Removal of AD Group via Group Policy

    Question

  • Hello,

    I have a requirement to have the "Domain Users" group membership automatically removed from all users belonging to a particular AD OU.  As part of user provisioning, the user's Primary Group is already changed to something else.  My challenge is that the provisioning tool (IBM Tivoli Identity Management) my client uses is having trouble doing the removal.  In fact, I'm OK with that because, from a security perspective I'd much rather it happen on the GPO level in case "Domain Users" gets accidentally/manually re-added to the user community in question under the specific OU.

    I previously wrote a login script thinking that'll do the trick, but I quickly realized it was a chicken/egg situation because when running the login script under the user context, the removal failed, because the user doesn't have the correct AD permissions (i.e. Account Operators) to remove themselves from the group.  I tried running the script as a computer GPO which runs under local "System", but it too doesn't have the requisite AD permissions.

    Any suggestions?

    The login script:

    Option Explicit

    ' Resolve the ADsPath of the currently logged-on user
    Dim objSysInfo, CurrentUserLDAPDN
    Set objSysInfo = CreateObject("ADSystemInfo")
    CurrentUserLDAPDN = "LDAP://" & objSysInfo.UserName
    WScript.Echo CurrentUserLDAPDN

    Dim groupPath, userPath
    ' GetObject needs the LDAP:// provider prefix, a bare DN will not bind
    groupPath = "LDAP://CN=Domain Users,CN=Users,DC=company,DC=com"
    userPath = CurrentUserLDAPDN

    removeFromGroup userPath, groupPath

    ' Removes userPath from the group at groupPath if it is a direct member.
    ' Runs with the caller's rights, so it fails unless the caller may write
    ' the group's member attribute.
    Sub removeFromGroup(userPath, groupPath)
        Dim objGroup, member
        Set objGroup = GetObject(groupPath)

        For Each member In objGroup.Members
            If LCase(member.ADsPath) = LCase(userPath) Then
                objGroup.Remove userPath
                Exit Sub
            End If
        Next
    End Sub

    I did it in VBScript because that's my old school wheelhouse, but ideally, I'd like something in PowerShell.

    Any assistance / insight would be greatly appreciated.

    Cheers!

    Monday, December 12, 2016 8:38 PM

Answers

  • > "Users in a particular OU have the "Domain Users" group automatically and systemically removed from their group membership."
     
    That's similar to the concept of shadow groups (create and populate a group automatically with all members of a given OU). Google for shadow groups and then adjust to remove instead of adding :)
     
    • Marked as answer by ActLabs Tuesday, January 24, 2017 7:35 PM
    Wednesday, December 14, 2016 9:42 AM

All replies

  • Hi,

    >>I did it in VBScript because that's my old school wheelhouse, but ideally, I'd like something in PowerShell.

    You could try using:

    Remove-ADGroupMember -Identity "Domain Users" -Members <user> -Credential <privileged credential>

    >>because the user doesn't have the correct AD permissions

    Use domain admin credentials to do this.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 13, 2016 7:20 AM
    Moderator
  • Thanks, Andy.  That's half the battle.

    The other half is to have this run in a GPO under a non AD Admin context.  My end goal is to have something in a GPO that automatically removes the "Domain Users" group on logon.

    Any ideas?

    Tuesday, December 13, 2016 5:17 PM
  • A logon script can only do what the user account has permissions to do. Most users cannot remove themselves from groups.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, December 13, 2016 7:58 PM
  • Any other creative ideas for achieving the goal of:

    "Users in a particular OU have the "Domain Users" group automatically and systemically removed from their group membership."

    Options I'm considering:

    1. Coming up with a PowerShell or VBScript that impersonates a privileged user that runs the remove.

    2. Have a scheduled task that runs x times a day that runs under a privileged service account.

    But, I'm looking for something more elegant and secure.

    Cheers!

    Tuesday, December 13, 2016 8:30 PM
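The marked answer points at shadow groups run in reverse, and the original poster's option 2 (a scheduled task under a service account) is the only place that logic can run with enough rights, as Richard's reply explains. The script below is an added example written for this thread, not code posted by anyone in it or shipped by any product it mentions. It enumerates every user under one OU and removes the explicit "Domain Users" membership, skipping accounts whose primary group still is Domain Users (AD refuses that removal, and the OP's provisioning step is supposed to have changed the primary group first). The OU distinguished name, the log path and the service account are assumptions: the account is assumed to have been delegated only write access to the `member` attribute of the Domain Users group, not Domain Admin rights.

```powershell
<#
  Added example for this thread (not from the thread or from any poster).
  "Reverse shadow group": strip users under one OU out of Domain Users.

  Assumptions (not stated in the thread):
    - $TargetOU is a placeholder; replace it with the real OU DN.
    - Runs as a scheduled task under a dedicated service account that was
      delegated write access to the "member" attribute of Domain Users only.
    - The RSAT ActiveDirectory module is installed on the host running it.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetOU  = 'OU=Contractors,DC=company,DC=com',   # placeholder OU
    [string]$GroupName = 'Domain Users',
    [string]$LogPath   = "$env:ProgramData\DomainUsersCleanup.log"
)

Import-Module ActiveDirectory

function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

$group = Get-ADGroup -Identity $GroupName

# Domain Users is the well-known RID 513. AD will not remove a user from its
# primary group, so accounts whose primaryGroupID still points at 513 are
# logged and skipped instead of producing a failed removal.
$domainUsersRid = 513

$users = @(Get-ADUser -SearchBase $TargetOU -SearchScope Subtree -Filter * `
                      -Properties memberOf, primaryGroupID)

$removed = 0
$skipped = 0
foreach ($u in $users) {
    if ($u.primaryGroupID -eq $domainUsersRid) {
        Write-Log "SKIP   $($u.SamAccountName): primary group is still $GroupName"
        $skipped++
        continue
    }

    # memberOf holds explicit memberships only. Once provisioning changes the
    # primary group, the old primary group becomes an explicit entry, which is
    # exactly the membership this task removes.
    if ($u.memberOf -notcontains $group.DistinguishedName) { continue }

    # -WhatIf on the script shows what would be removed without touching AD
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $GroupName")) {
        try {
            Remove-ADGroupMember -Identity $group -Members $u -Confirm:$false
            Write-Log "REMOVE $($u.SamAccountName) from $GroupName"
            $removed++
        }
        catch {
            Write-Log "ERROR  $($u.SamAccountName): $($_.Exception.Message)"
        }
    }
}

Write-Log "Done: scanned=$($users.Count) removed=$removed skipped=$skipped"
```

Run it once interactively with `-WhatIf -Verbose` against the target OU before registering it in Task Scheduler under the service account (the account needs the "Log on as a batch job" right). Because the task runs with delegated rights on a single attribute of a single group rather than as a Domain Admin, a compromise of the task host or the account does not hand out broad AD write access, which addresses the "more elegant and secure" requirement in the thread. Each removal also produces a security event 4729 ("A member was removed from a security-enabled global group") on the domain controller, so the script's log file can be reconciled against the DC audit trail.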