How To: Clear the group membership for a list of users

In this post we will look at how to remove the group membership of a number of users using the NetTools LDAP Search option. This action is typical in a user deprovisioning activity, where user accounts are moved to a separate OU and the group membership of those users is removed.

We could also use LDAP Search to move the user objects to the OU as well, but we will assume that the user accounts are already in the target OU.

To complete this operation we need to complete the following steps:

Clear Group Membership Steps

    Step 1: Get a list of groups that the users are a member of

    First go to the LDAP Search option and click on the populate button.

    Populate

    Click on the OU Selector and select the OU that contains the users that need their group membership cleared.

    OU Selector

    The Base DN will be set to the required OU.

    To limit the scope of the query to only the users that are disabled and have group membership, change the filter to (&(objectclass=user)(useraccountcontrol|=2)(memberof=*)). Bit 2 of userAccountControl is the ACCOUNTDISABLE flag; in standard LDAP syntax the same bitwise test is written (userAccountControl:1.2.840.113556.1.4.804:=2).

    Set the Attributes field to memberof

    Change the Search Scope to either One Level or Subtree as required

    Click the More button

    Select the Single Line option - this will cause each of the user’s group memberships to be displayed on a separate line

    You should have something like this:

    List Group Membership

    Click Go

    You should get a complete list of the group membership for all the users, with each group membership on a separate line in the table view. The DN field is the DN of the user, and Memberof is the group that the user is a member of.

    Group List Output

    Step 2: Remove users from groups based on the list produced in step 1

    We are going to use the input mode functionality with an update query to remove the users from the groups. Because membership is stored on the group object (its member attribute) rather than on the user, the update query targets each group in the list and removes the user from it.

    Right click on the table view and select the Table Input Mode or select Table Input in the options

    Input Mode

    The column headers will change to ##Input and ##Input2; the entries in the columns can now be used as input to the query. See Input Mode for more details.

    Change the Base DN field to read ##input2 - this will target the group based on the list of DNs in the ##input2 column in the table

    Input Mode Column Headers

    We now need to change the query to remove the users from the groups.

    Change the Filter to (objectclass=group)

    Change the Attributes field to member=-##input

    Change the Search Scope to Base Level

    Select the Enable Updates option; for more details see Update Queries.

    Deselect the Display Results option - this increases performance, as the remaining membership of each group will not be displayed.

    Remove Group Members

    With the Preview option selected click Go.

    Check all the entries to confirm that each line has a DN and a member entry added. If one or both of these fields are missing on a line, it means that the group on that line doesn’t exist. This shouldn’t happen, as we have just exported the group membership, but someone else might have changed the group membership between the steps being run.

    Preview Results

    Once confirmed unselect the Preview option and click Go

    You will get a warning message, click Yes

    The member field will be changed to Updated if the user was successfully removed from the group; if the update failed, an error message will be displayed instead.

    Update Results

    The details in the table view can be copied and pasted into a spreadsheet to record what changes have been made. The same list can also be used to undo the changes: by changing the Attributes field to member=+##input and running the update query again, the users will be added back into the groups.
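For readers who prefer to script the same deprovisioning steps, here is an added PowerShell example using the ActiveDirectory module; it is not code from the NetTools post or from NetTools itself. The OU, the CSV paths and the function names are assumptions; it keeps the one-row-per-membership record, the preview run and the undo path described above.

```powershell
# Added example, not part of the NetTools post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Step 1: one row per (user, group) for disabled users in the OU that still hold membership.
# Bit 2 of userAccountControl is ACCOUNTDISABLE; the standard LDAP bitwise-OR rule is used.
function Get-DisabledUserMembership {
    param([string]$SearchBase, [string]$SearchScope = 'Subtree')   # assumed parameter names
    $filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2)(memberOf=*))'
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope $SearchScope -Properties memberOf |
        ForEach-Object {
            $userDn = $_.DistinguishedName
            foreach ($groupDn in $_.memberOf) {
                [pscustomobject]@{ DN = $userDn; MemberOf = $groupDn }   # same columns as the table view
            }
        }
}

# Step 2: apply the list group by group. -Preview maps to -WhatIf (the post's Preview run);
# rows with an empty DN or MemberOf are skipped and reported, like the preview check above.
function Update-GroupMembership {
    param([object[]]$Rows, [switch]$Undo, [switch]$Preview)
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.DN) -or [string]::IsNullOrWhiteSpace($row.MemberOf)) {
            Write-Warning "Skipping incomplete row: '$($row.DN)' / '$($row.MemberOf)'"
            continue
        }
        try {
            if ($Undo) {
                Add-ADGroupMember -Identity $row.MemberOf -Members $row.DN -Confirm:$false -WhatIf:$Preview -ErrorAction Stop
            } else {
                Remove-ADGroupMember -Identity $row.MemberOf -Members $row.DN -Confirm:$false -WhatIf:$Preview -ErrorAction Stop
            }
            $row | Add-Member -NotePropertyName Result -NotePropertyValue 'Updated' -Force -PassThru
        } catch {
            # Mirrors the error shown in the member column when an update fails.
            $row | Add-Member -NotePropertyName Result -NotePropertyValue $_.Exception.Message -Force -PassThru
        }
    }
}

# Usage with assumed OU and paths: record first, preview, update, keep the results.
$rows = Get-DisabledUserMembership -SearchBase 'OU=Disabled Users,DC=example,DC=com'
$rows | Export-Csv -Path 'C:\Temp\membership-before.csv' -NoTypeInformation   # the undo record
Update-GroupMembership -Rows $rows -Preview                                   # preview only
$results = Update-GroupMembership -Rows $rows
$results | Export-Csv -Path 'C:\Temp\membership-results.csv' -NoTypeInformation
# Undo: Update-GroupMembership -Rows (Import-Csv 'C:\Temp\membership-before.csv') -Undo
```

Because each row is applied independently, a group that no longer exists produces one failed row rather than aborting the whole run, which is the same per-line outcome the table view shows.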