Archived from groups: microsoft.public.adsi.general,microsoft.public.scripting.vbscript,microsoft.public.win2000.group_policy (
More info?)
"Glenn L" <the.only(delete)@gmail.com> wrote in message
news:eU34CrWwEHA.824@TK2MSFTNGP11.phx.gbl...
> It appears you want 1000+ users to loose their group membership and only
be
> a member of the "domain users" group.
> The easiest way to do this is to write a VBS script.
> There is no way to accomplish this using group policies.
>
> You might consider a less popular method (al-be-it more scary), if you
don't
> know scripting.
> This requires at least two domain controllers.
> Move all the users to an isolated OU, and replicate this change around.
> Perform a system state backup on one of the DCs.
> Delete the users OU (obviously do this off hours)
> Replicate this deletion. This will cause the groups forward links to the
> users to be broken.
> Then perform a system state restore, and mark the deleted OU as
> authoritative.
> This brings the users back, but will not recreate the links on the groups.
> The end result is all the users will have only the domain users as their
> group.
OUCH!! Seems a bit drastic, even more so than the most obvious script, which
would likely be time-consuming.
/Al
> The following two articles describe this phenomenon.
> http://support.microsoft.com/kb/q280079/
>
http://support.microsoft.com/kb/840001
>
> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
> news:uo3wLzRwEHA.3528@tk2msftngp13.phx.gbl...
> >I could just delete the user an accomplish the same thing, but seriously,
> > what I want to do is leave all the user accts intact and remove the
groups
> > from the accounts either by putting the accts into an AD container and
> > applying a GPO against it or some other method...
> >
> > "Ken B" <none@microsoft.com> wrote in message
> > news:uc2cCQPwEHA.3088@TK2MSFTNGP12.phx.gbl...
> >> If you delete the 'custom' security groups, they will no longer be
> >> members
> >> of the groups.... but you'll also lose the groups.
> >>
> >> Ken
> >>
> >>
> >> "D-a-n_L" <djlajoie@hotmail.com> wrote in message
> >> news:OP5I24OwEHA.3144@TK2MSFTNGP15.phx.gbl...
> >> > How can I, or what would be an efficient method to remove all but the
> >> > default security groups from a 1000+ user accounts. Can I just move
all
> > of
> >> > the accounts to a specific container and apply a policy that will do
> > this
> >> > or
> >> > is there another method that is recommended?
> >> >
> >> >
> >>
> >>
> >
> >
>
>