Script disable user acount and remove all groups from memberOf attribute except „Domain Users“.
@echo off
setlocal enableextensions enabledelayedexpansion
set tmp1=temp1.txt
set tmp2=temp2.txt
:user
set user=""
set /p user=Login :
if /I %user%=="" goto user
:start
set log=%user%.log
echo [%date% %time%] >> %log%
net user %user% /active:no /domain
dsquery user -samid %user% | dsget user -memberof | dsget group -samid > %tmp1%
type %tmp1% >> %log%
findstr /i /v "samid" %tmp1% | findstr /i /v "dsget succeeded" | findstr /c:"domain users" /i /v > %tmp2%
del %tmp1%
for /f "tokens=* delims= " %%a in ('type %tmp2%') do echo %%a >> %tmp1%
del %tmp2%
for /f "delims=" %%x in ('type %tmp1%') do (
set "str=%%x"
for /l %%a in (1,1,256) do if "!str:~-1!"==" " set "str=!str:~0,-1!"
echo.!str!>> %tmp2%
)
for /f "tokens=1 delims=" %%a in (%tmp2%) do (
net group "%%a" %user% /delete /domain
net localgroup "%%a" %user% /delete /domain
)
echo. >> %log% & echo [%date% %time%] >> %log%
dsquery user -samid %user% | dsget user -memberof | dsget group -samid >> %log%
del /f /q %tmp1% %tmp2%