Sign in
 
HomeLibraryLearnDownloadsRepositoryCommunityForumsBlog
Script Center >
Help?! How to remove users from a security group when they leave an OU?

Answered Help?! How to remove users from a security group when they leave an OU?

  • Friday, November 16, 2012 4:56 PM
     
     
    Sign In to Vote
    0

    Hi

    I have already deployed a script which adds users to a group as soon as they are moved to (or created in) one particular OU.  I am, however, struggling to create one which removes any users from that group should they leave the OU.  For example, if someone moves from that business area to another, we don't want them to retain membership of that particular group. I am looking for a short, efficient script which would do this.

    Can anyone help me please??

    Mancunian Man.

     

All Replies

  • Friday, November 16, 2012 5:17 PM
    Moderator
     
     Answered Has Code
    Sign In to Vote
    1

    The VBScript below is based on a similar question some time ago, to enforce group membership based on the OU where the user resides. You must run the script periodically:

    Option Explicit

    Dim objOU, objGroup, objUser, objMember, strOUPath

    ' Bind to OU object.
    Set objOU = GetObject("LDAP://ou=TestOU,ou=ParentOU,dc=MyDomain,dc=com")

    ' Bind to group object.
    Set objGroup = GetObject("LDAP://cn=Test Group,ou=ParentOU,dc=MyDomain,dc=com")

    ' Enumerate all child objects in OU.
    For Each objUser In objOU
        ' Only consider user objects.
        If (objUser.Class = "user") Then
            ' Make sure user is in group.
            If (objGroup.IsMember(objUser.ADsPath) = False) Then
                ' Add the user to the group.
                objGroup.Add(objUser.ADsPath)
            End If
        End If
    Next

    ' Enumerate all members of the group
    strOUPath = objOU.ADsPath
    For Each objMember In objGroup.Members
        ' Only consider user members.
        If (objMember.Class = "user") Then
            ' Check that member is in the specified OU.
            If (LCase(objMember.Parent) <> LCase(strOUPath)) Then
                ' Remove the member from the group.
                objGroup.Remove(objMember.ADsPath)
            End If
        End If
    Next

    -----

    Do you somehow trigger a script to run when a users is moved?

    Richard Mueller - MVP Directory Services

    • Marked As Answer by MancunianMan Sunday, November 18, 2012 10:11 AM
    •  
     
  • Sunday, November 18, 2012 10:15 AM
     
     
    Sign In to Vote
    0

    Hi Richard

    That's fantastic; thank you so much.   :o)

    In the case of the script I already have in place, I simply use Scheduled Tasks to run it every morning. So doing the same with your script should suffice.  I'll give it a go!

    Thanks again

    Hugo.