Bulk group membership removal.

[Dan Sheehan]

Greetings,
I have a Windows 2003 domain that I am trying to clean up the group
membership of.

Imagine the existence of "GroupA", "GroupB", and "GroupC". GroupC is a
member of GroupB. GroupB is in turn a member of GroupA. Standard group
nesting.
What isn't standard (IMHO) is that user accounts are often explicit
members of all three groups which is redundant and unorganized. I have
management's permission to remove user accounts from the higher up
groups as long as the person is a member of a nested group.

So I came up with the LDAP query in ADUC:
(&(objectclass=user)(memberof=GroupA....)(memberof=GroupC...)). This
causes ADUC to show me who is currently a member of both groups.
The ironic thing is I could then use ADUC to bulk add the results of
the query to a new group, but not bulk remove anyone from a specific
group.

Does anyone know if a quick utility or tool I could use to accomplish
the last step of a builk remove of a single group?

I would prefer not to purchase anything, and am hoping to avoid
excessive amounts of scripting and/or LDIFDE dumps just to perform the
single last step.

Thanks!!!

 

[Paul Bergson]

I would pose this question in the ADSI scripting group
microsoft.public.adsi.general.

I have included them in my response, but you may have to report there.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Dan Sheehan]

I thought about posting there, but honestly was trying to avoid doing
this with custome scripting as I would like to hand my customer an easy
to use solution to reproduce my clean up efforts later.

If everyone agrees this is pretty much an ADSI only option, I will
persue it there.

Thanks!
Dan Sheehan
MCSE 2003 + Messaging

 

[JRB]

Your original message didn't get transferred across to
microsoft.public.adsi.general and there is no indication where you
originally posted - can you explain your requirements here?

John

 

[Paul Bergson]

Here is his original

I have a Windows 2003 domain that I am trying to clean up the group
membership of.

Imagine the existence of "GroupA", "GroupB", and "GroupC". GroupC is a
member of GroupB. GroupB is in turn a member of GroupA. Standard group
nesting.
What isn't standard (IMHO) is that user accounts are often explicit
members of all three groups which is redundant and unorganized. I have
management's permission to remove user accounts from the higher up
groups as long as the person is a member of a nested group.

So I came up with the LDAP query in ADUC:
(&(objectclass=user)(memberof=GroupA....)(memberof=GroupC...)). This
causes ADUC to show me who is currently a member of both groups.
The ironic thing is I could then use ADUC to bulk add the results of
the query to a new group, but not bulk remove anyone from a specific
group.

Does anyone know if a quick utility or tool I could use to accomplish
the last step of a builk remove of a single group?

I would prefer not to purchase anything, and am hoping to avoid
excessive amounts of scripting and/or LDIFDE dumps just to perform the
single last step.

Thanks!!!

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Dan Sheehan]

Thanks guys for helping to coordinate not only getting me in the right
spot, but getting the information there.

 

[Dan Sheehan]

Well since no one had a suggestion, I had to go through about 8000
accounts by hand and remove them from the DLs. I really should know
more VBScripting, but honestly at this point will hold off until
PowerShell becomes a viable administration feature because I understand
command line scripting better.