Discussion:
How to remove a computer object from a group via a batch script?
(too old to reply)
Egil Hansen
2005-02-23 21:50:40 UTC
Permalink
Hi

I need to remove a computer object from a group so it is not a member
anymore, but I need to do it via a batch script. I found a article on
TechNet that talked about using cusrmgr.exe (server 2000 reskit util)
but couldn't get it to work. I also played around with dsmod, but
since the computers all are in different OU I couldn't figure out how
to do that either. Can anybody help me out?

Say for instant, I have to computer objects, both member of the group
called "TestGroup". I want to remove them, when I run a script on each
of the computers (e.g. the computer I run the script on gets removed).

E.g.:
My domain is: microsoft.com
My groups name is: TestGroup, and is located at: microsoft.com\Users\
My first computer name is: PC001, and is located at
microsoft.com\Computers\
My second computer name is: PC002, and is located at
microsoft.com\Helpdesk\Computers\

How do I make a script that will detect what the computer name is and
where it is located in the domain, and then cancel its membership of a
specific group?

Long post, hope it makes a little sense.

Best regards, Egil Hansen.
Oli Restorick [MVP]
2005-02-23 22:25:47 UTC
Permalink
You could try using netdom.exe with the "remove" command. Netdom.exe is
part of the Support Tools folder on your Windows CD.

So, the command you'd issue would be something like "netdom.exe remove
%computername%".

I'm assuming that you've correctly delegated the ability to add and remove
computer accounts in Active Directory. You would not want to be logging on
to workstations with domain admin credentials unless you didn't care about
security.

Hope this helps

Oli
Post by Egil Hansen
Hi
I need to remove a computer object from a group so it is not a member
anymore, but I need to do it via a batch script. I found a article on
TechNet that talked about using cusrmgr.exe (server 2000 reskit util)
but couldn't get it to work. I also played around with dsmod, but
since the computers all are in different OU I couldn't figure out how
to do that either. Can anybody help me out?
Say for instant, I have to computer objects, both member of the group
called "TestGroup". I want to remove them, when I run a script on each
of the computers (e.g. the computer I run the script on gets removed).
My domain is: microsoft.com
My groups name is: TestGroup, and is located at: microsoft.com\Users\
My first computer name is: PC001, and is located at
microsoft.com\Computers\
My second computer name is: PC002, and is located at
microsoft.com\Helpdesk\Computers\
How do I make a script that will detect what the computer name is and
where it is located in the domain, and then cancel its membership of a
specific group?
Long post, hope it makes a little sense.
Best regards, Egil Hansen.
mocity
2005-02-24 22:09:06 UTC
Permalink
hey, i could be totally off in understanding what you want to do, but if you
trying to take a list of ten PC's (pc001,pc002,....pc010) and remove them
from being members of a security group (i.e. not an OU) but they're all in
diffrent ou's, you could try this:

1) type Net Group "testgroup" from a domain controller prompt. This should
show you the list of PC accounts in this group. something like "PC001$,
PC002$"

2) to remove PC001, type Net Group "testgroup" "PC001$" /delete

3) type net group "testgroup" again to verify its gone.

4) if you want to do this for many pcs, compile a text file called
listofpcs.txt with a list of the PC's.
Write a batch file like:

for /F "tokens=1 delims=" %%i in (listofpcs.txt) do net group "testgroup"
"%%i" /delete.

I would be careful b/c you could mess up your AD with batch files if you
make a mistake.
hope this helps.
-mocity
Post by Egil Hansen
Hi
I need to remove a computer object from a group so it is not a member
anymore, but I need to do it via a batch script. I found a article on
TechNet that talked about using cusrmgr.exe (server 2000 reskit util)
but couldn't get it to work. I also played around with dsmod, but
since the computers all are in different OU I couldn't figure out how
to do that either. Can anybody help me out?
Say for instant, I have to computer objects, both member of the group
called "TestGroup". I want to remove them, when I run a script on each
of the computers (e.g. the computer I run the script on gets removed).
My domain is: microsoft.com
My groups name is: TestGroup, and is located at: microsoft.com\Users\
My first computer name is: PC001, and is located at
microsoft.com\Computers\
My second computer name is: PC002, and is located at
microsoft.com\Helpdesk\Computers\
How do I make a script that will detect what the computer name is and
where it is located in the domain, and then cancel its membership of a
specific group?
Long post, hope it makes a little sense.
Best regards, Egil Hansen.
Egil Hansen
2005-03-02 14:26:03 UTC
Permalink
Actually, I might have been a little vague as to what I'm trying to do
here.

What I need to do is to run a script on each computer in our domain
only ONE time (this script copies a few files to the computer and sets
a few reg settings). To do this, I figured I need to use the "computer
configurations -> startup" part in a GPO, that would run my script when
the computer boots up, but before the user is able to log in (I am
unsure what rights the script has in the domain at this point). I would
however, also like to know which computers have already run the script.
So I read somewhere on TechNet, that I could make the computer objects
a member of a security group (i.e. not an OU), and then have the script
remove the computer it is running from, from the security group. This
way the members of the security group would also serve as a log over
which computers who hadn't executed the script yet. And, my GPO that
would tell the computers to run the script would of course only affect
computer objects that are a member of the security group.

However, I can't figure out how to remove a computer object from a
security group.

Continue reading on narkive:
Loading...