In this post we will look at how to remove the group membership of a number of users using the NetTools LDAP Search option. This is a typical user deprovisioning activity: the user accounts are moved to a separate OU and their group memberships are removed.
We could also use LDAP Search to move the user objects to the OU, but we will assume that the user accounts are already in the target OU.
To complete this operation we need to carry out the following steps:
Get a list of groups that users are a member of
First go to the LDAP Search option and click on the populate button.
Click on the OU Selector and select the OU that contains the users that need their group membership cleared.
The Base DN will be set to the required OU.
To limit the scope of the query to only the users that are disabled and have group membership, change the Filter to (&(objectclass=user)(useraccountcontrol|=2)(memberof=*))
Set the Attributes field to memberof
Change the Search Scope to either One Level or Subtree as required
Click the More button
Select the Single Line option - this causes each of the user's group memberships to be displayed on a separate line
You should have something like this:
Click Go
You should get a complete list of the group membership for all the users, with each group membership on a separate line in the table view. The DN field is the DN of the user, and Memberof is the group that the user is a member of.
Remove users from groups based on the list produced in step 1
We are going to use the Input Mode functionality with an update query to remove the users from the groups. Because group membership is stored on the group object (its member attribute), the update query targets each group and removes the user from it.
Right click on the table view and select the Table Input Mode or select Table Input in the options
The column headers will change to ##Input and ##Input2, and the entries in the columns can now be used as input to the query. See Input Mode for more details.
Change the Base DN field to ##input2 - the query will then target each group DN listed in the ##input2 column of the table
We now need to change the query to remove the users from the groups.
Change the Filter to (objectclass=group)
Change the Attributes field to member=-##input
Change the Search Scope to Base Level
Select the Enable Updates option; for more details see Update Queries.
Deselect the Display Results option - this improves performance, as the remaining membership of each group will not be displayed.
With the Preview option selected click Go.
Check all the entries to confirm that each line has a DN and a member entry added. If one or both of these fields are missing on a line, it means that the group on that line doesn't exist. This shouldn't happen as we have just exported the group membership, but someone else might have changed the group membership between the steps being run.
Once confirmed, unselect the Preview option and click Go
You will get a warning message; click Yes
The member field will be changed to Updated if the user was successfully removed from the group; if the update failed, an error message will be displayed.
The details in the table view can be copied and pasted into a spreadsheet to record what changes have been made. The same list can also be used to undo the changes: by changing the Attributes field to member=+##input and running the update query again, the users will be added back into the groups.
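The same two-step flow, written as an added PowerShell example rather than anything from the NetTools post: it assumes the RSAT ActiveDirectory module, a placeholder OU DN, and uses the standard LDAP bitwise-AND matching rule in place of the NetTools useraccountcontrol|=2 shorthand. -WhatIf plays the role of the Preview option, and the CSV written in step 1 is the record used for the undo.

```powershell
# Added example, not NetTools code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TargetOu = 'OU=Deprovisioned,DC=example,DC=com'   # placeholder: replace with the real OU DN

# Step 1: disabled users in the OU that still have group membership.
# userAccountControl bit 2 = ACCOUNTDISABLE, tested with the bitwise-AND matching rule.
$filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf=*))'
$users  = Get-ADUser -LDAPFilter $filter -SearchBase $TargetOu -SearchScope Subtree -Properties memberOf

# One row per (user, group) pair, like the Single Line table view; this is also the undo record.
$pairs = foreach ($u in $users) {
    foreach ($g in $u.memberOf) {
        [pscustomobject]@{ DN = $u.DistinguishedName; MemberOf = $g }
    }
}
$pairs | Export-Csv -Path '.\membership-before.csv' -NoTypeInformation

# Step 2: remove each user from each group by editing the group's member attribute
# (the equivalent of Base DN ##input2, Filter (objectclass=group), Attributes member=-##input).
function Remove-RecordedMembership {
    param([object[]]$Rows, [switch]$Preview)   # -Preview maps to NetTools' Preview option
    foreach ($p in $Rows) {
        try {
            Set-ADGroup -Identity $p.MemberOf -Remove @{ member = $p.DN } -WhatIf:$Preview
        } catch {
            # Same situation as a preview line with a missing DN/member: the group is gone
            # or was changed between the export and the update.
            Write-Warning "Could not update $($p.MemberOf) for $($p.DN): $($_.Exception.Message)"
        }
    }
}

# Undo (the member=+##input query): add every recorded (user, group) pair back.
function Restore-RecordedMembership {
    param([string]$CsvPath = '.\membership-before.csv')
    Import-Csv -Path $CsvPath | ForEach-Object {
        Set-ADGroup -Identity $_.MemberOf -Add @{ member = $_.DN }
    }
}

Remove-RecordedMembership -Rows $pairs -Preview   # check the WhatIf output first
# Remove-RecordedMembership -Rows $pairs          # then run for real
```

Run the preview line, review the WhatIf output for every group, and only then run the second call; Restore-RecordedMembership reads the CSV and reverses the change.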