CSSImport Utility - Remove Users from Groups
We have a security group that has a few hundred users assigned to the group. When there is a need to remove a user from the group it is difficult to find the user as I have to comb through the list to find the user I am trying to remove. Two questions: is there a way to sort the users in the group in Shared Services? The second question is can users be removed using the CSSImport utility by specifying the "delete" option in the importexport.properties? Does the "delete" option remove the user from the security group and/or does it delete it completely from Shared Services? (we are using Hyperion v9.3.0.1.0 Build 5)
Hi,
I am not so sure about the sorting, but removing users from groups can be done with the CSSImportExport utility. I see you are on 9.3.0; try to get hold of the 9.3.1 version, as it is backward compatible with the 9.3.0 version and more stable.
When removing users from groups, just set your import operation to update
import.operation=update
and in your import csv just put the group children elements and the users you want in the group.
#group_children
id,group_id,group_provider,user_id,user_provider
TestGroup,,,UserToKeepInGroup,Native Directory
This way it will keep the users in the import file and remove the users from the group that are not in the file; also, it does not remove the user from Shared Services, only from the group.
Ok?
Cheers
John
http://john-goodwin.blogspot.com/
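Because an update import keeps only the members listed in the file, the file has to be built from the group's current membership minus the users being removed. The Python sketch below is an added example, not part of the original post or of the CSSImportExport utility. It does that for one group and reports exactly who will be dropped. The sample data, the function names, the case-insensitive user matching and the section-boundary rule are assumptions.

```python
import csv
import io

HEADER = ["id", "group_id", "group_provider", "user_id", "user_provider"]

# Constructed sample in the layout shown in the answer; all names are made up.
SAMPLE_EXPORT = """\
#group_children
id,group_id,group_provider,user_id,user_provider
TestGroup,,,alice,Native Directory
TestGroup,,,bob,Native Directory
TestGroup,,,carol,Native Directory
TestGroup,SubGroup,Native Directory,,
OtherGroup,,,bob,Native Directory
"""


def read_group_children(text):
    """Return the rows of the #group_children section as dicts."""
    lines = [line.strip() for line in text.splitlines()]
    if "#group_children" not in lines:
        raise ValueError("no #group_children section found")
    body = []
    for line in lines[lines.index("#group_children") + 1:]:
        if not line or line.startswith("#"):
            break  # assumption: a blank line or the next #section ends it
        body.append(line)
    reader = csv.DictReader(io.StringIO("\n".join(body)))
    if reader.fieldnames != HEADER:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    return list(reader)


def plan_removal(rows, group, remove_users):
    """Split one group's rows into keep/drop and list requested users not found."""
    wanted = {u.casefold() for u in remove_users}  # assumption: IDs match case-insensitively
    keep, drop = [], []
    for row in rows:
        if row["id"] != group:
            continue  # rows of other groups are left out of the import file
        user = row["user_id"] or ""
        (drop if user and user.casefold() in wanted else keep).append(row)
    found = {row["user_id"].casefold() for row in drop}
    missing = sorted(u for u in remove_users if u.casefold() not in found)
    return keep, drop, missing


def build_import(keep):
    """Render the file to import with import.operation=update."""
    if not keep:
        # With no rows the group would not appear in the file at all.
        raise ValueError("keep list is empty; refusing to write the file")
    out = io.StringIO()
    out.write("#group_children\n")
    writer = csv.DictWriter(out, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(keep)
    return out.getvalue()


if __name__ == "__main__":
    rows = read_group_children(SAMPLE_EXPORT)
    keep, drop, missing = plan_removal(rows, "TestGroup", ["Bob", "dave"])
    print("will be removed:", [r["user_id"] for r in drop])
    print("not in group   :", missing)
    print(build_import(keep), end="")
```

Nested-group rows (those with group_id filled in) are carried over unchanged, so child groups are not dropped by accident.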
Similar Messages
-
I'm running a server 2012 std domain and I'm in the process of rebuilding our fileserver after we had some pretty serious permission issues. Bad permissions (Everyone had full access to user documents share) were migrated when we moved to the new server and
then by some strange Monday morning freak out all users lost access to their documents. I restored from backups, redirected everyone's folders back to local computer and started to reconfigure the share permissions. I moved our administration group back to
the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396 table 1, only difference is instead of creating a new security group
for redirection users, I used the everyone group) to test and everything went perfectly. The GPO created the users folders under the root and redirection was good to go. Along with that, other users cannot access other users documents anymore which was the
intended outcome.
Last night I was looking at security groups and see that our administration group (back office group: accounting, HR, etc..) was a member of the domain admins. I removed them from the domain admins group and added them to the administrators group (they do
need regular admin access) then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately think that permissions were broken again and started to get angry, but then realize that all the files
are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the domain admins group, logged out, logged back in and documents
are back and accessible by the user. Remove them from the domain admins group, log out, log back in and the documents are inaccessible again. Re-add to the domain admins group and back to normal.
Which leads me to now. If the users are part of the domain admins group, they have access to their files. If they are removed from the domain admins group, they lose access. When they lose access, they are still the owners of the files/folders with full
permissions, yet they can't access their documents. Also, just to add, the domain admins group has no specified permissions on the files or folders. See screenshots below..
Here is the root share.
And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.
Any ideas why removing the group from domain admins would drop access to their files? They are still the owners of the files and should have full access but they don't. Is there something I'm not seeing here?
Effective Access shows the user has full control of the Desktop folder
This is a problem with the Effective Access tab when using CREATOR OWNER. As you have noticed, the user doesn't really have the access that the tab says it does. This is because of how CREATOR OWNER works.
CREATOR OWNER is only evaluated when a file/folder is created.
IF a user can create a file/folder, then the permissions assigned to CREATOR OWNER are copied to a new permissions entry for that user.
To see this:
Logon as an administrator and create a file in the Desktop folder in your screenshot.
Examine the permissions of the new file.
You'll see that there is a new entry for the account you logged on with.
CREATOR OWNER is gone. CREATOR OWNER would still be there if you created a folder (because of "subfolders and files").
In the Desktop folder (in your screenshot), only SYSTEM and Administrator can create/access files.
To fix this, you need to grant the users the ability to list the directory contents and create new files/folders. This corresponds with the suggestion of Table 1 in the document you found.
I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue.
No, scary! This will grant those users administrative permission on your server. They will be able to see any file anywhere on that server.
If your goal is to provide a place that is private for each user, then the simplest approach is to grant each user permission to their own folder. Like this for Test User:
Notes for above:
I set the user's permission to Modify because there is no good reason why the user should change these permissions
The owner of this folder is unimportant. I leave it set to Administrators
You can, and I do, remove CREATOR OWNER. It adds no value in this situation and just causes confusion.
As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files.
The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders
and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?
If this works as you say, then Yes, it should work. But, I don't see the entries for use M*. Remember, there should be entries for the M* user that is a duplicate of CREATOR OWNER.
I suspect that Group Policy is creating the directories (elevated) and then changing the owner to M* afterward. This does not duplicate the CREATOR OWNER entries as needed. If this is the case, I consider it a flaw because your permissions do
not allow user M* to create files/folders, and group policy shouldn't bypass security.
I'm not saying you're wrong, I'm just curious why the technet article would advise Creator/Owner giving full control of subfolders and files only if that were not correct. I can add the permissions for the users easily, I just don't see why I need to give
explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and
folders.
When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
A couple things:
The article instructed the use of Folder Redirection Users group that had permissions to create files. Your examples didn't have that. Because of this, your user could create new files.
The article assumes that the directories you are creating will be empty. Existing files will be unreadable to everyone except Admins.
If you follow the directions in the article, then anyone in the Folder Redirection Users group can write files to anyone else's directory.
One benefit of the document's approach is that all the users could be redirected to the same folder using the article, and it would work. A benefit, I guess.
But, I like my users separate and unable to see each other's files -- at all. This is why I recommend replacing CREATOR OWNER with the specific user.
I believe this document is a "how to get it done" document, not necessarily a best practices document. I see it as a starting point, and that's why I didn't follow it exactly.
Lastly, CREATOR OWNER permissions are useful but confusing. I avoid them unless I have the rare circumstance where they are perfect.
When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
To summarize:
In the user's directory, you need to provide permission to list and create new files/folders, and you need to grant the user permission to the existing files.
-Tony -
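The CREATOR OWNER behaviour described in the answers above, as a simplified Python model added here (not code from the thread and not the Windows implementation). The root ACL, names and rights sets are constructed. Case 1 models the suspicion voiced in the thread that the folder was created by an elevated process and its owner changed afterwards, and it assumes Domain Admins membership puts the server's Administrators group in the user's token.

```python
from dataclasses import dataclass

CREATOR_OWNER = "CREATOR OWNER"
FULL = frozenset({"list", "read", "create", "write", "change_permissions"})
MODIFY = FULL - {"change_permissions"}


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset
    on_this_object: bool    # evaluated on the object that carries the entry
    inherited_by_new: bool  # handed down to subfolders and files created inside


@dataclass
class Node:
    name: str
    is_folder: bool
    owner: str
    acl: list


def create_child(parent, name, is_folder, creator):
    """Build a new object's ACL from the parent's inheritable entries."""
    acl = []
    for ace in parent.acl:
        if not ace.inherited_by_new:
            continue
        if ace.trustee == CREATOR_OWNER:
            # Evaluated once, at creation: the rights are copied to the creator.
            acl.append(Ace(creator, ace.rights, True, False))
            if is_folder:
                # A folder also keeps the placeholder for its own children.
                acl.append(Ace(CREATOR_OWNER, ace.rights, False, True))
        else:
            acl.append(Ace(ace.trustee, ace.rights, True, is_folder))
    return Node(name, is_folder, creator, acl)


def allowed(node, token, right):
    """Only entries on this object that name a SID in the token grant access.
    node.owner is deliberately not consulted: ownership grants no data access."""
    return any(a.on_this_object and a.trustee in token and right in a.rights
               for a in node.acl)


def demo():
    root = Node("Users$", True, "Administrators", [   # constructed root share ACL
        Ace("Administrators", FULL, True, True),
        Ace("SYSTEM", FULL, True, True),
        Ace(CREATOR_OWNER, FULL, False, True),        # "subfolders and files only"
    ])
    results = {}
    # Case 1: created elevated, owner changed afterwards (no entry for the user).
    desktop = create_child(root, "Desktop", True, "SYSTEM")
    desktop.owner = "testuser"
    results["owner_only"] = allowed(desktop, {"testuser"}, "read")
    results["via_administrators"] = allowed(
        desktop, {"testuser", "Administrators"}, "read")
    # Case 2: the user creates the folder, so CREATOR OWNER is resolved to them.
    own = create_child(root, "Desktop2", True, "testuser")
    results["creator"] = allowed(own, {"testuser"}, "read")
    results["folder_keeps_placeholder"] = any(
        a.trustee == CREATOR_OWNER for a in own.acl)
    note = create_child(own, "note.txt", False, "testuser")
    results["file_keeps_placeholder"] = any(
        a.trustee == CREATOR_OWNER for a in note.acl)
    # Recommended fix from the thread: an explicit Modify entry for the user.
    desktop.acl.append(Ace("testuser", MODIFY, True, True))
    results["after_explicit_grant"] = allowed(desktop, {"testuser"}, "read")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```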
Remove user from group with MaxL
hello, is it possible to remove a user from all groups he belongs to without knowing these groups? I want to execute a command such as "alter user my_user remove from ALL_GROUPS;"
thanks for your help
Not sure if it's feasible, but you could use the 'drop user' command to remove the user from the system, which would of course remove them from all groups, then use the 'create user' command to recreate the user and reassign them to the proper groups.
Good luck
-
I created a new user account from SSH connection to our cluster. The user belongs to two groups by default: nobody and wheel. I tried to delete him from the two groups by using dscl command, I got the following error:
/NetInfo/root/Groups > delete wheel GroupMembership ryan
<main> attribute status: eDSAttributeNotFound
/NetInfo/root/Groups > read wheel
AppleMetaNodeLocation: /NetInfo/root
GeneratedUID: ABCDEFAB-CDEF-......
GroupMembership: root
Password: *
PrimaryGroupID: 0
RealName: System Group
RecordName: wheel
RecordType: dsRecTypeStandard:Groups
SMBSID: ......
I would like to know how to remove him from the two groups. Thank you very much.
Apple Cluster Mac OS X (10.4.3)
I had to update the code to the following because Get-SPUser was not working properly:
# Load the SharePoint cmdlets when running outside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
$userName = "spfarm\spprofileimport";
$site = New-Object Microsoft.SharePoint.SPSite($url)
$web = $site.OpenWeb()
$siteGroups = $web.Groups;
Clear-Host
# Collect the site groups into an array so they can be picked by position
$mySiteGroups = @();
foreach($group in $siteGroups)
{
    Write-Host $group
    $mySiteGroups += $group;
}#foreach
$members = $web.Groups[$mySiteGroups[0]];
$owners = $web.Groups[$mySiteGroups[1]];
$visitors = $web.Groups[$mySiteGroups[2]];
#Convert the user name to an SPUser account
$spUser = $web.Site.RootWeb.EnsureUser($userName);
Write-Host $spUser.ID
# Remove the user from the owners group only
Remove-SPUser -Identity $spUser -Web $url -Group $owners
$web.Update();
# Release both the web and the site collection objects
$web.Dispose();
$site.Dispose();
Write-Host "User " $userName "removed from " $owners
Was I not using Get-SPUser correctly? -
How to Remove User from Built in Administrators group With Group Policy Enabled
Hi,
I want to remove user from Administrator group which is in restricted group. So I cannot remove him through Active Directory what is the way to remove user from Administrator restricted group.
Thanks
Jibran Ishtiaq
> Disable Group policy
"Edit", not "Disable"
> Under Domain click Delegation and went to the restricted group account.
> Remove User from group.
Why "Delegation"? Simply edit the GP object where the "Restricted
Groups" setting is in place...
> Also we have two DNS but one from where I remove account is the primary.
How is DNS related to group policy?
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Who removed user from AD Universal security group
Hello, I am trying to find who removed a user from a universal AD group. I checked that the audit management policy is enabled, but somehow the event is not getting generated or I am unable to find those events, so please help with how to find who did that job - removed the user
from the universal security group.
And suppose somebody is deleting: the logs should be generated on one of the local site domain controllers, is that correct? Or can they be generated anywhere, or on the member server? Is there any free third-party tool that can help here?
Thanks
Here is another informative technet blog resource that helps to track all the changes made in active directory : http://blogs.technet.com/b/askpfeplat/archive/2012/03/05/how-to-track-the-who-what-when-and-where-of-active-directory-attribute-changes-part-i-the-case-of-the-mysteriously-modified-upn.aspx
If you wish to audit such changes automatically, you may also consider this automated solution (http://www.activedirectoryaudit.com/) that would be a better approach to audit all the critical changes
in real time and get instant notification through customized email notification. -
Project Server 2013 - Remove user from resource pool via sync
Hello everyone,
has anyone managed to configure their Project Server 2013 box with a resource pool sync that will actually remove user from the resource pool (disable "User can be assigned as resource" or deactivate users) when the user is removed from the AD
group(s)?
Setup: Single box, SQL 2012 SP1, SharePoint/Project Server 2013 + PU March + CU April. 2 PWA instances, 1 in SharePoint and 1 in Project permission mode. Tried on 2 different machines (different setup, accounts, domains).
Proceedings:
Create AD user U, AD group G. Add U to G.
Go to PWA, setup resource pool sync with G, sync.
U is now in the resource pool, has no PWA permissions.
Remove U from G. Resync resource pool.
U is still in resource pool, still a resource, still active, can still be assigned as resource.
Adding U back to G and repeating the whole spiel with a resource pool and a PWA group sync of G will result in U being added and removed from the user list (as expected), and U being added but not removed from the resource pool.
Having read
http://technet.microsoft.com/en-us/library/gg982985.aspx and
http://technet.microsoft.com/en-us/library/gg750243.aspx, there does not seem to be an omission on my part.
The first article states:
Note:
The corresponding Project Server User Account is not deactivated based on this synchronization. If the same Active Directory user is configured to synchronize with a Project Server security group, the Project Server user account will be inactivated when
that synchronization occurs. For more information, see
Best practices to configure Active Directory groups for Enterprise Resource Pool synchronization in Project Server 2013.
Unfortunately, this deactivation either does not seem to occur even with a PWA group sync or I misunderstood the article.
So, did anyone manage to setup their resource pool sync in a way, that new resource will be added, but also be removed from the resource pool?
Kind regards,
Adrian
Hi Adrian,
you tried to sync the same AD group that you used for the resource pool sync also with a Project Server permission group?
And on removal of the user of the AD group the project user/resource is not deactivated? Only removed from the group
Regards
Christoph
Hi Christoph,
even though I might have tried that before, I tried it again in several constellations. It didn't change anything. The user will be properly added to and removed from the PWA group whenever I remove them from the AD group, the user will also stay active
(but cannot logon without permissions). However, the user will always remain in the resource pool, i.e. the "User can be assigned as resource." checkbox will remain unless it is cleared manually.
Having re-read the technet articles, none of the scenarios actually seem to describe or address the process that I require, or maybe I'm just misunderstanding. Let me just try to outline the core issue:
Add user to AD group. Sync AD group with resource pool. User is now a PWA resource and PWA user.
Remove user from AD group, but do not deactivate/delete user from AD.
(Magic happens!)
User cannot be assigned as resource in PWA.
So, is there anything to make this step 3 happen, or is it just not possible to sync users out of the resource pool anymore unless they are deleted/deactivated in AD?
Kind regards,
Adrian -
Remove users from Shared Services/ EPM
Gurus
I have some users who have gone to different department and some who are no more with the companies. I was just wondering if there is a script I can run in the EPM Environment/ Shared Services to remove users and the provisioning in bulk.
Thank you for your response.
Hi John,
I got it.
What I did was that I exported the GROUPS under APPLICATION GROUP -> FOUNDATION > SHARED SERVICES -> NATIVE DIRECTORY -> GROUP. Created a CSV file and deleted the user and then imported back again.
This is how it works right?
ALSO, can I totally erase the user. The above process deleted user from group. But if I need to delete the user overall from everywhere in the EPM app, is there a way to do so?
OR do I need to ask the server team to remove the user from MSAD.
Thanks -
Command Line - Remove user and group updates
I am remote at the moment and not able to access the GUI on a number of OS X server boxes. How do I remove a user and the user from group via the command line.
Thanks -
Add/Remove members from groups
Does anyone have a sample ldif entry to add/remove members from groups?
I am not exactly getting what you said here.
Basically if your intention is to rename RDN and reflect the changes in the group membership, you have to do totally 2 operations:
1) update your uid on the user entries.
2) update your membership on the group entry: remove the uid first, then add it:
updateM.ldif
# the "-" line separates the two modifications made to the same entry
dn: cn=groupA,ou=groups,ou=xxxxxxxxxxxxxxxxxxxxx
changetype: modify
delete: uniqueMember
uniqueMember: uid=1111,ou=people,ou=xxxxxxxx
-
add: uniqueMember
uniqueMember: uid=zz1111,ou=people,ou=xxxxxxx
save it
run:
ldapmodify -v -D xxx -w xxx -h xxx -p xxx -f <PATH>/updateM.ldif -
Can I remove users from an Ad-Hoc App?
We are producing some Ad-Hoc Multi-Issue Apps with the Adobe DPS for a client to use internally with their sales reps.
The client is concerned that as staff change over the content that is published into the App will still be available to staff that are no longer employed.
Is there a way to remove users from an App so they can no longer access content as new issues become available. Changing the Provisioning only affects newly built apps and not ones already built, so they can still access content?
Is there a way to have a login?
DPS content is downloaded to the device for offline reading.
It cannot be read when in the cloud.
Even if the articles are web content based and need online connection to display the content, once you disable access to it it's disabled for all readers. -
Remove users from all distribution groups in Microsoft 365
Hello
I would like to know if there is a way I can remove a user from all distribution groups in Microsoft 365. I have a rather large list of users that this would need to be applied to though.
Any help would be greatly appreciated.
John
I would assume yes since there is a cmdlet called "Remove-DistributionGroupMember"; you usually have to post some code of what you have
tried or are working on to get further help from most other people here. -
How to remove user from custom DLU Group
Hi,
I have created a DLU policy that creates a local user, and places this user
in a custom local group (Group is already present on the system). Now I want
to remove this user from this custom group and place it in another custom
group. I have created a second DLU policy to place the user in the new
custom group. The new custom group is added fine, but the old custom group
assignment also remains. How should I set up the policy so that the user is
removed from the old custom group, or is this not possible?
Regards,
Hen
Hen,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Remove user from multiple Group
Hi All,
Can any one help me on this .
we have around 100 different SSLVPN AD security groups. Need a script or command to remove 790 users
from all these groups.
we have list of user in excel sheet we want to remove from group only.
Regards, Triyambak
Hi,
Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.
Regards, Yan Li -
Remove user from multiple groups
Hello everyone, first time posting here with a question and I apologize if I'm asking in the wrong location.
To give an idea of what I'm attempting to do, I've recently been developing a vbscript that will take a nightly csv export from my student information system and either create or deactivate student accounts based upon their enrollment status. I have
this function working great now, another function I've been developing is to have accounts moved between OU's based upon the school building code assigned to students which I have working as well. The problem I'm running into right now is having students
removed from existing active directory groups when they move between OU's. Essentially what I would like to do is have the script load the users group membership into an array and then remove any groups that end with STUDENTS, below is the code I have
been working on to accomplish this but have literally hit a brick wall. If it helps all my student groups for each location runs in this fashion.
ABCD_STUDENTS
ABCE_STUDENTS
Any suggestions would be greatly appreciated.
' Student changing OU then we need to update their account to reflect appropriate group memberships.
' ADSI PutEx control codes (omit if already defined earlier in the script)
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
Set UserObj = GetObject("WinNT://server.domain.net/" & ADusrname) 'This must be hardcoded to domain controller
strUserDN = DN
strUserCN = objuser.cn
'Add user to the school group if not correct
Set objGroup = GetObject(varSchoolGroup)
strUserDN = DN ' Bind to the user object.
strGroupDN = varSchoolGroup ' Specify group Distinguished Name and check for membership.
Set objADObject = GetObject("LDAP://" & strUserDN)
objmemberOf = objADObject.GetEx("memberOf")
If Not (funIsMember(GetObject("LDAP://" & strUserDN), varSchoolGroup)) Then
    objmemberOf = objADObject.GetEx("memberOf")
    For Each objGroup In objmemberOf
        Set objGroupDelete = GetObject("LDAP://" & objGroup)
        ' objGroup is a DN such as "CN=ABCD_STUDENTS,OU=..."; take the CN value and test its ending
        strGroupCN = Split(Mid(objGroup, 4), ",")(0)
        If UCase(Right(strGroupCN, 8)) = "STUDENTS" Then
            msgbox "test remove"
            objGroupDelete.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
            objGroupDelete.SetInfo
            subUpdateLogFile studentcounter & " - Removed from student group " & objGroup,student_guid,student_username,student_fullname,"removed group"
        End If
    Next
    'Add user to school group
    Set objGroup = GetObject(varSchoolGroup)
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strUserDN)
    objGroup.SetInfo
    subUpdateLogFile studentcounter & " - Updated school group to " & student_schoolgroup_ldap,student_guid,student_username,student_fullname,"school group"
    objUser.SetInfo
    updated = "yes"
End If
Any suggestions would be greatly appreciated.
With Bill. This can be done with AD and PowerShell in a couple of lines for each item.
You are taking an incorrect approach which is making this much harder than it needs to be. Your question is also hard to understand.
Each AD user object obtained via ADSI will have a list of groups the account is a member of. You use this to remove the user from the group. How you choose this is up to you. You can use an array or a file. You can also just use
OU associated groups. A user then is added to all or some groups associated with the OU and removed from the groups associated with the OU by just returning the OU associated group list from the OUs.
Designing AD systems is a specialty. Once you fully understand the features and capabilities of AD these things are usually simple and painless. If the design is not done well they are painful and faulty.
We can answer specific questions. Understanding the design and capabilities of AD is mostly up to you.
Start with a tool that is designed to work well with AD like PowerShell. VBScript is only useful to those who are skilled with AD and scripting in VBScript. From your script we can see you are a beginner at both. As Bill notes...do yourself
a favor and switch to PowerShell.
¯\_(ツ)_/¯