ADD and Remove Users from AD group – Python

Lately, I am working with Python so sharing a TIP on how to ADD and remove users from AD group.

With PowerShell there is Active Directory Module that makes our life easy.

Similarly with python you can utilize ldap3 library.

https://pypi.org/project/ldap3/

Install it on your machine using pip install ldap3


Here are the samples that I have used in my Python project I hope these will assist you.

First import the appropriate functions from ldap3

 

from ldap3 import Server, Connection, AUTO_BIND_NO_TLS, SUBTREE, ALL_ATTRIBUTES #for active directory

from ldap3.extend.microsoft.addMembersToGroups import ad_add_members_to_groups as addUsersInGroups

from ldap3.extend.microsoft.removeMembersFromGroups import ad_remove_members_from_groups as removeUsersInGroups

 

Next step is to get user Distinguished Name:

Example TO GET userdn: (Here we have user email address, and we are finding user DN so that we can use ADD and remove membership function that we imported above)

You can use below approach and get the DN from any attribute of the user that you have in hand.

 

obj_filter = ‘(&(objectClass=user)(objectCategory=person)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(mail=’+ Email + ‘))’

with Connection(Server(dc_1, port=636, use_ssl=True),auto_bind=AUTO_BIND_NO_TLS,read_only=True,check_names=True,user=admin_user, password=Password) as c:

   c.extend.standard.paged_search(search_base=base_dn,search_filter=obj_filter,search_scope=SUBTREE,attributes={‘distinguishedName’},get_operational_attributes=True,paged_size=1500,generator=False)

user_dn = c.entries[0].distinguishedName.values[0]

 

Last step is to ADD user to group or Remove user from Group: (pretty much same syntax)

Here is the sample code for these operations:

 

ADD user to Group:

with Connection(Server(dc_1, port=636, use_ssl=True),auto_bind=AUTO_BIND_NO_TLS,read_only=False,check_names=True,user=admin_user, password=Password) as c:

   addUsersInGroups(c, user_dn, AD_Group_dn)

Remove user from Group:

with Connection(Server(dc_1, port=636, use_ssl=True),auto_bind=AUTO_BIND_NO_TLS,read_only=False,check_names=True,user=admin_user, password=Password) as c:

   removeUsersInGroups(c, user_dn, AD_Group_Flow_dn,fix=True)

 

I will say it is not much difficult if you already know PowerShell, but definitely more work involved.

PowerShell is better and easier in handling things when it comes to Microsoft but its worth to learn a new scripting language as it will be new weapon in your arsenal.

I am utilizing DPAPI to encrypt and decrypt the password, I will share the TIP/Samples in some future article but mean while you can use the other approach that I had shared in the past post:

Secure Password or Token on Windows – Python | Tech Wizard

Note: Please take care of indentation spaces in Sample code

 

Thanks for reading …

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s