Hello! Rowland Penny via samba
  On that day it was said...

> Ah, you said disable, when you meant 'delete'

No, I meant exactly 'disabled'.

I'll try to be clearer:

a) I cannot delete accounts, at least for years, because local law mandates accountability, and so I need the SID/UID.
   OK, I can save the SID/UID elsewhere, but...

b) I want to ''reset'' group membership because if users come back (it sometimes happens ;) I can't, even by accident, restore their original memberships.

Better now? Thanks.

-- 
dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Wed, 4 Oct 2017 17:54:35 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > Ah, you said disable, when you meant 'delete'
>
> No, I meant exactly 'disabled'.
>
> I'll try to be clearer:
>
> a) I cannot delete accounts, at least for years, because local law
>    mandates accountability, and so I need the SID/UID.
>    OK, I can save the SID/UID elsewhere, but...
>
> b) I want to ''reset'' group membership because if users come back
>    (it sometimes happens ;) I can't, even by accident, restore their
>    original memberships.
>
> Better now? Thanks.
>

NO ;-)

In AD you can disable a user very easily by adding 2 to the value stored in the user's 'userAccountControl' attribute and the user wouldn't be able to log in, but this isn't quite what you want.

To do what you want to do, you will need to search the user's object in AD for 'memberOf' attributes, then parse these (if any, there shouldn't be one for Domain Users), then remove the user from each group with 'samba-tool group removemembers groupname username'. This will then leave you with the user to delete or disable as you see fit.

If you delete a user in AD, you cannot recreate it exactly as the original user. AD will not let you, i.e. if you delete user 'fred' and then create another user 'fred', this user, even though it has the same username, will be a new user to AD; it will have a different RID and GUID.

Rowland

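The procedure described in the reply above, as an added example that is not part of the original thread: it reads the LDIF of a 'memberOf' search on stdin, copes with folded lines, base64 ("::") values and escaped commas, and calls 'samba-tool group removemembers' once per group; `disabled_uac` sets the disable bit with OR so that a value that already has it is left unchanged. The sample LDIF, the example.com names and the `SAMBA_TOOL` dry-run variable are constructed for illustration; it assumes each group's CN is the name samba-tool expects and it does not decode hex escapes in DNs.

```shell
#!/bin/sh
# Added example (not from the thread): strip a user's group memberships from LDIF.
# Assumption: each group's CN equals the group name samba-tool expects.

# Constructed sample of what a memberOf search could return (example.com is made up).
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=Mario Rossi,CN=Users,DC=example,DC=com
memberOf: CN=Staff,CN=Users,DC=example,DC=com
memberOf: CN=Sales\, EU,OU=Groups,DC=example,DC=com
memberOf: CN=Research-Sta
 ff,OU=Groups,DC=example,DC=com
EOF
    # Values containing non-ASCII characters are base64-encoded and use "::".
    printf 'memberOf:: %s\n' "$(printf '%s' 'CN=Contabilità,OU=Groups,DC=example,DC=com' | base64 | tr -d '\n')"
}

# Print one group CN per memberOf value read from LDIF on stdin.
member_groups() {
    # 1. Unfold: a line starting with one space continues the previous line.
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR) print buf }' |
    # 2. Keep only memberOf values, decoding the base64 form.
    while IFS= read -r line; do
        case $line in
            "memberOf:: "*) printf '%s' "${line#memberOf:: }" | base64 -d; echo ;;
            "memberOf: "*)  printf '%s\n' "${line#memberOf: }" ;;
        esac
    done |
    # 3. Take the first RDN, honouring backslash-escaped commas, and drop "CN=".
    awk '{ out = ""
           for (i = 1; i <= length($0); i++) {
               c = substr($0, i, 1)
               if (c == "\\") { i++; out = out substr($0, i, 1); continue }
               if (c == ",") break
               out = out c }
           sub(/^[Cc][Nn]=/, "", out); print out }'
}

# Remove USER ($1) from every group found in the LDIF on stdin.
# SAMBA_TOOL=echo gives a dry run that prints the arguments instead.
strip_memberships() {
    member_groups | while IFS= read -r group; do
        "${SAMBA_TOOL:-samba-tool}" group removemembers "$group" "$1" </dev/null
    done
}

# Set the disable bit (2) with OR, so an already disabled value stays disabled.
disabled_uac() { echo $(( $1 | 2 )); }
```

On a DC the input could come from `ldbsearch -H <path to sam.ldb> '(sAMAccountName=<user>)' memberOf`; run once with `SAMBA_TOOL=echo` to review the group list before removing anything.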
Hello! Rowland Penny via samba
  On that day it was said...

> In AD you can disable a user very easily by adding 2 to the value stored
> in the user's 'userAccountControl' attribute and the user wouldn't be
> able to log in, but this isn't quite what you want.

Just for the sake of completeness, it is the same as the 'D' account flag, right?

> To do what you want to do, you will need to search the user's object in
> AD for 'memberOf' attributes, then parse these (if any, there shouldn't
> be one for Domain Users), then remove the user from each group with
> 'samba-tool group removemembers groupname username'. This will then
> leave you with the user to delete or disable as you see fit.

OK, thanks.

-- 
dott. Marco Gaiarin