Remove a User from All RBAC Groups

In another script located in this warehouse (Unassign an RBAC Role) we show you how to unassign a Role-Based Access Control (RBAC) role that has been assigned to a user. That’s a pretty useful script, and it works great, as long as you know which RBAC role that user has been assigned.

Note. And as long as you know what RBAC is. For more information, see A Brief Introduction to RBAC.

 
There might be times, however, when you don’t know which RBAC role a user holds; you just know that they need to be removed from any RBAC role. (For example, maybe the user was temporarily serving as a junior administrator, but is now returning to his or her previous position.) Likewise, it’s conceivable that a user has been assigned multiple roles, and now needs to be unassigned from all of those roles. Can you do this by using Active Directory Users and Computers and methodically going through the membership list of each security group associated with an RBAC role? You bet you can. It’ll take a while, but it’ll work like a charm.

 
Or at least we assume it’ll work like a charm; to tell you the truth, we’ve never tried it. Instead, we always use this approach:

 
# Bind to the Active Directory account of the user named on the command line
$userDN = (Get-CsUser -Identity $args[0]).DistinguishedName
$user = [ADSI] "LDAP://$userDN"

# Each RBAC role's Identity is also the SamAccountName of its security group
$rbacRoles = Get-CsAdminRole | Select-Object Identity

foreach ($role in $rbacRoles)
    {
        $strFilter = "(&(objectCategory=Group)(SamAccountName=" + $role.Identity + "))"
        $objDomain = New-Object System.DirectoryServices.DirectoryEntry
        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.SearchRoot = $objDomain
        $objSearcher.Filter = $strFilter
        $objSearcher.SearchScope = "Subtree"
        [void] $objSearcher.PropertiesToLoad.Add("distinguishedName")

        # Skip any role whose security group cannot be found
        $objResult = $objSearcher.FindOne()
        if ($objResult -eq $null) { continue }

        $group = [ADSI] $objResult.Path

        # Compare distinguished names exactly; -match would treat the DN as a
        # regular expression and trip over characters such as parentheses
        foreach ($member in $group.member)
            {
                if ($member -eq $userDN)
                    {
                        $group.Remove($user.PsBase.Path)
                    }
            }
    }

 
What we have here is a little script that methodically connects to each of the security groups associated with an RBAC role, checks the membership list for each group, and then, if necessary, removes the designated user from the group. To do that, the script first takes its one required command-line parameter (the identity of the user about to lose his or her RBAC roles) and then binds to that person’s Active Directory user account. After that, the script uses Get-CsAdminRole to retrieve a collection of all the RBAC roles currently in use in the organization. As soon as it retrieves that collection, the script then does a quick search of Active Directory in order to locate – and bind to – each of the security groups associated with a role. When that’s done, the script then looks at the value of the Member attribute, which lists the distinguished name of each person who happens to be a member of the group. The script cycles through the membership list and, if it finds the designated user, proceeds to remove that user from the group. Removing the user from the group effectively strips him or her of the corresponding RBAC role as well.

 
That’s all you have to do. Any questions?

 
Ah, good point: we probably should tell you how to run the script, shouldn’t we? Well, for starters, copy the code, paste it into your favorite text editor (or even into your least favorite text editor; it doesn’t matter as long as it’s a text editor) and save the script as a .ps1 file (for example, C:\Scripts\Remove-AllRoles.ps1). From there all you have to do is call the script from within the Lync Server Command Shell, passing along the Identity of the user to be unassigned from his or her RBAC roles. For example, this command removes all the RBAC roles that were assigned to Ken Myer:

 
C:\Scripts\Remove-AllRoles.ps1 "Ken Myer"

 
And that’s all you have to do. (Although, just to be on the safe side, we won’t ask for any more questions.)
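For those who would rather see what is about to happen before it happens, here is an added variation of our own (not the script above, and not part of the original post) that does the same job as a function with a -WhatIf preview. It reads the user’s memberOf attribute once instead of searching Active Directory for every group, compares distinguished names exactly, and, like the script above, assumes that each RBAC security group’s SamAccountName equals the role’s Identity.

```powershell
# Added example, not the Script Warehouse script. Assumes, as the page's
# script does, that each RBAC group's SamAccountName equals the role Identity.
function Remove-UserFromRbacGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserIdentity
    )

    $userDN = (Get-CsUser -Identity $UserIdentity).DistinguishedName
    if (-not $userDN) { throw "No Lync-enabled user matches '$UserIdentity'." }
    $user = [ADSI] "LDAP://$userDN"

    # Role Identities double as the SamAccountNames of the RBAC security groups
    $roleNames = @(Get-CsAdminRole | ForEach-Object { $_.Identity })

    $removed = @()
    # Walk the user's own memberOf list instead of searching every group.
    # (memberOf omits the primary group, which RBAC groups never are.)
    foreach ($groupDN in @($user.memberOf)) {
        $group = [ADSI] "LDAP://$groupDN"
        $sam   = [string] $group.sAMAccountName
        if ($roleNames -notcontains $sam) { continue }   # not an RBAC group

        # With -WhatIf this only reports the planned removal; otherwise it removes
        if ($PSCmdlet.ShouldProcess($sam, "Remove $userDN from RBAC group")) {
            $group.Remove($user.PsBase.Path)
            $removed += $sam
        }
    }
    return $removed   # the role names the user was stripped of
}

# Preview first, then do it for real:
# Remove-UserFromRbacGroups -UserIdentity "Ken Myer" -WhatIf
# Remove-UserFromRbacGroups -UserIdentity "Ken Myer"
```

Run it from the Lync Server Command Shell, as with the script above; the -WhatIf pass lists the RBAC groups the user would be removed from without changing anything.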