<-> wrote in message news:...
> I've seen the examples with
>
> LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com
>
> but it's only one account, I have a whole OU full of accounts whose group
> memberships I need to clear (Domain Users excepted of course). I know I
> can't modify the user account I have to modify the group, because memberof
> is backlinked, but is there a way to essentially loop through the actions
> of the one account and its group memberships, then move to the next user
> account and repeat?
>
> Any help appreciated
You can enumerate all users in the OU, and for each user enumerate all
direct group memberships, which will not include the "primary" group (which
should be "Domain Users"). You can use the Remove method of each group
object to remove the user from the group. To save binding to each group
repeatedly for many users, I would track the groups in a dictionary object.
For example (not tested):
============
Option Explicit

Dim objOU, objUser, arrGroups, strGroup, objGroup
Dim objGroupList

' Bind to OU object.
Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com")

' Filter on objects of class user.
objOU.Filter = Array("user")

' Create dictionary object of group objects.
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare

' Enumerate users in OU.
For Each objUser In objOU
    ' Enumerate direct group memberships.
    ' Trap error if there are no groups.
    ' Primary group is not included.
    On Error Resume Next
    arrGroups = objUser.GetEx("memberOf")
    If (Err.Number = 0) Then
        On Error GoTo 0
        For Each strGroup In arrGroups
            ' Check if group already bound.
            If (objGroupList.Exists(strGroup) = False) Then
                ' Add group object to the dictionary object.
                Set objGroupList(strGroup) = GetObject("LDAP://" & strGroup)
            End If
            ' Remove user from the group.
            objGroupList(strGroup).Remove(objUser.AdsPath)
        Next
    End If
    On Error GoTo 0
Next
--
Richard Mueller
MVP Directory Services
Hilltop Lab -
http://www.rlmueller.net
--
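
A dry-run variant of the approach above, as an added example that is not part of the original post: it writes every user/group pair to a tab-separated log before anything is removed, so the memberships can be reviewed first and restored later. The log file name, the DRY_RUN switch and the action labels are assumptions made for this example; the OU path is the one used in the post.

```vbscript
' Added example, not from the original post: audit log plus dry-run switch.
Option Explicit

Const DRY_RUN = True                          ' Assumption: set to False to really remove.
Const LOG_FILE = "membership-backup.tsv"      ' Assumption: rollback log file name.
Const FOR_APPENDING = 8
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D   ' ADSI error when memberOf is empty.

Dim objFSO, objLog, objOU, objUser, arrGroups, strGroup
Dim objGroupList, lngErr, strAction

' Append so the record from an earlier run is never overwritten.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_FILE, FOR_APPENDING, True)

Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com")
objOU.Filter = Array("user")
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare

For Each objUser In objOU
    ' Save the error code before On Error GoTo 0 clears it.
    On Error Resume Next
    arrGroups = objUser.GetEx("memberOf")
    lngErr = Err.Number
    On Error GoTo 0
    If (lngErr = 0) Then
        For Each strGroup In arrGroups
            strAction = "would-remove"
            If Not DRY_RUN Then
                If (objGroupList.Exists(strGroup) = False) Then
                    Set objGroupList(strGroup) = GetObject("LDAP://" & strGroup)
                End If
                ' Record failures (for example access denied) and keep going.
                On Error Resume Next
                objGroupList(strGroup).Remove objUser.AdsPath
                If (Err.Number = 0) Then strAction = "removed" _
                    Else strAction = "failed 0x" & Hex(Err.Number)
                On Error GoTo 0
            End If
            objLog.WriteLine Now & vbTab & objUser.Get("distinguishedName") _
                & vbTab & strGroup & vbTab & strAction
        Next
    ElseIf (lngErr <> E_ADS_PROPERTY_NOT_FOUND) Then
        ' Anything other than "no memberships" is worth seeing in the log.
        objLog.WriteLine Now & vbTab & objUser.AdsPath & vbTab & vbTab _
            & "read-failed 0x" & Hex(lngErr)
    End If
Next
objLog.Close
```

Run it once with DRY_RUN left at True and check the log against the intended OU before switching it to False; each logged user and group DN pair is what a later Add call on the group would need to put a membership back.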