Asked by:
need help to write a script for Remove-ADGroupMember

Question
-
Hi all,
I need to write a script that, when executed, removes the user who executes it from all the AD groups they are a member of, or from a specified group.
Please can you help me write it?
Thanks
Cheers
Thursday, March 28, 2019 4:08 PM
All replies
-
Maybe instead of getting the current context the script is running under, create parameters for the script that take a username as one parameter and a groupList as another. The groupList can say ALL, which means that if you pass ALL to that parameter, the user is removed from ALL the groups they are a member of.
Pseudocode:
ensure username is valid
ensure each group in groupList is valid
if only a short list of groups: for each group, run a remove user on that group
if ALL: I would first get a list of groups the user is a member of and then run remove user on those groups
add logging
- Edited by mrasmussen Thursday, March 28, 2019 6:14 PM
Thursday, March 28, 2019 4:12 PM -
Mmmm, thanks for the quick reply... maybe I didn't get you.
What I'd like is this:
let's suppose there are users "X", "Y", "Z"
and the groups "A", "B", "C"
X is in group A
Y is in groups A, C
Z is in groups A, B, C
Let's suppose the end user clicks and executes the script.
(here I could accept both solutions)
solution a. the user who executes it removes himself from all the groups he is a member of
solution b. the user who executes it removes himself from groups A and C if he is a member; otherwise nothing happens
Obviously the end user has no admin privilege.
Thanks for your help mate
Thursday, March 28, 2019 6:10 PM -
The user needs to have permissions to remove themselves from groups in AD.
So, if you want to use the security context of the user account executing the script, the flow would basically be:
Get group membership - get a list of groups
foreach group - remove user X
Catch errors like access denied
Why would the current user want to remove themselves from every group they are a member of? Seems like an off-boarding process, and in that case you wouldn't log in or runas a particular user to delete membership.
Thursday, March 28, 2019 6:20 PM -
I would expect only an administrator (or account operator) could do this, not a normal user. Also, you cannot remove the "primary" group membership (generally the group "Domain Users").
Richard Mueller - MVP Enterprise Mobility (Identity and Access)
Thursday, March 28, 2019 6:35 PM -
-the user needs to have permissions to remove themselves from groups in AD.-
How can I exactly set this without giving any admin permission?
-the flow would basically be:-
I understand the flow you described, but how exactly should the script be written, please?
-Why would the current user want to remove themselves from every group they are a member of? Seems like an off-boarding process, and in that case you wouldn't log in or runas a particular user to delete membership.-
It's complicated to explain. In case of a WannaCry attack or something similar, the virus starts executing all files and folders from the top down or from the bottom up. If I place at the end or at the beginning a script that does what I want, I prevent the attack from reaching all the content of the share.
Friday, March 29, 2019 8:04 AM -
++anyone??
Monday, April 1, 2019 7:45 AM
-
No one?
Please can you help me guys??????????
thanks
cheers
Wednesday, April 3, 2019 8:18 AM -
I would be very careful with the following script. Also note that this is an example: there is no error handling, and the script blindly removes the current user from all groups they are a member of.
As we previously said, this is an odd way to handle this request, as I wouldn't expect the current user to remove themselves from all AD groups.
Example of how you might accomplish this:
# Load the AD cmdlets and the .NET type used to resolve the current user
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
# Every group the current user is a direct member of (ADGroup objects, usable as -Identity)
$groups = Get-ADPrincipalGroupMembership -Identity $user.SamAccountName
foreach ($group in $groups) {
    # Prompts for confirmation on each group unless -Confirm:$false is added
    Remove-ADGroupMember -Identity $group -Members $user.SamAccountName
}
Wednesday, April 3, 2019 1:41 PM -
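As an added example (not posted by anyone in this thread), here is the parameterised version of mrasmussen's pseudocode and flow, with Richard Mueller's primary-group caveat handled: it validates the user and each named group, resolves the ALL keyword, skips the primary group, logs every result and catches access-denied failures instead of stopping. The parameter names, the log path and the Write-Log helper are assumptions of this example; it assumes the ActiveDirectory (RSAT) module is installed and that the caller has been delegated write access to the member attribute of the target groups.

```powershell
# Added example, not from the thread. Removes one user from named groups or from ALL groups.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string]   $UserName,                       # SamAccountName
    [Parameter(Mandatory)] [string[]] $GroupList,                      # group names, or 'ALL'
    [string] $LogPath = "$env:TEMP\Remove-FromGroups.log"              # assumed default
)
Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string] $Message)
    $line = "$(Get-Date -Format o) $Message"
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# 1. ensure username is valid; PrimaryGroup is needed for the skip below
$user = Get-ADUser -Identity $UserName -Properties PrimaryGroup -ErrorAction Stop

# 2. resolve the group list; an unknown group name stops the run before any change is made
if ($GroupList.Count -eq 1 -and $GroupList[0] -eq 'ALL') {
    $groups = Get-ADPrincipalGroupMembership -Identity $user
} else {
    $groups = foreach ($name in $GroupList) { Get-ADGroup -Identity $name -ErrorAction Stop }
}

# The primary group (usually Domain Users) cannot be removed with Remove-ADGroupMember,
# so it is filtered out rather than producing a failure for every run
$groups = $groups | Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }

# 3. remove membership group by group, logging each outcome; -WhatIf previews the changes
foreach ($group in $groups) {
    if (-not $PSCmdlet.ShouldProcess($group.Name, "Remove $($user.SamAccountName)")) { continue }
    try {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
        Write-Log "REMOVED $($user.SamAccountName) from $($group.Name)"
    } catch {
        # Insufficient rights on the group surfaces here as an ADException; log and continue
        Write-Log "FAILED  $($group.Name): $($_.Exception.Message)"
    }
}
```

Run it as .\Remove-FromGroups.ps1 -UserName X -GroupList A,C -WhatIf first to see which memberships would be touched before committing to the change.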
ohhhh thanks
.bat ?
Wednesday, April 3, 2019 3:24 PM -
This is a PowerShell script. .ps1
Just do it.
Tuesday, April 9, 2019 2:41 PM