{"id":63493,"date":"2007-11-30T00:55:00","date_gmt":"2007-11-30T00:55:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2007\/11\/30\/hey-scripting-guy-how-can-i-remove-everything-from-an-active-directory-group-except-other-groups\/"},"modified":"2007-11-30T00:55:00","modified_gmt":"2007-11-30T00:55:00","slug":"hey-scripting-guy-how-can-i-remove-everything-from-an-active-directory-group-except-other-groups","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-remove-everything-from-an-active-directory-group-except-other-groups\/","title":{"rendered":"Hey, Scripting Guy! How Can I Remove Everything From an Active Directory Group Except Other Groups?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! How can I remove all the members of a group unless that member is another group? I need a group that has only other groups as members, no individual users, computers, contacts, etc.

— TH<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, TH. You\u2019ll have to be patient with us this morning; after all, we\u2019re sending this column over the Internet and, well, you know how long that<\/I> can take.<\/P>\n

What\u2019s that? Well, to be honest, we were also under the mistaken impression that things transmitted over the Internet arrive almost instantly. Yesterday, however, the Scripting Guy who writes this column had to arrange for the Scripting Son\u2019s SAT scores (which, while good, were nowhere near as good as his Dad\u2019s<\/I> SAT scores) to be sent to the University of Idaho. After filling out the online form, he was given a choice of shipping options: Regular Shipping, or Over the Internet. What the heck, he thought. Let\u2019s send the scores over the Internet and get this wrapped up as quickly as possible.<\/P>\n

You\u2019d think that, by now, the Scripting Guy who writes this column would be used to being wrong. Nevertheless, he was still surprised by the estimated delivery time to send SAT scores over the Internet: 1 to 2 weeks. Of course, for $26.50 he could request Rush Shipping; in that case, the scores would be sent by courier within two business days. <\/P>\n

In other words, it\u2019s way faster to print out SAT scores, have a courier pick them up, have those scores flown across the country to Idaho, and then have another courier hand-deliver the scores to the University of Idaho than it is to simply send those scores electronically over the Internet.<\/P>\n

Hey, who said, \u201cThe SAT people must be using Microsoft software\u201d? Come on, be nice; as hard as it might be to remember, the Scripting Guys do<\/I> work for Microsoft, you know.<\/P>\n

Speaking of which, we probably should actually do a little work for Microsoft rather than spend all day trying to send SAT scores over the Internet. In other words, we should probably see if we can figure out how to write a script that removes everyone except other groups from an Active Directory group. And, hopefully, take less than 1 to 2 weeks to figure it out.<\/P>\n

Never mind; turns out it only took 1 to 2 minutes<\/I> to figure that out:<\/P>

Set objGroup = GetObject _\n    (“LDAP:\/\/CN=Finance Department,OU=Finance,DC=fabrikam,DC=com”)<\/p>\n
For Each strUser in objGroup.Member\n    Set objMember = GetObject(“LDAP:\/\/” & strUser)\n    If objMember.Class <> “group” Then\n        objGroup.Remove(objMember.ADsPath)\n    End If\nNext\n<\/PRE>\n
We hope you weren\u2019t expecting a really complicated script, TH; as you can see, this is actually a pretty simple little task to achieve. For example, to kick things off all we have to do is bind to the group in question; in this case, that\u2019s a group named Finance Department that\u2019s located in the Finance OU of fabrikam.com:<\/P>
Set objGroup = GetObject _\n    (“LDAP:\/\/CN=Finance Department,OU=Finance,DC=fabrikam,DC=com”)\n<\/PRE>\n
As you probably know, it\u2019s a simple enough matter to enumerate all the members of an Active Directory group; all you have to do is bind to the group (which we just did) and then loop through all the values stored in the Member<\/B> attribute. And yes, that attribute really should be named Members<\/I>, with an s<\/I> on the end; after all, groups typically have more than one member. But for some reason, it\u2019s the Member attribute (no s<\/I> on the end) instead. Go figure.<\/P>\n
Regardless, we can enumerate all the members of our group simply by setting up a For Each loop that looks like this:<\/P>
For Each strUser in objGroup.Member\n<\/PRE>\n
Now it gets just a little bit tricky. As we noted, all the members of a group are stored in the Member attribute; to be more specific, the distinguished name of each group member is stored in the Member attribute. In other words, the values stored in the Member attribute look something like this:<\/P>
CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com \nCN=Jonathan Haas,OU=Finance,DC=fabrikam,DC=com\nCN=Pilar Ackerman,OU=Human Resources,DC=fabrikam,DC=com\n<\/PRE>\n
Is that a problem? Well, for us it is; needless to say, it can be pretty tough (especially for a script) to just look at a distinguished name and determine whether or not we\u2019re dealing with a user, a computer, a group, or whatever. That\u2019s why the first thing we do inside our For Each loop is this:<\/P>
Set objMember = GetObject(“LDAP:\/\/” & strUser)\n<\/PRE>\n
What we\u2019re doing here is using the GetObject<\/B> function and the user\u2019s distinguished name (which is stored in the variable strUser) to bind to the Active Directory account for the first member in the group. Why do we want to do that? Well, as it turns out, all Active Directory objects have a Class<\/B> attribute that indicates the class the object belongs to: a user account has a Class attribute equal to user<\/I>, a computer account has a Class attribute equal to computer<\/I>, and so on. How do we know if a particular group member is (or isn\u2019t) another group? By using this line of code:<\/P>
If objMember.Class <> “group” Then\n<\/PRE>\n
Suppose the Class attribute is<\/I> equal to group<\/I>. Well, that\u2019s no big deal; in that case we simply zip back to the top of the loop and repeat this process with the next group member. <\/P>\n
Now, suppose that the Class attribute is not<\/I> equal to group<\/I> (that is, we\u2019re dealing with a user or computer or whatever). That can mean only one thing: this member needs to be removed from the group. (Remember, we\u2019re deleting everyone and everything that isn\u2019t another group.) Therefore, we simply grab the ADsPath<\/B> property for this particular object and pass the value to the Remove<\/B> method:<\/P>
objGroup.Remove(objMember.ADsPath)\n<\/PRE>\n
Just like that, the member will be removed from the group. And then we once again zip back around to the top of the loop and try this all over again with the next group member. When all is said and done, the only members left in our group will be other groups.<\/P>\n
Which is just exactly what we wanted to happen.<\/P>\n
By the way, we have a postscript to today\u2019s column. After entering his credit card number (yes, it costs money to have scores electronically sent over the Internet) the Scripting Guy hit the Submit button and asked that the scores be sent. At that point it wasn\u2019t clear what happened, if anything. The process seemed<\/I> to work, but the University of Idaho did not appear in the list of schools that the Scripting Son\u2019s SAT scores had been sent to. The Scripting Guy who writes this column wasn\u2019t sure what to make of that; after all, if it takes up to 2 weeks to send scores over the Internet who knows how long it might take to update a Web page. <\/P>\n
Nevertheless, the Scripting Guy who writes this column decided to contact the help desk and ask about that. Once again he filled out the online form and clicked Submit. Here\u2019s the message he got back:<\/P>\n\n<\/THEAD>\n\n\n
\n
Thank you!
Your information has been successfully submitted.<\/P>\n
Forms which have not been completed in their entirety cannot be processed. Please allow 2\u20144 weeks for requests to be processed.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
If we\u2019re reading that correctly, in a month or so he can expect to get a reply to his question. <\/P>\n
Isn\u2019t technology a wonderful thing? Imagine how long this process would take if we had to do what our ancestors did and pick up the phone and ask a real person a question?<\/P>\n
Oh, well. Tune in tomorrow \u2013 er, tune in next summer<\/I> and we\u2019ll let you know how this all turned out.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I remove all the members of a group unless that member is another group? I need a group that has only other groups as members, no individual users, computers, contacts, etc.— TH Hey, TH. You\u2019ll have to be patient with us this morning; after all, we\u2019re sending this column over […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,5],"class_list":["post-63493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I remove all the members of a group unless that member is another group? I need a group that has only other groups as members, no individual users, computers, contacts, etc.— TH Hey, TH. You\u2019ll have to be patient with us this morning; after all, we\u2019re sending this column over […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=63493"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=63493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=63493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=63493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}