Disabled User OU - GPO to remove users from all groups

  • Question

  • Hi,

    I have a Disabled Users Organizational Unit. I disable users (those who left the company) and move them there. But the users are members of different groups. Is there a way, using GPO, to remove them from every group?


    Friday, February 14, 2020 3:14 PM

All replies

  • This is not really a task you would want to handle via a GPO.

    To automate this process, create a scheduled task that will periodically scan the list of user objects in the OU and remove them from all the groups they are part of. This is actually fairly straightforward.


    Friday, February 14, 2020 3:44 PM
  • You cannot do this by GPO. 

    You can script it though. Example:

    $OU = "OU=Disabled User,DC=contoso,DC=com"
    #List all disabled users in the OU $OU
    Get-ADUser -Filter {Enabled -eq $false} -SearchBase $OU | ForEach-Object {
        $DN = $_.DistinguishedName
        $User = $_.Name
        #List all the group memberships except Domain Users (it is the primary group)
        Get-ADPrincipalGroupMembership -Identity $DN | Where-Object { $_.Name -ne "Domain Users" } | ForEach-Object {
            $Group = $_.Name
            Write-Output "Removing $User from $Group"
            #Remove the user from the group
            Remove-ADPrincipalGroupMembership -Identity $DN -MemberOf $Group -Confirm:$false
            #Append a line to the log file that restores the group membership on the user
            $timestamp = Get-Date
            "# $timestamp - Removing $User from $Group, the following line will restore the membership" | Out-File Operations.log -Append
            "Add-ADPrincipalGroupMembership -Identity ""$DN"" -MemberOf ""$Group""" | Out-File Operations.log -Append
        }
    }

    It will empty the group membership of the users (keeping the default primary Domain Users) and create a log file to restore it. Example of the log file:

    # 02/14/2020 16:04:28 - Removing USER_103 from Office E5, the following line will restore the membership
    Add-ADPrincipalGroupMembership -Identity "CN=USER_103,OU=Disabled,DC=contoso,DC=com" -MemberOf "Office E5"
    # 02/14/2020 16:04:28 - Removing USER_108 from Office E5, the following line will restore the membership
    Add-ADPrincipalGroupMembership -Identity "CN=USER_108,OU=Disabled,DC=contoso,DC=com" -MemberOf "Office E5"

    PS. The script has some assumptions: (1) single domain, (2) the primary group of the user is Domain Users, (3) the user running the script has permission to modify the listed groups.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, February 14, 2020 4:09 PM
  • Just to clarify, you cannot remove a user from their "primary" group. This membership can be changed, but not removed.

    Edit: Also, the groups cannot be identified by the Name property with the -MemberOf parameter of Remove-ADPrincipalGroupMembership. Use $_.DistinguishedName instead. The groups must be identified by SID, GUID, SamAccountName, or DistinguishedName. It should be OK to identify the "primary" group by name, in the Where-Object clause of Get-ADPrincipalGroupMembership, since it is unlikely that another group will have that name.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, February 14, 2020 5:29 PM
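    An added example, not posted by anyone in this thread, that combines the scheduled-task approach from the first reply with the correction above: groups are passed to -MemberOf by DistinguishedName, the primary group is skipped by its SID (domain SID plus the user's primaryGroupID) rather than by the name "Domain Users", -WhatIf is supported so the task can be dry-run first, and a restore command is appended to a log for each removal. The OU path, the log path, a single domain, and the ActiveDirectory (RSAT) module being installed on the host are assumptions.

```powershell
# Added example (not the thread's code). Strips group memberships from disabled
# users in one OU, keeping the primary group, and logs a restore command per removal.
# Assumptions: RSAT ActiveDirectory module present, single domain, and the account
# running the task may modify the groups. OU and log paths are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "OU=Disabled Users,DC=contoso,DC=com",   # placeholder OU
    [string]$LogPath    = "C:\Logs\DisabledUserGroups.log"         # placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop

# Domain SID, used to rebuild each user's primary group SID from its RID.
$domainSid = (Get-ADDomain).DomainSID.Value

# Only disabled accounts directly inside the OU. OneLevel avoids nested OUs that
# might hold accounts disabled for other reasons (e.g. a temporary lockout OU).
$users = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase `
                    -SearchScope OneLevel -Properties primaryGroupID

foreach ($user in $users) {
    # The primary group cannot be removed, so identify it by SID, not by name.
    $primaryGroupSid = "$domainSid-$($user.primaryGroupID)"

    $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName |
              Where-Object { $_.SID.Value -ne $primaryGroupSid }

    foreach ($group in $groups) {
        $target = "$($user.SamAccountName) from $($group.Name)"
        # ShouldProcess honours -WhatIf / -Confirm on the script itself.
        if ($PSCmdlet.ShouldProcess($target, "Remove group membership")) {
            try {
                # Identify the group by DistinguishedName: -MemberOf accepts
                # DN, GUID, SID or SamAccountName, not the display Name.
                Remove-ADPrincipalGroupMembership -Identity $user.DistinguishedName `
                    -MemberOf $group.DistinguishedName -Confirm:$false -ErrorAction Stop

                $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
                @(
                    "# $stamp - Removed $($user.SamAccountName) from $($group.Name); the next line restores it"
                    "Add-ADPrincipalGroupMembership -Identity ""$($user.DistinguishedName)"" -MemberOf ""$($group.DistinguishedName)"""
                ) | Out-File -FilePath $LogPath -Append -Encoding utf8
            }
            catch {
                # Keep going for the remaining users; the failure is still visible in the task history.
                Write-Warning "Failed to remove $target: $_"
            }
        }
    }
}
```

    Run it once interactively with -WhatIf to see which memberships the task would remove before registering it as a scheduled task. Because the log holds the DistinguishedName of both the user and the group, each restore line can be pasted back as-is even when two groups share a display name.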
  • Thank you. This worked for me.
    Friday, February 14, 2020 9:40 PM