How Can I Delete All the Users in an Active Directory Group?

ScriptingGuy1

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I delete all the users in an Active Directory group?

— AA

SpacerHey, Scripting Guy! AnswerScript Center

Hey, AA. You know, that’s something we Scripting Guys never thought about: a script that could eliminate all the users in a particular group. The only problem we have with that is: where do we start? For example, maybe we start with the teenagers a few houses down, the same group that occasionally gets the uncontrollable urge to go outside and skateboard at 3:00 in the morning. (Although, to be fair, who among us doesn’t occasionally get the uncontrollable urge to skateboard at 3:00 in the morning?) Or maybe we start with that group of baseball players, the ones who clapped their hands, waved their arms, and yelled at the pitcher as he prepared to pitch. (Too bad the Scripting Son didn’t pitch that game; he would have known exactly what to do with that group.)

And then there’s all those groups here at work, like the one where all the people – What’s that? All you want to do is remove the group memberships for all the users in a specified Active Directory group? Oh, sure, no problem; we can do that.

What were we thinking about? Um, pretty much the same thing, deleting the group memberships for all the users in a specified Active Directory group.

Pretty much.

As it turns out, if all you want to do is delete a few Active Directory group memberships, well, that can be done using a script no more complicated than this:

Const ADS_PROPERTY_CLEAR = 1 

Set objGroup = GetObject(“LDAP://cn=Finance Users,ou=Finance,dc=fabrikam,dc=com”)

objGroup.PutEx ADS_PROPERTY_CLEAR, “member”, 0 objGroup.SetInfo

We agree: if only deleting other kinds of groups was that easy! As you can see, we start out by defining a constant named ADS_PROPERTY_CLEAR and setting the value to 1; we’ll use this constant to tell the script that we want to clear all the values of the group’s Member attribute. (Needless to say, the Member attribute is a multi-valued attribute that contains the list of group members.) After defining the constant we then use this line of code to connect to the group in question, in this case the Finance Users group located in fabrikam.com’s Finance OU:

Set objGroup = GetObject(“LDAP://cn=Finance Users,ou=Finance,dc=fabrikam,dc=com”) 

Amazingly enough, we’re halfway done at this point. After binding to the group account we use the PutEx method to actually clear the group membership. (The PutEx method is an ADSI method designed to work with multi-valued attributes, attributes that can contain multiple values, like multiple user names.) We need to pass PutEx three parameters:

ADS_PROPERTY_CLEAR, the constant that tells PutEx we want to delete all the values in the specified attribute. Other constants – and their corresponding values – would enable us to do things like add new members to the group or delete specified members from the group.

Member, the multi-valued attribute we want to clear.

0, the new value being assigned to the attribute. Technically it doesn’t matter what value we specify here: when you perform an operation using ADS_PROPERTY_CLEAR ADSI ignores this third parameter. However, if you leave the parameter out you’ll get a “Wrong number of arguments” error. We put a 0 here simply as a reminder that, when the script finishes, the Finance Users group will have 0 members.

After calling the PutEx method we’re left with just one final task: we need to call the SetInfo method to write these changes (i.e., delete all the group memberships) back to Active Directory. That’s what we do with this line of code:

objGroup.SetInfo

Execute that last line and, just like that, all the members of the Finance Users group will be deleted.

Now, if we could just remove all the members of the people-who-honk-their-horns-before-the-light-even-turns-green group, well, then we’d really be on to something, wouldn’t we?

0 comments

Discussion is closed.

Feedback usabilla icon