Removing User from Groups

  • Question

  • User-1337800814 posted


    hey all

    is it possible to remove one user from all groups?

    because I have about 1200 users and everyone could be in many groups, so what I want to do is to take the user and remove him from all groups that he belongs to

    thank you

    Sunday, June 22, 2008 3:16 AM

Answers

  • User1191518856 posted

    You should be able to use something like this:

    DirectoryEntry user = new DirectoryEntry("LDAP://cn=someuser,cn=users,dc=somedomain,dc=com", null, null);
    PropertyValueCollection groups = user.Properties["memberOf"];
    if (groups != null)
    {
       for (int i = 0; i < groups.Count; i++)
       {
          string groupDn = (string)propColl[i];
          if (!groupDn.StartsWith("cn=groupthatIwantToKeep", StringComparison.CurrentCultureIgnoreCase))
          {
             DirectoryEntry group = new DirectoryEntry("LDAP://" + groupDn, null, null);
             if (group != null)
             {
                 group.Invoke("Remove", new object[] { user.FullAddress });
             }
          }
       }
    }
    

    Some notes: You need to provide a valid LDAP path to the user you want to process. If you want to loop through a number of users, you don't go for the DirectoryEntry of the user, but rather use the DirectorySearcher to enumerate the users of your choice. Also, in my example I pass null, null to the DirectoryEntry. This means that the credentials of the current user will be used against the AD. This is fine as long as you're on your local box (running in Visual Studio), but as soon as you deploy this to IIS you need to consider how to set up the security. See Ryan Dunn's Common System.DirectoryServices Issues and Solutions for a discussion on this.

    Good luck!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 23, 2008 5:13 PM
  • User1191518856 posted

    Sorry. I took the code a bit out of context. I renamed some variables but forgot to do it in all places.

    1. propColl should be groups

    2. FullAddress should be Path.

    3. When you bind a DirectoryEntry, you always specify the distinguished name of the entry. For a user, the dn begins with cn= (which is the common name). If you want to identify the user by samaccountname, you need to do a search. See below for revised code.

    4. Well, groupDn contains the full distinguished name of the group, for example cn=Somegroup,dc=somedomain,dc=com. This path is valid if the group is located in the root of the AD. If the group is located in the Groups container, then the dn would read: cn=Somegroup,cn=Groups,dc=somedomain,dc=com. So it is not necessarily enough to add cn=groupname in front of dc=domain. It depends on where the group is located. In my code, when I do "LDAP://" + groupDn, this means that I construct the path dynamically, depending on the groupDn variable which is read from the memberOf multivalue attribute of the user. You can use the code as is, no need to modify this, as it will go through all groups except the one you want to keep.

    Revised code:

    string sAMAccountName = "someuser";
    DirectoryEntry root = new DirectoryEntry("LDAP://dc=somedomain,dc=com", null, null);
    DirectorySearcher searcher = new DirectorySearcher(root, "(samaccountname=" + sAMAccountName + ")", new string[] { "memberOf" });
    SearchResultCollection results = searcher.FindAll();
    foreach (SearchResult result in results)
    {
      if (result.Properties.Contains("memberOf"))
      {
        PropertyValueCollection groups = result.Properties["memberOf"];
        if (groups != null)
        {
           for (int i = 0; i < groups.Count; i++)
           {
              string groupDn = (string)groups[i];
              if (!groupDn.StartsWith("cn=groupthatIwantToKeep", StringComparison.CurrentCultureIgnoreCase))
              {
                 DirectoryEntry group = new DirectoryEntry("LDAP://" + groupDn, null, null);
                 if (group != null)
                 {
                     group.Invoke("Remove", new object[] { result.Path });
                 }
              }
           }
        }
      }
    }
    
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 24, 2008 2:29 AM
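Two things in the revised code above are worth tightening before it goes near 1200 accounts: the sAMAccountName is concatenated straight into the LDAP filter, and the "group to keep" test is a cn= prefix match, which also keeps any group whose name merely starts with that string, or a same-named group in another OU. The following is an added example, not code from the thread; it assumes the domain dc=somedomain,dc=com used in the posts and that the calling identity is allowed to modify the member attribute of the groups involved.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
static class GroupCleanup
{
    // RFC 4515 escaping: a sAMAccountName taken from user input cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Remove the user from every group in memberOf except keepGroupDn, matched on the full DN
    // (not a "cn=" prefix, which would also keep "cn=Sales2,..."). The primary group is never in memberOf.
    public static void RemoveFromAllGroupsExcept(string sAMAccountName, string keepGroupDn)
    {
        // null,null = caller's identity; under IIS use a dedicated app-pool account scoped to these groups.
        using (var root = new DirectoryEntry("LDAP://dc=somedomain,dc=com", null, null))
        using (var searcher = new DirectorySearcher(root,
            "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(sAMAccountName) + "))",
            new[] { "distinguishedName", "memberOf" }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || !result.Properties.Contains("memberOf")) return;
            string userDn = (string)result.Properties["distinguishedName"][0];
            foreach (string groupDn in result.Properties["memberOf"]) // ResultPropertyValueCollection enumerates directly
            {
                if (string.Equals(groupDn, keepGroupDn, StringComparison.OrdinalIgnoreCase)) continue;
                using (var group = new DirectoryEntry("LDAP://" + groupDn, null, null))
                {
                    group.Properties["member"].Remove(userDn); // edit the group's member attribute
                    group.CommitChanges();
                }
            }
        }
    }
}
```

Because the search result's memberOf values are enumerated directly, the GetDirectoryEntry() call mentioned later in the thread is not needed here.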

All replies

  • User-588862349 posted

    Yes, you can do it. From a web page you need to impersonate a role that has rights to do it. Ask the admin to create a specific user/password for you that has rights to do it.

    You'll use LDAP commands in ASP.NET.

    One suggestion is to just remove the user. You can turn right back around and add him back in and not assign him any groups. That should be easier than sequentially removing him from the groups. That may reset his password though.

    But, if that's not what you're looking for, you could grab all of his groups using LDAP and then call LDAP commands to remove him from those groups.

    Happy Coding!

    Jason

    Sunday, June 22, 2008 11:46 AM
  • User-1337800814 posted

    ok

    how could I grab all groups that one user belongs to, and how should I remove him from most of them, because I want every user to belong to only one group

    thank you

    Monday, June 23, 2008 1:35 AM
  • User-2009597737 posted

    You cannot remove memberOf; you have to remove the account from the group. Set the DirectoryEntry to the user object, loop through the memberOf values and save the group names in an array or something. Then loop through the array of memberOf values, create the DirectoryEntry for the AD group and remove the user from the group (account CN). I had to do a similar program to keep track of users being moved/deleted from the AD.

    HTH 

    Monday, June 23, 2008 8:43 AM
  • User-1337800814 posted

    thank you for answering me, but I have several questions that can help me to understand, if you don't mind
    1. what is propColl? it gave me an error
    2. what is FullAddress? it also gave me an error that I am missing some reference, so I am going to try .Path
    3. at the user definition you used cn=someuser; can I use sAMAccountName instead? that is if I wanted one user, but I have several users so I don't need to use it, right?
    4. you mean by "LDAP://" + groupDn that I just need to add cn=groupname just before dc=domain, right?

    note: I am using .NET Framework 3.5

    and thank you again for helping me with this

    Tuesday, June 24, 2008 2:04 AM
  • User-1771673208 posted

    Hi, just in regards to your script: thank you, very helpful, it did the job. But you need to specify a GetDirectoryEntry() method.

    "PropertyValueCollection groups = result.Properties["memberOf"];" should become "PropertyValueCollection groups = result.GetDirectoryEntry().Properties["memberOf"];"

    Then it should work well.

    Cheers

    Friday, November 20, 2009 4:51 AM