
I'm having trouble trying to overcome an issue in VB.net. What I'd like to achieve is to remove one specific AD user from all groups where the name of the group starts with "Google"...

If I know the full name of the group, this is a straightforward affair and I can do the following:

Imports System.DirectoryServices.AccountManagement

' Bind to the domain, find the group by its name and drop the user's membership.
Using ctx As New PrincipalContext(ContextType.Domain, "Company.co.uk")
    Dim googleremove As GroupPrincipal = GroupPrincipal.FindByIdentity(ctx, "Google-Group1")
    googleremove.Members.Remove(ctx, IdentityType.SamAccountName, "UserID")
    googleremove.Save()
End Using

But the issue is my application won't always know which specific group the user needs to be removed from. There are 28 different groups each with thousands of users where the group name starts with "Google-". Is there an efficient way to remove the user from all groups where the name of the group starts with "Google-" that won't slow things down horribly?

  • What if you only get the groups the user is member of and then remove him from all of these groups that start with "Google". Depending on the count of group memberships, that could maybe be a lot faster...? – MatSnow Jan 31 '18 at 12:31
  • @MatSnow Yes that would be suitable. I'm able to get the MemberOf information using System.DirectoryServices, but I don't know how to get any further than that... – MattOverton Jan 31 '18 at 12:47
  • _I don't know how to get any further than that_ -> I don't understand...you already posted the code to remove the user from a group. What's the issue? – MatSnow Jan 31 '18 at 13:17
  • @MatSnow The problem I have is that I can do each thing in isolation, but don't have the knowledge to combine the two processes. – MattOverton Jan 31 '18 at 14:07

2 Answers

1

I worked it out! Here is how I managed for anyone else with my issue:

Imports System.DirectoryServices.AccountManagement

' Find every group whose name starts with "Google-" and remove the user from each one.
Using ctx As New PrincipalContext(ContextType.Domain, "MyCompany.co.uk")
    Dim usr As UserPrincipal = UserPrincipal.FindByIdentity(ctx, "User ID")
    ' Query-by-example: the "*" wildcard in Name matches any group named "Google-...".
    Dim grp As New GroupPrincipal(ctx)
    grp.Name = "Google-*"
    Using srch As New PrincipalSearcher(grp)
        For Each s As GroupPrincipal In srch.FindAll()
            ' Remove returns False when the user is not a member, so only changed groups are saved.
            If s.Members.Remove(usr) Then
                s.Save()
            End If
        Next
    End Using
End Using
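An added example (not part of the question or of either answer) of the more efficient route the question asks for: rather than enumerating every "Google-*" group and attempting a removal on each, one LDAP query asks the directory for the groups whose cn starts with the prefix and whose member attribute already contains the user's DN, and only those groups are touched. The user's DN is escaped before it goes into the filter so that a DN containing "(", ")", "*" or "\" cannot change what the query means. Domain, account and prefix values are placeholders; the API is the same System.DirectoryServices / AccountManagement pair the page already uses.

```vbnet
' Added example, not code from the original question or answers.
' Domain name, account name and group prefix below are placeholders.
Imports System
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.Text

Module RemoveFromPrefixedGroups

    ' Escape a value for use inside an LDAP search filter (RFC 4515), so that a
    ' DN containing "(", ")", "*" or "\" cannot alter the structure of the filter.
    Function EscapeLdapFilterValue(value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Groups whose cn starts with the prefix AND whose member attribute lists the
    ' user's DN. Only the prefix keeps a trailing wildcard; the DN is fully escaped.
    ' cn matching is case-insensitive on the server, unlike String.StartsWith.
    Function BuildGroupFilter(prefix As String, userDn As String) As String
        Return "(&(objectCategory=group)(cn=" & EscapeLdapFilterValue(prefix) & "*)" &
               "(member=" & EscapeLdapFilterValue(userDn) & "))"
    End Function

    ' Removes the user from every matching group and returns how many were changed.
    Function RemoveUserFromGroupsWithPrefix(ctx As PrincipalContext, domainName As String,
                                            samAccountName As String, prefix As String) As Integer
        Dim removedCount As Integer = 0
        Using usr As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)
            If usr Is Nothing Then
                Throw New ArgumentException("User not found: " & samAccountName)
            End If
            ' "LDAP://<dns domain name>" binds to the domain's default naming context.
            Using root As New DirectoryEntry("LDAP://" & domainName)
                Using searcher As New DirectorySearcher(root, BuildGroupFilter(prefix, usr.DistinguishedName), {"distinguishedName"})
                    searcher.PageSize = 500   ' paged results, in case more than 1000 groups match
                    Using results As SearchResultCollection = searcher.FindAll()
                        For Each result As SearchResult In results
                            Dim groupDn As String = CStr(result.Properties("distinguishedName")(0))
                            Using grp As GroupPrincipal = GroupPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, groupDn)
                                ' Remove returns False if the membership is already gone (e.g. a concurrent change).
                                If grp IsNot Nothing AndAlso grp.Members.Remove(usr) Then
                                    grp.Save()
                                    removedCount += 1
                                End If
                            End Using
                        Next
                    End Using
                End Using
            End Using
        End Using
        Return removedCount
    End Function

    Sub Main()
        Using ctx As New PrincipalContext(ContextType.Domain, "Company.co.uk")
            Dim changed As Integer = RemoveUserFromGroupsWithPrefix(ctx, "Company.co.uk", "UserID", "Google-")
            Console.WriteLine("Removed from {0} group(s)", changed)
        End Using
    End Sub

End Module
```

Two caveats worth knowing before relying on this: a `member=` clause never matches the user's primary group (that membership is recorded in the user's primaryGroupID, not in the group's member attribute), and the account running the code only needs write access to the member attribute of the groups it is meant to change, which is a much narrower delegation than Account Operators or Domain Admins membership.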
0

You said you know how to get the MemberOf information. So you would loop through that array to find groups that start with "Google".

But keep in mind that the MemberOf array is an array of distinguishedNames, so the group names are prefixed with "CN=". So you really need to do something like this:

' memberOf holds the distinguished names of the groups the user belongs to
For Each groupDn As String In memberOf
    If groupDn.StartsWith("CN=Google") Then
        ' remove user from this group
    End If
Next

I haven't used VB in a while, so that may not work as-is. But that's the idea.

Gabriel Luci
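An added example (not from the answer above) of walking memberOf the way the answer describes, handling the two traps that a plain StartsWith("CN=Google") hides: the comparison is case-sensitive while Active Directory names are not, and a group name containing a comma is stored escaped in the DN ("CN=Google-Apps\, Sales,OU=..."), so the raw DN string does not start with the name you expect. The first RDN value is decoded before the prefix test, and only the DNs that pass are handed to the same GroupPrincipal removal the page already uses. The sample DNs in Main are constructed, and the domain and account names are placeholders.

```vbnet
' Added example, not code from the original answers. Sample DNs are constructed;
' domain and account names are placeholders.
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.Text

Module MemberOfPrefixFilter

    ' Value of the first RDN of a DN: "CN=Google-Group1,OU=Groups,DC=x" -> "Google-Group1".
    ' Decodes the RFC 4514 escapes a DN can carry: "\," "\=" "\\" and hex pairs such as "\2c".
    ' Each hex pair is decoded as one character, which is correct for the ASCII specials;
    ' multi-byte UTF-8 escapes would need the pairs accumulated into bytes first.
    Function FirstRdnValue(dn As String) As String
        Dim eq As Integer = dn.IndexOf("="c)
        If eq < 0 Then Throw New FormatException("Not a DN: " & dn)
        Dim sb As New StringBuilder()
        Dim i As Integer = eq + 1
        While i < dn.Length
            Dim c As Char = dn(i)
            If c = ","c Then
                Exit While                       ' an unescaped comma ends the first RDN
            ElseIf c = "\"c AndAlso i + 1 < dn.Length Then
                Dim nxt As Char = dn(i + 1)
                If Uri.IsHexDigit(nxt) AndAlso i + 2 < dn.Length AndAlso Uri.IsHexDigit(dn(i + 2)) Then
                    sb.Append(ChrW(Convert.ToInt32(dn.Substring(i + 1, 2), 16)))
                    i += 3
                Else
                    sb.Append(nxt)               ' "\," "\=" "\\" and similar single-char escapes
                    i += 2
                End If
            Else
                sb.Append(c)
                i += 1
            End If
        End While
        Return sb.ToString()
    End Function

    ' The memberOf entries whose group name starts with the prefix.
    ' Both tests are case-insensitive because directory names are.
    Function GroupDnsWithPrefix(memberOf As IEnumerable(Of String), prefix As String) As List(Of String)
        Dim matches As New List(Of String)
        For Each dn As String In memberOf
            If dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) AndAlso
               FirstRdnValue(dn).StartsWith(prefix, StringComparison.OrdinalIgnoreCase) Then
                matches.Add(dn)
            End If
        Next
        Return matches
    End Function

    ' Reads the user's memberOf and removes the user from every matching group.
    Function RemoveFromPrefixedGroups(ctx As PrincipalContext, samAccountName As String, prefix As String) As Integer
        Dim removedCount As Integer = 0
        Using usr As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)
            If usr Is Nothing Then Throw New ArgumentException("User not found: " & samAccountName)
            ' The underlying DirectoryEntry is owned by the principal; do not dispose it separately.
            Dim entry As DirectoryEntry = DirectCast(usr.GetUnderlyingObject(), DirectoryEntry)
            Dim memberOf As New List(Of String)
            For Each v As Object In entry.Properties("memberOf")
                memberOf.Add(CStr(v))
            Next
            For Each groupDn As String In GroupDnsWithPrefix(memberOf, prefix)
                Using grp As GroupPrincipal = GroupPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, groupDn)
                    If grp IsNot Nothing AndAlso grp.Members.Remove(usr) Then
                        grp.Save()
                        removedCount += 1
                    End If
                End Using
            Next
        End Using
        Return removedCount
    End Function

    Sub Main()
        ' Constructed sample DNs (not real directory data) exercising the parser offline:
        ' a plain name, a differently-cased name with an escaped comma, and a non-match.
        Dim sample As String() = {
            "CN=Google-Group1,OU=Groups,DC=Company,DC=co,DC=uk",
            "CN=google-Apps\, Sales,OU=Groups,DC=Company,DC=co,DC=uk",
            "CN=Sales,OU=Groups,DC=Company,DC=co,DC=uk"}
        For Each dn As String In GroupDnsWithPrefix(sample, "Google-")
            Console.WriteLine("{0}  <-  {1}", FirstRdnValue(dn), dn)
        Next
        ' Against a real domain (placeholders):
        ' Using ctx As New PrincipalContext(ContextType.Domain, "MyCompany.co.uk")
        '     Console.WriteLine(RemoveFromPrefixedGroups(ctx, "UserID", "Google-"))
        ' End Using
    End Sub

End Module
```

One limit of the memberOf route: it is a back-link computed from the groups' member attribute, so it omits the user's primary group and, when read from a domain controller that is not a global catalog, can omit groups from other domains in the forest. A group that is absent from memberOf is therefore not proof that the user is not in it.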