Question : Script to Remove Groups from the "Member of" groups in a list of user accounts

OK, I'm going to attempt to describe my request as clearly as possible.  I'm not a scripting expert by any means and need a lot of help to do this.  I've checked all over the internet to find something that will work that I can build on, but was only able to find a small example that I will paste below. Here's my situation:

We have a very large Windows 2003 AD domain with many OU's of which I have administrative rights over a single site (call it OU=A). We have many users moving in to, and out of, our OU. When we move a User "out of" our OU we need to Remove all the groups that exist in the "Member of" tab in ADUC associated with our site (OU=A). While this is a simple process when the move is for 1 to 15 users it gets much more work intensive when we have to move 50 to 100 users.  We often receive these requests with the users listed in an Excel spreadsheet. I would like to script this process by taking advantage of the spreadsheet.  

As always, there are a couple of catches. 1) The user account may have a Security group from another Site OU, which should be ignored because my admin account won't be able to remove it. 2) We need to remove Global, Domain Local, Universal, and Distribution groups that are in our Site OU (OU=A). Any group that exists in my Site OU (call it OU=A) will need to be removed.

The VB code snippet I found is below  It may not be the direction you would go, so I'm open to suggestions

* VBScript

On Error Resume Next

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
 
Set objUser = GetObject _
    ("LDAP://cn=cn=username,ou=A,ou=SITES,dc=OURDC,dc=OURDC,dc=COM")
arrMemberOf = objUser.GetEx("memberOf")
 
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "This account is not a member of any security groups."
    WScript.Quit
End If
 
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=username,ou=A,ou=SITES,dc=OURDC,dc=OURDC,dc=COM")
    objGroup.SetInfo
Next

The problem with this code is that it is for a single user and not calling an Excel file with a list of users. Also, I don't think it will handle the Groups that are in a different Site OU, but I'm not positive about this.

In the long term I'd like to make this the core of a larger script that confirms the user name before it removes groups then moves the users Exchange 2007 mailboxes to a staging or holding storage group, which already exists (I can fill in those blanks if I can get the proper commands and syntax).

I hope I explained this clearly enough.  Thanks in advance for your help and advice.  

Answer : Script to Remove Groups from the "Member of" groups in a list of user accounts

i changed the script to log to file instead of output to console.
the file is under c:\temp\shdrv.log

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134:

Option Explicit Const ADS_PROPERTY_DELETE = 4 Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 dim parent,intRow,users,user Dim objDelGroup, objRootLDAP, objGroup, objUser, objOU, objmemberOf Dim objParent,objWorkbook,objExcel,strValue, strMail,strDescription,strInfo,intgroupType,distinguishedName,strSAMAccountName dim groupParentLdap,strName, strUser, strDNSDomain, strLDAP, strList,root Set objFSO = CreateObject("Scripting.FileSystemObject") Set objInputFile = objFSO.CreateTextFile("c:\temp\shdrv.log", 2) const ROOT_OU = "ou=<ROOT_OU>" ' read users list from excel file Set objExcel = CreateObject("Excel.Application") Set objWorkbook = objExcel.Workbooks.Open ("C:\temp\users_list.xls") intRow = 1 user = objExcel.Cells(intRow,1).Value Do Until user = "" if users = "" then users = user else users = users & "," & user end if intRow = intRow + 1 user = objExcel.Cells(intRow,1).Value Loop Set objRootLDAP = GetObject("LDAP://RootDSE") strDNSDomain = objRootLDAP.Get("DefaultNamingContext") root = "LDAP://" & ROOT_OU & "," & strDNSDomain objInputFile.WriteLine root RecurseOUs GetObject(root) Sub RecurseOUs(objOU) Dim objOUObject, strConnString For Each objOUObject In objOU If UCase(Left(objOUObject.Name, 3)) = "OU=" Then strConnString = objOUObject.DistinguishedName objInputFile.WriteLine strConnString Set ObjUser = GetObject("LDAP://" & strConnString) CheckUser strConnString RecurseOUs ObjUser End If Next End Sub Sub CheckUser(strConnString) On Error Resume Next for each user in Split(users, ",") objInputFile.WriteLine objInputFile.WriteLine "User: " & user strUser ="cn=" & user & "," strLDAP ="LDAP://" & strUser & strConnString objInputFile.WriteLine strLDAP Set objUser = GetObject(strLDAP) If Err.Number = 0 Then Set objParent = GetObject(GetObject(objUser.Parent).Parent) objParent.GetInfo parent = Replace(objParent.Name, "CN=", "") objInputFile.WriteLine "Parent Site: " & parent objmemberOf = objUser.GetEx("memberOf") For Each objGroup in objmemberOf objInputFile.WriteLine objInputFile.WriteLine "Group LDAP: " & objGroup Set objGroup = GetObject("LDAP://" & objGroup) objGroup.GetInfo strName = objGroup.Get("name") strSAMAccountName = objGroup.Get("sAMAccountName") intgroupType = objGroup.Get("groupType") distinguishedName = objGroup.Get("distinguishedName") objInputFile.WriteLine "distinguishedName: " & distinguishedName objInputFile.WriteLine "name: " & strName objInputFile.WriteLine "sAMAccountName: " & strSAMAccountName WScript.StdOut.Write "Group scope: " If intGroupType AND ADS_GROUP_TYPE_LOCAL_GROUP Then objInputFile.WriteLine "Domain local" ElseIf intGroupType AND ADS_GROUP_TYPE_GLOBAL_GROUP Then objInputFile.WriteLine "Global" ElseIf intGroupType AND ADS_GROUP_TYPE_UNIVERSAL_GROUP Then objInputFile.WriteLine "Universal" Else objInputFile.WriteLine "Unknown" End If WScript.StdOut.Write "Group type: " If intGroupType AND ADS_GROUP_TYPE_SECURITY_ENABLED Then objInputFile.WriteLine "Security group" Else objInputFile.WriteLine "Distribution group" End If objInputFile.WriteLine objInputFile.WriteLine "***** validating user's group [START]********" objInputFile.WriteLine "Looking for " & parent & " in " & distinguishedName if InStr(UCase(distinguishedName), UCase(parent)) > 0 then objInputFile.WriteLine "Group " & strName & " is under the same site as user " & user groupParentLdap = "LDAP://" & ROOT_OU & "," & strDNSDomain objInputFile.WriteLine "Prepare to remove group " & strName & " from " & groupParentLdap Set objDelGroup = GetObject(groupParentLdap) objDelGroup.Delete "group", "cn=" & strName objInputFile.WriteLine "group " & strName & " was removed" end if objInputFile.WriteLine "***** validating user's group [END]********" objInputFile.WriteLine Next End IF Next End Sub objInputFile.Close WScript.Quit