\n| \n Note<\/strong>. Have the Scripting Guys implemented some sort of quality control procedures to ensure that a mistake like that never happens again? No, we have not. But don’t worry; the Scripting Guys make so many new mistakes each day that the chances of them ever repeating a mistake are quite slim.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n Today’s column was an easy one to write, too, and not because we’d already written it. Why was it so easy? Well, shortly after we received AD’s question, AD sent a second email stating that he had solved the problem himself. Because this was a good question, because AD really had<\/i> solved the problem, and because the Scripting Guy who writes this column is having trouble getting back into the swing of things after being off work for nearly three weeks, well, because of all that we decided to go ahead and answer AD’s question, using the very same approach AD came up with. Here’s how you can delete all the members of a group whose user account resides in a specified OU:<\/p>\nConst ADS_PROPERTY_DELETE = 4\n\nSet objGroup = GetObject(\"LDAP:\/\/CN=Finance Users,OU=Finance,DC=fabrikam,DC=com\") \n\nFor Each strUser in objGroup.Member \n If InStr(strUser,\"OU=Kentucky Office,DC=fabrikam,DC=com\") Then \n objGroup.PutEx ADS_PROPERTY_DELETE, \"member\", Array(strUser) \n objGroup.SetInfo \n End If\nNext<\/pre>\n
\n<\/thead>\n\n\n| \n Note to AD<\/strong>.<\/span> We really appreciate the fact that you sent in a script that answered your own question; it would make our
lives so much easier if everyone<\/i> did that. Speaking of which, any chance that, next time, you could send in an entire
Hey, Scripting Guy!<\/i> column as well? That would really<\/i> make our lives easier.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n Seeing as how AD wasn’t able to send us an entire column (at least not this time), let’s see if we can figure out for
ourselves how the script works. As you can see, we start out by defining a constant named ADS_PROPERTY_DELETE
and setting the value of this constant to 4; we’ll explain why we need this constant in just a moment. After defining the
constant, we then use this line of code to connect to the group in question; for our purposes, that’s a group named Finance
Users, a group that resides in the Finance OU in the fabrikam.com domain:<\/span><\/p>\nSet objGroup = GetObject(\"LDAP:\/\/CN=Finance Users,OU=Finance,DC=fabrikam,DC=com\")<\/pre>\nAs you probably know, each group object in Active Directory includes an attribute named Member<\/strong>. To be honest, that’s
not an especially good name; a much better name would have been Members<\/i>, seeing as how this multi-valued
attribute contains a collection of all the members of the group. Regardless of the name, however, we can cycle through
the entire group membership simply by setting up a For Each loop that loops through all the values in the Member
attribute:<\/span><\/p>\nFor Each strUser in objGroup.Member<\/pre>\nWhat are we going to do<\/i> inside this loop? Well, as you might recall, what we want to do is delete any user whose user
account resides in a particular OU; in this case, that’s the Kentucky Office OU in fabrikam.com. How are we supposed
to know<\/i> if a user account resides in the Kentucky Office OU? Good question. As it turns out, what’s actually stored in
the Member attribute are the distinguished names of each group member; that means an individual group member
is listed like this:<\/span><\/p>\nCN=Ken Myer,OU=Kentucky Office,DC=fabrikam,DC=com<\/pre>\nSo how do we know if this user account resides in the Kentucky Office OU? You got it: all we have to do is check to see
if the string value OU=<\/i>Kentucky<\/i> Office,DC=fabrikam,DC=com<\/i> can be found anywhere in the user’s distinguished
name.<\/span><\/p>\nAnd how do we do that<\/i>? Why, by using VBScript’s InStr<\/strong> function, of course:<\/span><\/p>\nIf InStr(strUser,\"OU=Kentucky Office,DC=fabrikam,DC=com\") Then<\/pre>\nIf InStr returns False (0), we simply zip back to the top of the loop and repeat the check with the next group member.
If InStr returns True, however, (or, to be more precise, if InStr returns any value other than 0) then we execute these
two lines of code:<\/span><\/p>\nobjGroup.PutEx ADS_PROPERTY_DELETE, \"member\", Array(strUser) \nobjGroup.SetInfo<\/pre>\nYet another good question: what is<\/i> going on in these two lines of code? Well, in line one we’re using the PutEx<\/strong> method
to remove the designated user from the group. (That is, a user whose user account resides in the Kentucky
Office OU.) As you can see, we need to pass PutEx three parameters:<\/span><\/p>\n\n- \n
ADS_PROPERTY_DELETE<\/strong>. <\/span>This, of course, is the constant we defined at the very beginning of the script. It’s also the
constant that tells the PutEx method that we want to delete a value from a specified attribute of the group
account.<\/span><\/p>\n<\/li>\n- \n
\"member\"<\/strong>. <\/span>What’s that? Which<\/i> attribute do we want to delete a value from? Needless to say, we want to delete a value
from the Member attribute. It’s no coincidence, then, that the second parameter passed to the PutEx method
is the name of the attribute we want to work with: “member”<\/i>.<\/span><\/p>\n<\/li>\n- \n
Array(strUser)<\/strong>. <\/span>Last, but surely not least, the third parameter specifies the value to be deleted. (Remember, as a
multi-valued attribute Member can – and typically does – contain many values.) In the case of a group, we remove a
user from group membership by passing the distinguished name of that user. That’s easy to do in this case,
because group members are already listed by distinguished name. Note, too that we need to pass this value as an
array, even though we’re only passing a single value here. Why? Because the rules state that values passed to PutEx
must always<\/i> be passed as arrays. And far be it from the Scripting Guys to ever break the rules.<\/span><\/p>\n<\/li>\n<\/ul>\nFinally, in line two, we call the SetInfo<\/strong> method, which officially removes the specified user from the group membership.
Don’t leave out the SetInfo method. If you leave this out, it will appear<\/i> as though the user’s group membership was
deleted; that’s because the change takes place in the local cache, the “virtual” version of the group account that resides in
your computer’s memory. However, calling PutEx only affects the virtual group account; to affect the actual Active
Directory account you need to call SetInfo.<\/span><\/p>\nThat should do it, AD. (Although, seeing as how you wrote pretty much the exact same script yourself, well, you probably
already knew<\/i> that that would do it.) As for the rest of you, you can look forward to another full year of <\/span>Hey
Scripting Guy!<\/i> That means more stories about the Scripting Son, more true facts about the Scripting Editor, and even
more amazing anecdotes about the Scripting Guy who writes this column. (Coming this week: how he managed to hide
a Christmas present from himself<\/i>.) <\/span><\/p>\nAnd who knows? If we have time this year, maybe we’ll throw in a little information about scripting from time-to-time.
We’ll see.<\/span> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"Hey, Scripting Guy! I have a problem and I haven’t quite figured out how to solve it. I have an Active Directory group, and I’d like to remove some users from that group; in particular, I’d like to remove all the users whose user accounts reside in a specified OU. How do I do that? […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,43,3,20,5],"class_list":["post-63373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-ous","tag-scripting-guy","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":" Hey, Scripting Guy! I have a problem and I haven’t quite figured out how to solve it. I have an Active Directory group, and I’d like to remove some users from that group; in particular, I’d like to remove all the users whose user accounts reside in a specified OU. How do I do that? […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=63373"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63373\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=63373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=63373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=63373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
| |
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
<\/h2>\n![\"Spacer\"](\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\")
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")
![\"Script](\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" "\\"Script")
<\/a><\/p>\n