Remove Security Groups

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

How can I, or what would be an efficient method to remove all but the
default security groups from a 1000+ user accounts. Can I just move all of
the accounts to a specific container and apply a policy that will do this or
is there another method that is recommended?

 

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

If you delete the 'custom' security groups, they will no longer be members
of the groups.... but you'll also lose the groups.

Ken


"D-a-n_L" <djlajoie@hotmail.com> wrote in message
news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
> How can I, or what would be an efficient method to remove all but the
> default security groups from a 1000+ user accounts. Can I just move all of
> the accounts to a specific container and apply a policy that will do this
> or
> is there another method that is recommended?
>
>

 

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

I could just delete the user an accomplish the same thing, but seriously,
what I want to do is leave all the user accts intact and remove the groups
from the accounts either by putting the accts into an AD container and
applying a GPO against it or some other method...

"Ken B" <none@microsoft.com> wrote in message
news:uc2cCQPwEHA.3088@TK2MSFTNGP12.phx.gbl...
> If you delete the 'custom' security groups, they will no longer be members
> of the groups.... but you'll also lose the groups.
>
> Ken
>
>
> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
> news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
> > How can I, or what would be an efficient method to remove all but the
> > default security groups from a 1000+ user accounts. Can I just move all
of
> > the accounts to a specific container and apply a policy that will do
this
> > or
> > is there another method that is recommended?
> >
> >
>
>

 

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

It appears you want 1000+ users to loose their group membership and only be
a member of the "domain users" group.
The easiest way to do this is to write a VBS script.
There is no way to accomplish this using group policies.

You might consider a less popular method (al-be-it more scary), if you don't
know scripting.
This requires at least two domain controllers.
Move all the users to an isolated OU, and replicate this change around.
Perform a system state backup on one of the DCs.
Delete the users OU (obviously do this off hours)
Replicate this deletion. This will cause the groups forward links to the
users to be broken.
Then perform a system state restore, and mark the deleted OU as
authoritative.
This brings the users back, but will not recreate the links on the groups.
The end result is all the users will have only the domain users as their
group.

The following two articles describe this phenomenon.
http://support.microsoft.com/kb/q280079/
http://support.microsoft.com/kb/840001

"D-a-n_L" <djlajoie@hotmail.com> wrote in message
news:uo3wLzRwEHA.3528@tk2msftngp13.phx.gbl...
>I could just delete the user an accomplish the same thing, but seriously,
> what I want to do is leave all the user accts intact and remove the groups
> from the accounts either by putting the accts into an AD container and
> applying a GPO against it or some other method...
>
> "Ken B" <none@microsoft.com> wrote in message
> news:uc2cCQPwEHA.3088@TK2MSFTNGP12.phx.gbl...
>> If you delete the 'custom' security groups, they will no longer be
>> members
>> of the groups.... but you'll also lose the groups.
>>
>> Ken
>>
>>
>> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
>> news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
>> > How can I, or what would be an efficient method to remove all but the
>> > default security groups from a 1000+ user accounts. Can I just move all
> of
>> > the accounts to a specific container and apply a policy that will do
> this
>> > or
>> > is there another method that is recommended?
>> >
>> >
>>
>>
>
>

 

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

Exactly, that was what I was looking for. Since GPO's can't do it, now I
need to find a script that will loop through multiple users with error
control to accomplish this. The scary recommendations is slick but your
right to drastic for this scenario albeit clever.

Can you apply a security template to multiple users or a container or is
this just for a computer object? Thanks.

"D-a-n_L" <djlajoie@hotmail.com> wrote in message
news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
> How can I, or what would be an efficient method to remove all but the
> default security groups from a 1000+ user accounts. Can I just move all of
> the accounts to a specific container and apply a policy that will do this
or
> is there another method that is recommended?
>
>

 

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

Or, you could get Hyena. It's a cool program that allows you to do batch
operations like what you're talking about from a nice GUI interface. Very
easy to use, and pretty cheap, too. They also have a fully functional eval.

http://www.systemtools.com/hyena/


"D-a-n_L" <djlajoie@hotmail.com> wrote in message
news:ektygcbwEHA.2196@TK2MSFTNGP14.phx.gbl...
> Exactly, that was what I was looking for. Since GPO's can't do it, now I
> need to find a script that will loop through multiple users with error
> control to accomplish this. The scary recommendations is slick but your
> right to drastic for this scenario albeit clever.
>
> Can you apply a security template to multiple users or a container or is
> this just for a computer object? Thanks.
>
> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
> news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
> > How can I, or what would be an efficient method to remove all but the
> > default security groups from a 1000+ user accounts. Can I just move all
of
> > the accounts to a specific container and apply a policy that will do
this
> or
> > is there another method that is recommended?
> >
> >
>
>

 

[Guest]

Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (More info?)

"Glenn L" <the.only(delete)@gmail.com> wrote in message
news:eU34CrWwEHA.824@TK2MSFTNGP11.phx.gbl...
> It appears you want 1000+ users to loose their group membership and only
be
> a member of the "domain users" group.
> The easiest way to do this is to write a VBS script.
> There is no way to accomplish this using group policies.
>
> You might consider a less popular method (al-be-it more scary), if you
don't
> know scripting.
> This requires at least two domain controllers.
> Move all the users to an isolated OU, and replicate this change around.
> Perform a system state backup on one of the DCs.
> Delete the users OU (obviously do this off hours)
> Replicate this deletion. This will cause the groups forward links to the
> users to be broken.
> Then perform a system state restore, and mark the deleted OU as
> authoritative.
> This brings the users back, but will not recreate the links on the groups.
> The end result is all the users will have only the domain users as their
> group.

OUCH!! Seems a bit drastic, even more so than the most obvious script, which
would likely be time-consuming.


/Al

> The following two articles describe this phenomenon.
> http://support.microsoft.com/kb/q280079/
> http://support.microsoft.com/kb/840001
>
> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
> news:uo3wLzRwEHA.3528@tk2msftngp13.phx.gbl...
> >I could just delete the user an accomplish the same thing, but seriously,
> > what I want to do is leave all the user accts intact and remove the
groups
> > from the accounts either by putting the accts into an AD container and
> > applying a GPO against it or some other method...
> >
> > "Ken B" <none@microsoft.com> wrote in message
> > news:uc2cCQPwEHA.3088@TK2MSFTNGP12.phx.gbl...
> >> If you delete the 'custom' security groups, they will no longer be
> >> members
> >> of the groups.... but you'll also lose the groups.
> >>
> >> Ken
> >>
> >>
> >> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
> >> news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
> >> > How can I, or what would be an efficient method to remove all but the
> >> > default security groups from a 1000+ user accounts. Can I just move
all
> > of
> >> > the accounts to a specific container and apply a policy that will do
> > this
> >> > or
> >> > is there another method that is recommended?
> >> >
> >> >
> >>
> >>
> >
> >
>
>