#1
preetham wrote:

> I need to write a script that will remove only few groups of a user from
> AD.
>
> any in this matter would be great.

You cannot modify AD objects with a query. You will need to bind to AD objects to make changes. The method I prefer to remove a user from a group would be similar to below:
================
' Bind to the user object.
Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

' Bind to the group object.
Set objGroup = GetObject("LDAP://cn=TestGroup,ou=East,dc=MyDomain,dc=com")

' Check if user is a member of the group.
If (objGroup.IsMember(objUser.AdsPath) = True) Then
    ' Remove user from group.
    objGroup.Remove(objUser.AdsPath)
End If

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

#2
Hi Richard,

If I want to remove only certain group memberships of a user, will the below given option work?

What I mean is, let's say user U1 is a member of groups G1, G2, G3, G4 and G5. When I disable the user I want all the groups except G3 to be removed. Can this be done?

"preetham" wrote:

> Thanks for you Richard
>
> "Richard Mueller [MVP]" wrote:
>
> > preetham wrote:
> >
> > > I need to write a script that will remove only few groups of a user from
> > > AD.
> > >
> > > any in this matter would be great.
> >
> > You cannot modify AD objects with a query. You will need to bind to AD
> > objects to make changes. The method I prefer to remove a user from a group
> > would be similar to below:
> > ================
> > ' Bind to the user object.
> > Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")
> >
> > ' Bind to the group object.
> > Set objGroup = GetObject("LDAP://cn=TestGroup,ou=East,dc=MyDomain,dc=com")
> >
> > ' Check if user is a member of the group.
> > If (objGroup.IsMember(objUser.AdsPath) = True) Then
> >     ' Remove user from group.
> >     objGroup.Remove(objUser.AdsPath)
> > End If
> >
> > --
> > Richard Mueller
> > Microsoft MVP Scripting and ADSI
> > Hilltop Lab - http://www.rlmueller.net
> > --

#3
Yes, you can just remove the group memberships you want and leave the rest. You would repeat the "If/Then/End If" structure for each group membership to be removed. It requires binding to each group whose membership will be modified.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"preetham" <preetham@discussions.microsoft.com> wrote in message news:1E747958-3C2E-40FC-9F9F-5D42863D7B23@microsoft.com...
> Hi Richard,
>
> If I want to remove only certain group memberships of a user, will the
> below given option work?
>
> What I mean is, let's say user U1 is a member of groups G1, G2, G3, G4 and
> G5. When I disable the user I want all the groups except G3 to be removed.
> Can this be done?
>
> "preetham" wrote:
>
>> Thanks for you Richard
>>
>> "Richard Mueller [MVP]" wrote:
>>
>> > preetham wrote:
>> >
>> > > I need to write a script that will remove only few groups of a user
>> > > from AD.
>> > >
>> > > any in this matter would be great.
>> >
>> > You cannot modify AD objects with a query. You will need to bind to AD
>> > objects to make changes. The method I prefer to remove a user from a
>> > group would be similar to below:
>> > ================
>> > ' Bind to the user object.
>> > Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")
>> >
>> > ' Bind to the group object.
>> > Set objGroup = GetObject("LDAP://cn=TestGroup,ou=East,dc=MyDomain,dc=com")
>> >
>> > ' Check if user is a member of the group.
>> > If (objGroup.IsMember(objUser.AdsPath) = True) Then
>> >     ' Remove user from group.
>> >     objGroup.Remove(objUser.AdsPath)
>> > End If
>> >
>> > --
>> > Richard Mueller
>> > Microsoft MVP Scripting and ADSI
>> > Hilltop Lab - http://www.rlmueller.net
>> > --
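
Added example (not part of the original thread and not Richard Mueller's code): the "remove every group except G3" case asked about above, done by enumerating the user's memberOf values and applying the same bind/IsMember/Remove step to each group that is not on a keep list. The distinguished names are constructed placeholders, and USER_DN, arrKeep and ShouldKeep are hypothetical names chosen for this sketch.

```vbscript
Option Explicit

' Constructed sample values: replace with the real distinguished names.
Const USER_DN = "cn=U1,ou=West,dc=MyDomain,dc=com"
Dim arrKeep : arrKeep = Array("cn=G3,ou=East,dc=MyDomain,dc=com")

Dim objUser, objGroup, varGroups, arrGroups, strGroupDN

' Bind to the user object.
Set objUser = GetObject("LDAP://" & USER_DN)

' memberOf comes back Empty (no groups), as a String (one group) or as an
' Array (several groups). The user's primary group, usually Domain Users,
' is never listed in memberOf and is not touched by this script.
varGroups = objUser.memberOf
If IsEmpty(varGroups) Then
    arrGroups = Array()
ElseIf IsArray(varGroups) Then
    arrGroups = varGroups
Else
    arrGroups = Array(varGroups)
End If

For Each strGroupDN In arrGroups
    If ShouldKeep(strGroupDN) Then
        WScript.Echo "Kept:    " & strGroupDN
    Else
        ' Bind to each group to be modified. A "/" inside a DN must be
        ' escaped before the DN is used in an ADSI path.
        Set objGroup = GetObject("LDAP://" & Replace(strGroupDN, "/", "\/"))
        If (objGroup.IsMember(objUser.AdsPath) = True) Then
            objGroup.Remove(objUser.AdsPath)
            WScript.Echo "Removed: " & strGroupDN
        End If
    End If
Next

' True when strDN matches an entry of the keep list (case-insensitive).
Function ShouldKeep(strDN)
    Dim strKeep
    ShouldKeep = False
    For Each strKeep In arrKeep
        If StrComp(strDN, strKeep, vbTextCompare) = 0 Then ShouldKeep = True
    Next
End Function
```

Run with cscript so the Kept/Removed lines go to the console and can be redirected to a file as a record of what was changed when the account was disabled.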