[Samba] Script to reset group memberships...

Rowland Penny rpenny at samba.org
Wed Oct 4 16:32:58 UTC 2017


On Wed, 4 Oct 2017 17:54:35 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   on that day wrote...
> 
> > Ah, you said disable, when you meant 'delete'
> 
> No, I meant exactly 'disabled'.
> 
> I'll try to be clearer:
> 
> a) I cannot delete accounts, at least for years, because local law
>  mandates accountability, and so I need the SID/UID.
> OK, I can save the SID/UID elsewhere, but...
> 
> b) I want to ''reset'' group membership because if users come back
>  (sometimes happens ;) I can't, even by accident, restore their
> original memberships.
> 
> 
> Better now? Thanks.
> 

NO ;-)

In AD you can disable a user very easily by adding 2 to the value stored
in the user's 'userAccountControl' attribute and the user wouldn't be
able to log in, but this isn't quite what you want.

To do what you want to do, you will need to search the user's object in
AD for 'memberOf' attributes, then parse these (if any; there shouldn't
be one for Domain Users). Then remove the user from each group with
'samba-tool group removemembers groupname username'. This will then
leave you with the user to delete or disable as you see fit.

If you delete a user in AD, you cannot recreate it exactly as the
original user, AD will not let you, i.e. if you delete user 'fred' and
then create another user 'fred', this user, even though it has the
same username, will be a new user to AD, it will have a different RID
and GUID.

Rowland
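The procedure above (read the user's 'memberOf' values, strip the user from each group, then set the disable bit in 'userAccountControl') as a worked POSIX sh example. This is an added illustration, not a script from the thread or from the Samba project. It assumes the user object has been dumped in LDIF form (e.g. with 'samba-tool user show fred' or 'ldbsearch' against sam.ldb; the exact command available depends on the Samba version), so a constructed sample of that output is embedded inline and the script only emits the 'samba-tool' commands rather than running them, which keeps it runnable offline and lets you review the list before applying it.

```shell
#!/bin/sh
# Added example; not code from the thread or from Samba.
# Constructed sample of an LDIF-style dump of user 'fred'. Real output
# will differ; note that the primary group (Domain Users) does not
# appear as a memberOf value, exactly as the thread says.
SAMPLE_SHOW='dn: CN=fred,CN=Users,DC=example,DC=com
objectClass: user
cn: fred
sAMAccountName: fred
memberOf: CN=Accounting,CN=Users,DC=example,DC=com
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=com
userAccountControl: 512'

# Print the CN of every group named in a memberOf line, one per line.
# Caveat: a CN containing an escaped comma ("\,") would be cut short by
# this simple sed pattern; check the list before acting on it.
groups_from_ldif() {
  printf '%s\n' "$1" | sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p'
}

# Number of groups the user would be removed from.
group_count() {
  groups_from_ldif "$1" | wc -l | tr -d ' '
}

# Emit one 'samba-tool group removemembers' command per group.
# Dry run by design: pipe the output into sh once it has been reviewed.
removal_commands() {
  user=$1
  ldif=$2
  groups_from_ldif "$ldif" | while IFS= read -r g; do
    printf 'samba-tool group removemembers "%s" "%s"\n' "$g" "$user"
  done
}

# Current userAccountControl value from the dump.
current_uac() {
  printf '%s\n' "$1" | sed -n 's/^userAccountControl: \([0-9]*\)$/\1/p'
}

# The thread says "add 2"; a bitwise OR gives the same result on a
# normal account (512 -> 514) but is safe to apply twice, whereas adding
# 2 to an already-disabled account would silently set a different bit.
disabled_uac() {
  echo $(( $1 | 2 ))
}

# Stand-alone run: show what would be done to 'fred'.
removal_commands fred "$SAMPLE_SHOW"
printf 'userAccountControl %s -> %s\n' \
  "$(current_uac "$SAMPLE_SHOW")" \
  "$(disabled_uac "$(current_uac "$SAMPLE_SHOW")")"
```

To apply the same steps to a live domain, replace SAMPLE_SHOW with the real dump of the user, review the printed commands, then run them; for the final step Samba also provides 'samba-tool user disable username', which sets the same bit without hand-editing the attribute.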