requires at least two domain controllers.
Move all the users to an isolated OU, and replicate this change around.
Perform a system state backup on one of the DCs.
Delete the users OU (obviously do this off hours)
Replicate this deletion. This will cause the groups' forward links to the
users to be broken.
Then perform a system state restore, and mark the deleted OU as
authoritative.
This brings the users back, but will not recreate the links on the groups.
The end result is all the users will have only the domain users as their
group.

OUCH!! Seems a bit drastic, even more so than the most obvious script, which
would likely be time-consuming.


/Al
 