Need help to write a script for Remove-ADGroupMember

  • Question

  • Hi all,

    I need to write a script that, when executed, removes the user who executes it from all the AD groups they are a member of, or from a specified group.

    Please can you help me write it?

    thanks

    cheers

    Thursday, March 28, 2019 4:08 PM

All replies

  • Maybe instead of getting the current context the script is running under, create parameters to the script that take a username as a parameter and a groupList as another parameter.  The groupList can say ALL, which means if you pass ALL to that parameter, ALL groups they are a member of will be removed.

    Pseudocode

    ensure username is valid

    ensure each group in groupList is valid

    if only a short list of groups, for each group, run a remove user on that group

    if ALL, I would first get a list of groups the user is a member of and then run remove user on those groups.

    Add logging


    • Edited by mrasmussen Thursday, March 28, 2019 6:14 PM
    Thursday, March 28, 2019 4:12 PM
  • Mmmm, thanks for the quick reply... maybe I didn't get you.

    What I'd like is:

    Let's suppose there are users "X" "Y" "Z"

    and the groups "A" "B" "C"

    X is in group A

    Y is in groups A C

    Z is in groups A B C

    Let's suppose the end user clicks and executes the script.

    (here I could accept both solutions)

    Solution a. the user that executes it removes himself from all the groups he is a member of

    Solution b. the user that executes it removes himself from groups A and C if he is a member; otherwise nothing happens

    Obviously the end user has no admin privileges.

    Thanks for your help, mate

    Thursday, March 28, 2019 6:10 PM
  • The user needs to have permissions to remove themselves from groups in AD.

    So, if you want to use the security context of the user account executing the script, the flow would basically be:

    Get group membership - get a list of groups

    foreach group - remove user X

    Catch errors like access denied 

    Why would the current user want to remove themselves from every group they are a member of?  Seems like an off-boarding process, and in that case you wouldn't log in or runas a particular user to delete membership.

    Thursday, March 28, 2019 6:20 PM
  • I would expect only an administrator (or account operator) could do this, not a normal user. Also, you cannot remove the "primary" group membership (generally the group "Domain Users").

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, March 28, 2019 6:35 PM
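The procedure sketched in the pseudocode reply above (a group-list parameter that can be ALL, validation of each group, per-group removal, logging), the get-membership / foreach / catch-access-denied flow from the later reply, and the primary-group caveat, worked into one script. This is an added example, not code posted in the thread. It assumes the RSAT ActiveDirectory module is installed and that the account running it has already been granted the right to remove itself from the groups; the parameter names, the log location and the Write-Log helper are my own choices for this example.

```powershell
<#
  Added example (not from the thread): remove the account running the script
  from AD groups, with the validation, "ALL" handling, logging and error
  handling the replies describe. Assumes the RSAT ActiveDirectory module.
  Run with -WhatIf first to see what would be removed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # "ALL", or one or more group names (sAMAccountName or DN)
    [string[]]$GroupList = @('ALL'),
    # Hypothetical log location, chosen for this example
    [string]$LogPath = (Join-Path $env:TEMP 'group-self-removal.log')
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Security context the script runs under: the logged-on user, not a hard-coded account.
$sam = $env:USERNAME
$me  = Get-ADUser -Identity $sam -Properties primaryGroupID, memberOf -ErrorAction Stop
Write-Log "Running as $sam"

# memberOf never lists the primary group (primaryGroupID, usually Domain Users),
# so with "ALL" it is never a target; explicitly named groups are checked below.
$current = @($me.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })

if ($GroupList -contains 'ALL') {
    $targets = $current
} else {
    $targets = @()
    foreach ($name in $GroupList) {
        try {
            $g = Get-ADGroup -Identity $name -ErrorAction Stop
        } catch {
            Write-Log "Group '$name' not found: $($_.Exception.Message)"
            continue
        }
        # The primary group's RID equals the user's primaryGroupID; it cannot be removed this way
        $rid = ($g.SID.Value -split '-')[-1]
        if ([int]$rid -eq $me.primaryGroupID) {
            Write-Log "'$($g.Name)' is the primary group and cannot be removed; skipping"
            continue
        }
        if ($current.DistinguishedName -contains $g.DistinguishedName) {
            $targets += $g
        } else {
            Write-Log "Not a member of '$($g.Name)'; nothing to do"
        }
    }
}

foreach ($group in $targets) {
    if (-not $PSCmdlet.ShouldProcess($group.Name, "Remove $sam from group")) { continue }
    try {
        # Remove-ADGroupMember prompts by default (ConfirmImpact High); -Confirm:$false suppresses it
        Remove-ADGroupMember -Identity $group -Members $me -Confirm:$false -ErrorAction Stop
        Write-Log "Removed $sam from '$($group.Name)'"
    } catch {
        # Typically "Access is denied" when the account lacks rights on that group
        Write-Log "Failed to remove $sam from '$($group.Name)': $($_.Exception.Message)"
    }
}
```

Usage: `.\Remove-SelfFromGroups.ps1 -GroupList A, C -WhatIf` shows what solution b would do without touching AD; `-GroupList ALL` is solution a. Every failure is logged and the loop continues, so one group the user has no rights on does not abort the rest.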
  • -the user needs to have permissions to remove themselves from groups in AD.-

    How can I exactly set this without giving any admin permissions?

    -the flow would basically be:-

    I understand the flow you said, but how exactly should the script be written, please?

    -Why would the current user want to remove themselves from every group they are a member of?  Seems like an off-boarding process, and in that case you wouldn't log in or runas a particular user to delete membership.-

    It's complicated to explain. In case of a WannaCry attack or something similar, the virus starts executing on all files and folders from the top down or the bottom up. If I place at the end or at the beginning a script that does what I want, I prevent the attack on all the content of the share.

    Friday, March 29, 2019 8:04 AM
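On the question of granting the permission without admin rights: Active Directory has a validated write named Self-Membership ("Add/Remove self as member", rightsGuid bf9679c0-0de6-11d0-a285-00aa003049e2) that can be delegated on a group object; a trustee holding it can add or remove only its own account from that group's member attribute and nothing else. Below is an added example, not code posted in the thread, in which an administrator delegates that right on a group. It assumes the RSAT ActiveDirectory module and the AD: drive it provides, and it runs under an account that may modify the group's security descriptor; the Grant-SelfMembership function name and the choice of trustee are my own.

```powershell
# Added example (not from the thread): an administrator delegates the
# "Self-Membership" validated write on a group, so that holders of the right
# can remove (or add) themselves without any other permission on the group.
# Assumes the RSAT ActiveDirectory module and its AD: drive; run as an account
# that can modify the group's security descriptor.
Import-Module ActiveDirectory -ErrorAction Stop

function Grant-SelfMembership {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        # Trustee receiving the right; defaults to the group itself, so only its
        # current members (whose tokens carry the group SID) get self-service removal.
        [System.Security.Principal.SecurityIdentifier]$Trustee
    )

    # rightsGuid of the Self-Membership validated write in the AD schema
    $selfMembershipGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    if (-not $Trustee) { $Trustee = $group.SID }

    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # ActiveDirectoryRights.Self with the validated write's GUID as object type
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $selfMembershipGuid
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Re-read and return the ACE so the caller can confirm it landed
    (Get-Acl -Path $path).Access | Where-Object {
        $_.ObjectType -eq $selfMembershipGuid -and
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self
    }
}

# Usage, once per group that should be self-service (groups A and C from the thread):
# Grant-SelfMembership -GroupName 'A'
# Grant-SelfMembership -GroupName 'C'
```

Two caveats a practitioner should keep in mind. The validated write covers adding as well as removing oneself, so anyone who holds it on a group can rejoin that group; with the group itself as trustee, a user who has removed themselves loses the right only once they log on again and their token no longer carries the group SID. And nothing here touches the primary group (Domain Users by default), which the earlier reply correctly notes cannot be removed through the member attribute at all.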
  • ++ anyone??
    Monday, April 1, 2019 7:45 AM
  • No one?

    Please can you help me, guys??????????

    thanks

    cheers

    Wednesday, April 3, 2019 8:18 AM
  • I would be very careful with the following script.  Also note that this is an example; there is no error handling and the script blindly removes the current user from all groups they are a member of.

    As we previously said, this is an odd way to handle this request, as I wouldn't expect the current user to remove themselves from all AD groups.

    Example of how you might accomplish this:

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    Import-Module ActiveDirectory

    # Account running the script; SamAccountName is what the AD cmdlets resolve
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current

    # Returns ADGroup objects; the primary group (usually Domain Users) is not included
    $groups = Get-ADPrincipalGroupMembership $user.SamAccountName

    foreach($group in $groups)
    {
       # The cmdlet is Remove-ADGroupMember; it prompts by default, hence -Confirm:$false
       Remove-ADGroupMember -Identity $group -Members $user.SamAccountName -Confirm:$false
    }

    Wednesday, April 3, 2019 1:41 PM
  • Ohhhh, thanks

    .bat?

    Wednesday, April 3, 2019 3:24 PM
  • This is a PowerShell script. .ps1

    Just do it.

    Tuesday, April 9, 2019 2:41 PM