Question : Script to Remove Groups from the "Member of" groups in a list of user accounts

OK, I'm going to attempt to describe my request as clearly as possible.  I'm not a scripting expert by any means and need a lot of help to do this.  I've checked all over the internet to find something that will work that I can build on, but was only able to find a small example that I will paste below. Here's my situation:

We have a very large Windows 2003 AD domain with many OUs, of which I have administrative rights over a single site (call it OU=A). We have many users moving into, and out of, our OU. When we move a user "out of" our OU we need to remove all the groups that exist in the "Member of" tab in ADUC associated with our site (OU=A). While this is a simple process when the move is for 1 to 15 users, it gets much more work intensive when we have to move 50 to 100 users. We often receive these requests with the users listed in an Excel spreadsheet. I would like to script this process by taking advantage of the spreadsheet.

As always, there are a couple of catches. 1) The user account may have a Security group from another Site OU, which should be ignored because my admin account won't be able to remove it. 2) We need to remove Global, Domain Local, Universal, and Distribution groups that are in our Site OU (OU=A). Any group that exists in my Site OU (call it OU=A) will need to be removed.

The VB code snippet I found is below. It may not be the direction you would go, so I'm open to suggestions.

* VBScript

On Error Resume Next

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

' Bind to the user account (the DN below is a placeholder for the real account).
' The original snippet had a doubled "cn=cn=" in this path, which makes the bind fail.
Set objUser = GetObject _
    ("LDAP://cn=username,ou=A,ou=SITES,dc=OURDC,dc=OURDC,dc=COM")
arrMemberOf = objUser.GetEx("memberOf")

If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "This account is not a member of any security groups."
    WScript.Quit
End If

' Remove the user's DN from the "member" attribute of every group listed in memberOf.
' Note that memberOf is filtered nowhere here: every group, in every OU, is processed.
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=username,ou=A,ou=SITES,dc=OURDC,dc=OURDC,dc=COM")
    objGroup.SetInfo
Next

The problem with this code is that it is for a single user and not calling an Excel file with a list of users. Also, I don't think it will handle the Groups that are in a different Site OU, but I'm not positive about this.

In the long term I'd like to make this the core of a larger script that confirms the user name before it removes groups, then moves the user's Exchange 2007 mailbox to a staging or holding storage group, which already exists (I can fill in those blanks if I can get the proper commands and syntax).

I hope I explained this clearly enough. Thanks in advance for your help and advice.

Answer : Script to Remove Groups from the "Member of" groups in a list of user accounts

I changed the script to log to a file instead of outputting to the console.
The file is under c:\temp\shdrv.log
Option Explicit

Const ADS_PROPERTY_DELETE = 4
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

' The OU that holds the site OUs (ou=A, ou=B, ...); the script walks every OU below it.
Const ROOT_OU = "ou=<ROOT_OU>"

Dim parent, parentDN, intRow, users, user, strGroupDN
Dim objFSO, objInputFile, objRootLDAP, objGroup, objUser, objParent, objmemberOf
Dim objWorkbook, objExcel, strName, strSAMAccountName, intGroupType, distinguishedName
Dim strUser, strDNSDomain, strLDAP, root

' Option Explicit is on, so objFSO/objInputFile must be declared above or the script stops at this line.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInputFile = objFSO.CreateTextFile("c:\temp\shdrv.log", True)

' Read the user list from column A of the first worksheet (one name per row, no header row).
Set objExcel = CreateObject("Excel.Application")
Set objWorkbook = objExcel.Workbooks.Open("C:\temp\users_list.xls")

intRow = 1
user = Trim(objExcel.Cells(intRow, 1).Value)

Do Until user = ""
        If users = "" Then
                users = user
        Else
                users = users & "," & user
        End If

        intRow = intRow + 1
        user = Trim(objExcel.Cells(intRow, 1).Value)
Loop

' Release Excel, otherwise an EXCEL.EXE process is left running after every execution.
objWorkbook.Close False
objExcel.Quit

Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")
root = "LDAP://" & ROOT_OU & "," & strDNSDomain
objInputFile.WriteLine root

RecurseOUs GetObject(root)

objInputFile.Close
WScript.Quit

' Walk every OU under the given container and look for the listed users in each one.
Sub RecurseOUs(objOU)
        Dim objOUObject, objChildOU, strConnString
        For Each objOUObject In objOU
                If UCase(Left(objOUObject.Name, 3)) = "OU=" Then
                        strConnString = objOUObject.distinguishedName
                        objInputFile.WriteLine strConnString
                        Set objChildOU = GetObject("LDAP://" & strConnString)

                        CheckUser strConnString
                        RecurseOUs objChildOU
                End If
        Next
End Sub

Sub CheckUser(strConnString)
        On Error Resume Next

        For Each user In Split(users, ",")
                objInputFile.WriteLine
                objInputFile.WriteLine "User: " & user

                strUser = "cn=" & user & ","
                strLDAP = "LDAP://" & strUser & strConnString
                objInputFile.WriteLine strLDAP

                ' Err must be cleared before the bind: with On Error Resume Next a stale error
                ' from a previous iteration would otherwise make every later bind look failed.
                Err.Clear
                Set objUser = GetObject(strLDAP)
                If Err.Number = 0 Then

                        ' The OU two levels above the user is treated as the site OU
                        ' (cn=user,ou=Users,ou=A,ou=SITES,... -> ou=A). Its full DN is used for matching.
                        Set objParent = GetObject(GetObject(objUser.Parent).Parent)
                        objParent.GetInfo

                        parent = objParent.Name
                        parentDN = objParent.Get("distinguishedName")
                        objInputFile.WriteLine "Parent Site: " & parent & " (" & parentDN & ")"

                        ' An account with no memberOf raises E_ADS_PROPERTY_NOT_FOUND. Treat that as an
                        ' empty list instead of silently reusing the previous user's array.
                        Err.Clear
                        objmemberOf = objUser.GetEx("memberOf")
                        If Err.Number <> 0 Then
                                objmemberOf = Array()
                                objInputFile.WriteLine "No group memberships (Err " & Hex(Err.Number) & ")"
                                Err.Clear
                        End If

                        For Each strGroupDN In objmemberOf
                                objInputFile.WriteLine
                                objInputFile.WriteLine "Group LDAP: " & strGroupDN

                                Set objGroup = GetObject("LDAP://" & strGroupDN)
                                objGroup.GetInfo

                                strName = objGroup.Get("name")
                                strSAMAccountName = objGroup.Get("sAMAccountName")
                                intGroupType = objGroup.Get("groupType")
                                distinguishedName = objGroup.Get("distinguishedName")

                                objInputFile.WriteLine "distinguishedName: " & distinguishedName
                                objInputFile.WriteLine "name: " & strName
                                objInputFile.WriteLine "sAMAccountName: " & strSAMAccountName

                                ' Everything goes to the log file; WScript.StdOut is unavailable under wscript.exe.
                                objInputFile.Write "Group scope: "
                                If intGroupType And ADS_GROUP_TYPE_LOCAL_GROUP Then
                                  objInputFile.WriteLine "Domain local"
                                ElseIf intGroupType And ADS_GROUP_TYPE_GLOBAL_GROUP Then
                                  objInputFile.WriteLine "Global"
                                ElseIf intGroupType And ADS_GROUP_TYPE_UNIVERSAL_GROUP Then
                                  objInputFile.WriteLine "Universal"
                                Else
                                  objInputFile.WriteLine "Unknown"
                                End If

                                objInputFile.Write "Group type: "
                                If intGroupType And ADS_GROUP_TYPE_SECURITY_ENABLED Then
                                  objInputFile.WriteLine "Security group"
                                Else
                                  objInputFile.WriteLine "Distribution group"
                                End If

                                objInputFile.WriteLine
                                objInputFile.WriteLine "***** validating user's group [START]********"
                                objInputFile.WriteLine "Looking for " & parentDN & " at the end of " & distinguishedName

                                ' Suffix match on the site OU's DN (preceded by a comma). A plain InStr on
                                ' "OU=A" would also match groups under OU=Admins or OU=Accounting.
                                If Right(UCase(distinguishedName), Len(parentDN) + 1) = "," & UCase(parentDN) Then
                                        objInputFile.WriteLine "Group " & strName & " is under the same site as user " & user
                                        objInputFile.WriteLine "Prepare to remove user " & user & " from group " & strName

                                        ' Remove the user's DN from the group's "member" attribute. The group object
                                        ' itself is kept. Scope and type do not matter here: global, domain local,
                                        ' universal and distribution groups all store members in "member".
                                        Err.Clear
                                        objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(objUser.Get("distinguishedName"))
                                        objGroup.SetInfo
                                        If Err.Number = 0 Then
                                                objInputFile.WriteLine "user " & user & " was removed from group " & strName
                                        Else
                                                ' Typically "access denied" when the group is outside this admin's delegation.
                                                objInputFile.WriteLine "FAILED to remove " & user & " from " & strName & ": " & Err.Description
                                                Err.Clear
                                        End If
                                End If

                                objInputFile.WriteLine "***** validating user's group [END]********"
                                objInputFile.WriteLine
                        Next
                Else
                        objInputFile.WriteLine "not found in this OU (Err " & Hex(Err.Number) & ")"
                        Err.Clear
                End If
        Next
End Sub
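The same procedure in PowerShell with the ActiveDirectory module, added here as an example; it is not code from the original question or answer. It reads the user list from a CSV export of the spreadsheet (assumed to have a SamAccountName column), keeps only the groups whose DN ends with the site OU's DN, and removes the user from each group's member attribute rather than deleting any group object. The file paths, the $SiteOU value, the CSV column name and the -DryRun switch are assumptions; RSAT's ActiveDirectory module must be installed on the machine running it.

```powershell
<#
  Added example (not part of the original post): remove each listed user from every
  group that lives under one site OU, without touching groups elsewhere in the domain.
  Assumptions (not in the original question/answer):
    - the spreadsheet has been saved as CSV with a header column "SamAccountName"
    - $SiteOU is the DN of the site OU the operator administers
    - the ActiveDirectory PowerShell module (RSAT) is installed
#>
param(
    [Parameter(Mandatory)] [string] $CsvPath,           # e.g. C:\temp\users_list.csv
    [Parameter(Mandatory)] [string] $SiteOU,            # e.g. "OU=A,OU=SITES,DC=OURDC,DC=COM"
    [string] $LogPath = "C:\temp\remove-site-groups.log",
    [switch] $DryRun                                    # log what would change, change nothing
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log([string] $Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# A group "belongs to the site" only if its DN ends with ",<site OU DN>".
# A plain substring test would also match OU=Admins when the site is OU=A.
function Test-InSiteOU([string] $DistinguishedName, [string] $OuDn) {
    return $DistinguishedName.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)
}

$users = @(Import-Csv -Path $CsvPath)
Write-Log "Processing $($users.Count) users; site OU = $SiteOU; DryRun = $DryRun"

foreach ($row in $users) {
    $sam = "$($row.SamAccountName)".Trim()
    if (-not $sam) { continue }

    # -Identity takes an exact sAMAccountName (no wildcard), so a similarly named
    # account in another OU cannot be picked up by accident.
    try {
        $user = Get-ADUser -Identity $sam -Properties memberOf -ErrorAction Stop
    } catch {
        Write-Log "SKIP  $sam : not found or not readable ($($_.Exception.Message))"
        continue
    }

    # Confirm the account itself is one of ours before touching its memberships.
    if (-not (Test-InSiteOU $user.DistinguishedName $SiteOU)) {
        Write-Log "SKIP  $sam : account is not under $SiteOU ($($user.DistinguishedName))"
        continue
    }

    $siteGroups = @($user.memberOf | Where-Object { Test-InSiteOU $_ $SiteOU })
    Write-Log "USER  $sam : $($user.memberOf.Count) groups total, $($siteGroups.Count) under site OU"

    foreach ($groupDn in $siteGroups) {
        # Remove the user from the group; the group object itself is left alone.
        # Scope and type (global, domain local, universal, distribution) do not matter:
        # the member attribute is edited the same way for all of them.
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $user.DistinguishedName `
                -Confirm:$false -WhatIf:$DryRun -ErrorAction Stop
            Write-Log "  removed from $groupDn"
        } catch {
            # Typically "Access is denied" when the group is outside this admin's delegation.
            Write-Log "  FAILED $groupDn : $($_.Exception.Message)"
        }
    }
}
Write-Log "Done."
```

Run it once with -DryRun and read the log before running it for real: the dry run lists, per user, exactly which groups would be changed, which is the confirmation step the question asks for, and any group that still fails with "access denied" on the real run is one outside your delegated OU that the script correctly left alone.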