Remove all AD Group Membership from users in "Disabled Accounts" OU

  • Question

  • Hi All

    I have been trying to get a script to work which does the following:

    1. Disables a list of users in a csv file.

    2. Moves the users listed in the csv file to an OU named "Leavers" within the "Disabled Accounts" OU.

    3. Removes all AD group membership from the users in the "Leavers" OU.

    The script I used is more like a few scripts linked together and the first "1." and "2." stages work fine but I'm struggling to get "3." to work. 

    It does complete without error, but when I check the moved user accounts in the "Leavers" folder the groups are still in the "Member Of" section, so nothing is removed.

    This is my script below:

    ########################################################

    Import-Module ActiveDirectory

    # Stage 1: disable every account listed in the CSV (SamAccountName column)
    $list = Import-Csv c:\testing\disabledusers.csv
    foreach ($item in $list) {
        $user = Get-ADUser $item.'SamAccountName'
        $user | Disable-ADAccount
    }

    # Stage 2: move the same accounts into the Leavers OU (looked up by the Name column)
    $TargetOU = "ou=Leavers,ou=disabled accounts,dc=domain,dc=local"
    Import-Csv -Path C:\testing\disabledusers.csv | ForEach-Object {
        $UserDN = (Get-ADUser -Identity $_.Name).distinguishedName
        Move-ADObject -Identity $UserDN -TargetPath $TargetOU
    }

    # Stage 3: for every group object located under the Leavers OU, remove its disabled members
    $searchOU = "OU=Leavers,OU=Disabled Accounts,DC=domain,DC=local"

    $adgroup = Get-ADGroup -Filter 'GroupCategory -eq "Security" -or GroupCategory -eq "Distribution"' -SearchBase $searchOU
    $adgroup | ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
            Where-Object { $_.Enabled -eq $false } |
            ForEach-Object {
                $user  = $_
                $uname = $user.Name
                $gname = $group.Name
                Write-Host "Removing $uname from $gname" -Foreground Yellow
                Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false
            }
    }

    #######################################################

    I know it isn't the tidiest script so sorry.

    Can anyone suggest where I'm going wrong or assist me in achieving the removal of the groups please?

    All feedback welcomed.

    Many thanks

    Mark


    • Edited by luna c Thursday, August 10, 2017 1:46 PM
    Tuesday, August 8, 2017 4:43 PM

All replies

  • This works for most domain setups.

    Get-ADPrincipalGroupMembership jsmith |
        Where-Object { $_.Name -ne 'Domain Users' } |
        Remove-ADGroupMember -Members jsmith

    It may have issues if you have Mac clients.


    \_(ツ)_/


    • Edited by jrv Tuesday, August 8, 2017 4:50 PM
    • Proposed as answer by Yassine Souabni Tuesday, August 8, 2017 9:19 PM
    • Marked as answer by luna c Thursday, August 10, 2017 1:46 PM
    Tuesday, August 8, 2017 4:49 PM
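The filter above excludes the group named "Domain Users", but the group that cannot be removed is the one the user's primaryGroupID attribute points at, which is Domain Users only by default. The following is an added check, not code from jrv or anyone else in the thread: it resolves the actual primary group from primaryGroupID and lists which groups Get-ADPrincipalGroupMembership reports that the user's memberOf attribute does not. It assumes the RSAT ActiveDirectory module, a single-domain forest, and uses jrv's placeholder account name 'jsmith'.

```powershell
# Added check (not from the thread). Assumes the RSAT ActiveDirectory module and
# a single-domain forest; 'jsmith' is the placeholder account jrv used.
Import-Module ActiveDirectory

# The primary group is stored on the user as a RID (primaryGroupID, 513 =
# Domain Users by default), not as an entry in the group's member attribute.
# It therefore appears in Get-ADPrincipalGroupMembership but never in the
# user's memberOf back-link, and Remove-ADGroupMember fails on it.
function Get-PrimaryGroup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user      = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Group SID = domain SID + RID; Get-ADGroup accepts a SID string as -Identity
    Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
}

# Groups reported by Get-ADPrincipalGroupMembership but absent from memberOf:
# exactly the ones a blanket Remove-ADGroupMember loop would choke on. With the
# default primary group this is just Domain Users; if the primary group was
# changed, it is whatever group it was changed to.
function Compare-GroupEnumeration {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $viaMemberOf  = @((Get-ADUser -Identity $SamAccountName -Properties memberOf).memberOf)
    $viaPrincipal = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
                      Select-Object -ExpandProperty DistinguishedName)
    $viaPrincipal | Where-Object { $viaMemberOf -notcontains $_ }
}

$primary = Get-PrimaryGroup -SamAccountName 'jsmith'
"Primary group: $($primary.DistinguishedName)"
"Reported by Get-ADPrincipalGroupMembership but absent from memberOf:"
Compare-GroupEnumeration -SamAccountName 'jsmith'

# A removal loop that survives a non-default primary group filters on the
# resolved DN rather than on the name 'Domain Users'. -WhatIf here so the
# check is read-only; drop it to actually remove.
Get-ADPrincipalGroupMembership -Identity 'jsmith' |
    Where-Object DistinguishedName -ne $primary.DistinguishedName |
    Remove-ADGroupMember -Members 'jsmith' -Confirm:$false -WhatIf
```

If Compare-GroupEnumeration returns more than the primary group, something other than the primary-group mechanism is in play (for example a group in another domain that the local memberOf back-link does not carry), and that is worth finding out before running a removal loop against it.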
  • Good Day

    Based on your script you can either use jrv's option or use this:

    # $User holds the sAMAccountName of the account to strip
    $Groups = Get-ADUser -Identity $User -Properties memberOf | Select-Object -ExpandProperty memberOf
    foreach ($Group in $Groups) {
        Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false -Verbose
    }

    Regards

    Tuesday, August 8, 2017 8:05 PM
  • This is very similar, but I have used code similar to below to remove all group memberships for a user (without looping):

    $User = "jsmith"
    $Groups = (Get-ADUser -Identity $User -Properties memberOf).memberOf
    Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $Groups -Confirm:$False

    Because I retrieve the memberOf attribute of the user, I avoid the problem jrv alludes to, where you attempt to remove membership in the "primary" group of the user (usually "Domain Users"), which raises an error. Get-ADPrincipalGroupMembership also retrieves the "primary", which might be some other group. You cannot remove membership in the "primary" group, but it is never included in the memberOf attribute.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by jrv Tuesday, August 8, 2017 9:37 PM
    • Marked as answer by luna c Thursday, August 10, 2017 1:46 PM
    Tuesday, August 8, 2017 9:19 PM
  • Richard has the best solution as usual.  His method is cleaner.


    \_(ツ)_/

    Tuesday, August 8, 2017 9:37 PM
  • Thank you all for your input.

    What I would really like to do is have all 3 functions interrogate the CSV file of user names, as this will be passed to the 2nd line team moving forward and needs to be as easy for them as possible.  It would be great to just have them enter leavers' names in a CSV and then run the script to disable users, move to another OU and strip AD group memberships.

    The script above from Richard works fine for a single named user ($User = "jsmith") but how would I adapt it to work on a list of users in a CSV file?

    Appreciate the links Roman, unfortunately I do not have the Quest add-ins and have searched high and low for these but cannot find them anymore.

    Please guys, any more suggestions would be welcomed, and help to build the script to interrogate the CSV file would be awesome.

    Many thanks

    Mark

    Wednesday, August 9, 2017 10:10 AM
  • An example using Import-CSV to read a csv and loop:

    $Users = Import-Csv ".\users.csv"
    ForEach ($User In $Users)
    {
        $UserID = $User.sAMAccountName
        $Title = $User.title
        $Description = $User.description
        Set-ADUser -Identity $UserID -Replace @{title=$Title;description=$Description}
    }
    

    Check the help for the Import-CSV cmdlet.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by luna c Thursday, August 10, 2017 1:45 PM
    Wednesday, August 9, 2017 1:58 PM
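Putting the thread together: stage 3 of the script in the question does nothing because Get-ADGroup -SearchBase scopes the search to group objects located under the Leavers OU, which holds user objects, so $adgroup is empty and the removal loop never runs. The loop has to be driven per user, as Richard's memberOf approach does, and Mark asked for that approach to run over the same CSV as stages 1 and 2, which Richard's Import-Csv loop shows the shape of. The script below is an added example that combines those pieces; it is not code from the original posts. It assumes the RSAT ActiveDirectory module, a single-domain forest, a CSV with a SamAccountName column as in stage 1 of the question, the OU path from the question, and a log folder C:\testing\logs, which is my placeholder and not from the thread. Beyond what the thread asks for, it writes a per-user snapshot of the memberships before stripping them and re-reads the account afterwards to confirm the result.

```powershell
# Added example (not code from the thread). Assumptions: the RSAT ActiveDirectory
# module is available, a single-domain forest, the CSV has a SamAccountName
# column (as in the question's stage 1), the OU path from the question, and a
# log folder C:\testing\logs (placeholder, not from the thread).
Import-Module ActiveDirectory

$CsvPath  = 'C:\testing\disabledusers.csv'
$TargetOU = 'OU=Leavers,OU=Disabled Accounts,DC=domain,DC=local'
$LogDir   = 'C:\testing\logs'

function Invoke-Leaver {
    # -WhatIf / -Confirm on this function flow through to every AD write below.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetPath,
        [Parameter(Mandatory)][string]$LogDirectory
    )

    # Read everything once, up front. memberOf is the direct group list (the
    # primary group is not in it and cannot be removed anyway) and the DN is
    # needed for the move before the move changes it.
    $user   = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID
    $groups = @($user.memberOf)

    # Snapshot the access the account held before stripping it: the list to
    # rejoin on reinstatement and the record an investigation will ask for
    # once the memberships are gone.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $snapshot = Join-Path $LogDirectory "$($user.SamAccountName)-$stamp.csv"
    if ($groups.Count -gt 0) {
        $groups |
            ForEach-Object { [pscustomobject]@{ SamAccountName = $user.SamAccountName; GroupDN = $_ } } |
            Export-Csv -Path $snapshot -NoTypeInformation
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, strip group membership, move to Leavers')) {
        Disable-ADAccount -Identity $user

        # One call removes all direct memberships. Guard the empty case: an
        # empty -MemberOf argument is rejected, which would turn "nothing to
        # remove" into a failure for that row.
        if ($groups.Count -gt 0) {
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Confirm:$false
        }

        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetPath
    }

    # Verify instead of trusting a clean exit: re-read by objectGUID, which is
    # stable across the move, and report what is actually left.
    $after = Get-ADUser -Identity $user.ObjectGUID -Properties memberOf, Enabled
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Disabled       = -not $after.Enabled
        GroupsRemoved  = $groups.Count
        GroupsLeft     = @($after.memberOf).Count
        PrimaryGroupId = $user.primaryGroupID
        Snapshot       = $snapshot
    }
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    try {
        Invoke-Leaver -SamAccountName $row.SamAccountName -TargetPath $TargetOU -LogDirectory $LogDir
    } catch {
        # A bad row (typo in the CSV, account already gone, insufficient rights
        # on a protected group) is reported and the batch carries on.
        Write-Warning "$($row.SamAccountName): $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize
```

Run it once with Invoke-Leaver ... -WhatIf on a single account before handing it to the 2nd line team: every AD write is skipped and the report shows GroupsLeft equal to GroupsRemoved, which is the expected result for a dry run. A non-zero GroupsLeft after a real run points at memberships this domain's memberOf back-link could not account for, most often a group in another domain, and those need a separate query against that domain rather than another pass of this script.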