move from ad groups

  • Question

  • Hello, I am trying to write a script that will get a list of users and then remove those users from all AD groups they are a member of. I'm doing something wrong here but not sure what.

    $DisabledUsers = Get-ADUser -Filter * -SearchBase "OU=Disabled Users, DC=company, DC=com" | Select-Object samaccountName
    Get-ADPrincipalGroupMembership -Identity $DisabledUsers | % {Remove-ADGroupMember -Identity "$DisabledUsers" -MemberOf $_}
    


    When this runs it gives an error:  

    Get-ADPrincipalGroupMembership : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADPrincipal' required by 
    parameter 'Identity'. Specified method is not supported.

    But from what I've Googled, this looks like it should work. What did I do wrong?

    Monday, October 9, 2017 6:51 PM

Answers

  • This is based on my idea stated above (not tested):

    # Retrieve all disabled users, with their direct group membership (except their "primary" group).
    $DisabledUsers = Get-ADUser -Filter * -SearchBase 'OU=Disabled Users, DC=company, DC=com' -Properties memberOf
    
    # Enumerate the disabled users.
    ForEach ($User in $DisabledUsers)
    {
        $UserDN = $User.distinguishedName
        $Groups = $User.memberOf
        # Make sure there is at least one group membership to remove.
        If ($Groups)
        {
            # Remove all direct group memberships for this user.
            Remove-ADPrincipalGroupMembership -Identity $UserDN -MemberOf $Groups -Confirm:$False
        }
    }
    
    You can use the -WhatIf parameter of Remove-ADPrincipalGroupMembership to test what would happen.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by bellmonster Tuesday, October 10, 2017 3:53 PM
    Tuesday, October 10, 2017 3:27 PM
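    As an added example (not code from the thread or from Richard Mueller), the same memberOf-based approach wrapped in a function: it honours -WhatIf and -Confirm, narrows the search to accounts that are actually disabled rather than everything in the OU, writes every membership to a CSV before removing anything so the change can be audited or reverted with Add-ADPrincipalGroupMembership, and carries on when one user fails. The function name, the ExcludeGroup parameter and the default log path are assumptions; the OU path is the one from the question.

    ```powershell
    # Added example (not from the thread): remove disabled users from all direct groups,
    # recording every membership first so the change can be audited and rolled back.
    # Assumptions: the ActiveDirectory module is installed, the OU path matches the one
    # used in the thread, and the default log path is a placeholder to adjust.
    #Requires -Modules ActiveDirectory

    function Remove-DisabledUserGroupMembership {
        [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
        param(
            [Parameter(Mandatory)]
            [string]$SearchBase,

            # Where the before-state is written; constructed default, change as needed.
            [string]$LogPath = "$env:TEMP\DisabledUserGroups-$(Get-Date -Format yyyyMMdd-HHmmss).csv",

            # Group DNs this function must never touch (hypothetical parameter).
            [string[]]$ExcludeGroup = @()
        )

        # memberOf holds only direct memberships and never the primary group, which is
        # exactly the set Remove-ADPrincipalGroupMembership is able to remove.
        # Filtering on Enabled guards against an enabled account misplaced in the OU.
        $users = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase -Properties memberOf

        $log = foreach ($user in $users) {
            foreach ($groupDn in $user.memberOf) {
                [pscustomobject]@{
                    UserDN  = $user.DistinguishedName
                    Sam     = $user.SamAccountName
                    GroupDN = $groupDn
                }
            }
        }

        if (-not $log) {
            Write-Verbose "No direct group memberships found under $SearchBase."
            return
        }

        # Persist the before-state first: if the removals stop half-way, this file is
        # the record needed to restore memberships with Add-ADPrincipalGroupMembership.
        $log | Export-Csv -Path $LogPath -NoTypeInformation
        Write-Verbose "Recorded $(@($log).Count) memberships to $LogPath"

        foreach ($user in $users) {
            $groups = @($user.memberOf | Where-Object { $_ -notin $ExcludeGroup })
            if (-not $groups) { continue }

            # ShouldProcess makes the function's own -WhatIf and -Confirm switches work.
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $($groups.Count) group(s)")) {
                try {
                    Remove-ADPrincipalGroupMembership -Identity $user.DistinguishedName `
                        -MemberOf $groups -Confirm:$false -ErrorAction Stop
                }
                catch {
                    # One failing user must not abort the rest of the batch.
                    Write-Warning "Failed for $($user.SamAccountName): $($_.Exception.Message)"
                }
            }
        }
    }

    # Dry run first; drop -WhatIf once the output looks right.
    Remove-DisabledUserGroupMembership -SearchBase 'OU=Disabled Users,DC=company,DC=com' -WhatIf -Verbose
    ```

    Because ConfirmImpact is High, an interactive run prompts once per user; pass -Confirm:$false for an unattended scheduled run, and keep the CSV with the change record.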

All replies

  • The -Identity parameter of Get-ADPrincipalGroupMembership must identify a security principal, not a collection like $DisabledUsers. You need to loop over the collection to get each user's groups.

    But the cmdlet will retrieve all group memberships, including the "primary" group and nested group memberships. You cannot remove a user from their primary group, or from groups the user is a member of due to group nesting.

    You could retrieve the memberOf attribute of the disabled users and use this instead. This collection of DNs does not include the "primary" group or any nested groups.

    And if the users are disabled, I would argue there is little reason to remove the group memberships. Do you plan to eventually delete these users?


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, October 9, 2017 9:07 PM
  • $DisabledUsers = Get-ADUser -Filter * -SearchBase 'OU=Disabled Users, DC=company, DC=com'
    Remove-ADGroupMember -Identity '??groupname??' -Members $DisabledUsers
    Read the full help for a CmdLet before you try to use it.

    ¯\_(ツ)_/¯

    Monday, October 9, 2017 9:08 PM
  • Try this:

    $DisabledUsers = Get-ADUser -SearchBase "OU=Disabled Users, DC=company, DC=com" -Filter *
    foreach ($user in $DisabledUsers) {
        $UserDN = $user.DistinguishedName
        # Find every group whose member attribute lists this user directly and remove the user from each.
        # (A DN containing the LDAP filter metacharacters ( ) * or \ would need escaping first.)
        Get-ADGroup -LDAPFilter "(member=$UserDN)" |
            ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $UserDN -Confirm:$False }
    }


    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    Tuesday, October 10, 2017 7:47 AM
  • Hello. I ran your code and it did not remove any AD groups the user was a member of. I am not specifying a GroupName since a disabled user is a member of many, many AD groups. This is turning out to be an interesting problem!! Any other hints?

    Tuesday, October 10, 2017 3:34 PM
  • Richard, that worked!! Very cool once I see it. Thank you.

    Tuesday, October 10, 2017 3:53 PM
  • I need some minutes to test. Probably something simple, like converting to string or a collection.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, October 10, 2017 3:55 PM