Remove Multiple Computer Accounts from an Active Directory Group

  • Question

  • I am looking for a VBScript or PowerShell command to remove multiple computer accounts from an AD group.
    Wednesday, February 3, 2010 2:50 PM

Answers

  • The basic VBScript code to remove one computer from a group would be similar to below:

    ' Specify the Distinguished Name of the computer object.
    strComputerDN = "cn=TestComputer,ou=West,dc=MyDomain,dc=com"
    
    ' Bind to the group object.
    Set objGroup = GetObject("LDAP://cn=TestGroup,ou=East,dc=MyDomain,dc=com")
    
    ' Check if computer is a member of the group.
    If (objGroup.IsMember("LDAP://" & strComputerDN) = True) Then
        ' Remove computer from the group.
        objGroup.Remove("LDAP://" & strComputerDN)
    End If

    If you have a file of computer NetBIOS names, you will need to use the NameTranslate object to convert the NetBIOS names into Distinguished Names (DN's). For example:

    Option Explicit
    
    Dim objFSO, strFile, objFile, strNTName, strComputerDN
    Dim objTrans, strDomain, objGroup
    
    Const ForReading = 1
    ' Constants for NameTranslate
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    
    ' Specify NetBIOS name of the domain.
    strDomain = "MyDomain"
    
    ' Specify input file of computer NetBIOS names (NT names).
    strFile = "c:\scripts\computers.txt"
    
    ' Bind to the group object.
    Set objGroup = GetObject("LDAP://cn=MyGroup,ou=Sales,dc=MyDomain,dc=com")
    
    ' Open the file for read access.
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.OpenTextFile(strFile, ForReading)
    
    ' Use NameTranslate object to convert NT names to DN's.
    Set objTrans = CreateObject("NameTranslate")
    ' Initialize NameTranslate by locating Global Catalog.
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    
    ' Read NT names from input file.
    Do Until objFile.AtEndOfStream
        strNTName = Trim(objFile.ReadLine)
        ' Skip blank lines.
        If (strNTName <> "") Then
            ' Specify NT format of name.
            ' sAMAccountName of computer is NetBIOS name with "$" appended.
            ' Trap error if name not found.
            On Error Resume Next
            objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strNTName & "$"
            If (Err.Number <> 0) Then
                On Error GoTo 0
                Wscript.Echo "Computer " & strNTName & " not found."
            Else
                On Error GoTo 0
                ' Retrieve RFC 1779 Distinguished Name.
                strComputerDN = objTrans.Get(ADS_NAME_TYPE_1779)
                ' Check if computer is a member of the group.
                If (objGroup.IsMember("LDAP://" & strComputerDN) = True) Then
                    ' Remove computer from group.
                    objGroup.Remove("LDAP://" & strComputerDN)
                End If
            End If
        End If
    Loop
    
    ' Clean up.
    objFile.Close
    Richard Mueller
    MVP ADSI
    Wednesday, February 3, 2010 4:47 PM
  • If you can't use the ADPowerShell module as suggested, the Quest cmdlets are another option. The syntax is basically the same:

    Remove-QADGroupMember GroupName -Member computername
    Wednesday, February 3, 2010 4:55 PM

All replies

  • If you've got at least an AD 2003 domain with the ADGW service running on one of the DC's, and the ActiveDirectory Module from the W7 RSAT tools, it's as easy as:

    Remove-ADGroupMember <group name> -Members <list of accounts to remove>
    Wednesday, February 3, 2010 3:00 PM
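    As an added example (not code from this thread or from any of the posters), here is the file-driven version of the VBScript answer above, written for the ActiveDirectory module this reply recommends. It assumes RSAT with the ActiveDirectory module, a domain controller running ADWS, a text file of NetBIOS computer names one per line, and a session already authenticated to the target domain; the script name `Remove-ComputersFromGroup.ps1`, its parameter names and the log-line format are my own choices. It resolves each name by sAMAccountName (NetBIOS name plus the trailing `$`), skips names that do not exist or are not direct members, and removes the rest in one batch, honouring `-WhatIf`.

```powershell
# Remove-ComputersFromGroup.ps1  (added example, not from the original thread)
# Bulk-remove the computer accounts listed in a text file from one AD group.
# Assumed inputs: group name, a file of NetBIOS computer names (one per line),
# an authenticated session to the domain, and RSAT's ActiveDirectory module.
# Always run with -WhatIf first; the removal is a real directory write.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $GroupName,
    [Parameter(Mandatory)] [string] $InputFile,              # e.g. C:\scripts\computers.txt
    [string] $LogFile = '.\remove-group-members.log'         # assumed log location
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the group once and fail early if it does not exist or is unreadable.
$group = Get-ADGroup -Identity $GroupName -Properties member -ErrorAction Stop

# Direct members only: Remove-ADGroupMember cannot remove a computer that is a
# member via a nested group, so compare against the group's own 'member' DNs.
$currentMembers = @($group.member)

$toRemove = @()
foreach ($line in Get-Content -Path $InputFile) {
    $name = $line.Trim()
    if (-not $name) { continue }                              # skip blank lines

    # The sAMAccountName of a computer object is its NetBIOS name plus '$'.
    $sam = $name.TrimEnd('$') + '$'
    try {
        # -Identity accepts a sAMAccountName, so no LDAP filter string is built
        # from file content (avoids filter injection from a tampered input file).
        $computer = Get-ADComputer -Identity $sam -ErrorAction Stop
    } catch {
        Write-Warning "Computer '$name' not found in the domain; skipped."
        continue
    }
    if ($currentMembers -notcontains $computer.DistinguishedName) {
        Write-Verbose "Computer '$name' is not a direct member of '$GroupName'; skipped."
        continue
    }
    $toRemove += $computer
}

if ($toRemove.Count -eq 0) {
    Write-Host "Nothing to remove from '$GroupName'."
    return
}

# One directory write for the whole batch. Under -WhatIf ShouldProcess returns
# $false and only prints the plan, so nothing in AD changes.
$action = "Remove $($toRemove.Count) computer account(s)"
if ($PSCmdlet.ShouldProcess($group.DistinguishedName, $action)) {
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false -ErrorAction Stop
    foreach ($c in $toRemove) {
        # Record who removed what and when, for the change audit trail.
        "$(Get-Date -Format o) $env:USERDOMAIN\$env:USERNAME removed $($c.DistinguishedName) from $($group.DistinguishedName)" |
            Add-Content -Path $LogFile
    }
    Write-Host "Removed $($toRemove.Count) computer(s) from '$GroupName'; see $LogFile."
}
```

    Usage: `.\Remove-ComputersFromGroup.ps1 -GroupName MyGroup -InputFile C:\scripts\computers.txt -WhatIf -Verbose` to see the plan, then rerun without `-WhatIf`. Run it under an account that has been delegated write access to the group's `member` attribute rather than as a Domain Admin; the script needs nothing more than that, and `-Confirm:$false` is scoped to the one batch write so a typo in the input file cannot turn into a long series of silent removals.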
  • I vouch for the PowerShell method. Far FAR easier. And to confirm, I have used both the REMOVE-ADGROUPMEMBER (Active Directory Modules with a Server 2008 R2 DC) as well as Quest cmdlets.

    It's life-changingly easier.

    Sean
    The Energized Tech
    Powershell. It's so Easy and it's FREE! Dive in and use it now, It'll take no time. :) http://www.energizedtech.com
    Wednesday, February 3, 2010 7:38 PM