PowerShell script to remove all group memberships for one user

  • Question

  • Hi there,

     

    I've searched all over, but found nothing out there. So I hope you can help me with this:

    I have to create a PowerShell command which deletes all group memberships for one user. But only the mail-enabled groups.

    I don't have an idea :( you? :-)

    Thursday, June 17, 2010 6:17 AM

Answers

  • Hi there,

     

    I've searched all over, but found nothing out there. So I hope you can help me with this:

    I have to create a PowerShell command which deletes all group memberships for one user. But only the mail-enabled groups.

    I don't have an idea :( you? :-)

    You can use this script.

    E.g. if your user's primary SMTP address is user@domain.com, then this script will remove this user's membership from each mail-enabled Exchange distribution group:

    $DGs = Get-DistributionGroup | where { (Get-DistributionGroupMember $_ | foreach { $_.PrimarySmtpAddress }) -contains "user@domain.com" }

    foreach ($dg in $DGs) {
        Remove-DistributionGroupMember $dg -Member user@domain.com
    }

    Note: Put the above lines of code in a text file, save it as a .ps1 file, and then execute it in EMS or a PowerShell console.

    Regards,


    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com
    • Marked as answer by joelh80 Thursday, June 17, 2010 12:43 PM
    • Edited by Laeeq Qazi Tuesday, July 17, 2012 7:25 AM
    Thursday, June 17, 2010 10:07 AM

All replies

  • works perfectly - Thanks!!!
    Thursday, June 17, 2010 12:44 PM
  • That's great!

    Thank you for your sharing!


    Your expertise never fails to impress!

    Friday, June 18, 2010 7:05 AM
  • Hi,

    You are welcome.

    My pleasure to work with Exchange :)

    Regards,


    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com
    Friday, June 18, 2010 7:47 AM
  • Might some similar script be used to remove a user from all security groups except the primary (e.g., domain users)?
    Thursday, July 1, 2010 12:31 AM
  • Here is a PowerShell function that removes user memberships from all security and distribution groups (except, of course, the Domain Users group):

    **************************************************************************

    $users = get-aduser -Filter * -SearchBase "ou=ExEmployees,dc=contoso,dc=com"

    Function RemoveMemberships
    {
        param([string]$SAMAccountName)

        $user = Get-ADUser $SAMAccountName -properties memberof
        $userGroups = $user.memberof
        $userGroups | %{ get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName }
        $userGroups = $null
    }

    $users | %{ RemoveMemberships $_.SAMAccountName }

    ***************************************************************************

    Hope that someone will find this helpful!

     

    Cheers!


    • Edited by MilanBanjac Tuesday, October 4, 2011 7:54 AM
    • Proposed as answer by Mitski Monday, July 22, 2013 11:50 PM
    • Unproposed as answer by Mitski Monday, July 22, 2013 11:51 PM
    • Proposed as answer by Aaron ExchangeSharePoint Guy Wednesday, November 5, 2014 4:04 PM
    Tuesday, October 4, 2011 7:53 AM
  • Laiq - works like a champ.
    Where Technology Meets Talent
    Thursday, November 3, 2011 3:50 PM
  • Perfect, just the script I was after. Very helpful
    Tuesday, July 17, 2012 3:49 AM
  • This script was very helpful, I scoured a while trying to find something that would do just this!

    I added a line and modified it a little so I can just call the .ps1 from the PowerShell console and input the username manually.

    $username = read-host "Username"
    $users= get-aduser $username

    Thanks again!


    • Edited by jbailey78 Monday, November 19, 2012 7:46 PM
    Monday, November 19, 2012 7:45 PM
  • This script works for Office 365. It does go through all groups and fails on the ones where the user is not a member, but it's quick and dirty.

    $email = read-host -prompt "Email Address"
    $DGs = Get-DistributionGroup

    foreach ($dg in $DGs) {
        Remove-DistributionGroupMember $dg.name -Member $email -confirm:$false
    }

    Monday, February 4, 2013 5:35 PM
  • Newbie to Powershell -

    Hi guys, this doesn't work for me... I've edited where I "thought" I should, and incorporated jbailey's suggestion... but being that I'm no expert... I've italicized and bolded where I put the entries... any suggestions? I like the option of being prompted for which user....

    $username = read-host "Username"
    $users= get-aduser $username

    $users= get-aduser -Filter * -SearchBase "ou=Users,dc=mydomaino,dc=local"

    Function RemoveMemberships
    {
        param([string]$username

        $users = Get-ADUser $username -properties memberof
        $userGroups = $user.memberof
        $userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $username}
        $userGroups = $null
    }

    $users | %{RemoveMemberships $_.username

    Friday, March 8, 2013 9:22 PM
  • Try this:

    import-module activedirectory

    $username = read-host "Username:"
    $users = (Get-ADUser $username -properties memberof).memberof
    $users | Remove-ADGroupMember -Members $username -Confirm:$false


    • Edited by jbailey78 Tuesday, March 26, 2013 12:57 AM
    Tuesday, March 26, 2013 12:44 AM
  • Well.. if you use the memberOf attribute, what do you do with groups with "odd" characters in the DN? Odd characters being / = , # > \ < ' " and maybe one or two others?

    PowerShell cmdlets seem most irrational when it comes to needing or not needing to escape these.

    Wednesday, July 3, 2013 6:50 AM
  • This script is great! I wonder though how I would add an exception. That is, remove all groups (except Domain Users) except one group, so I would like to NOT remove "TESTGROUP".

    I tried to add:

    $userGroups | %{get-adgroup -Filter (name -ne "TESTGROUP") $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}

    but this does not work! I also tried the filter after the Remove-ADGroupMember, but it also did not work. Any assistance/advice would be most welcome.

    thanks

    Steve

    Thursday, August 22, 2013 10:08 AM
  • Hi,

    Does anyone know how to do this for a batch of users? At the moment I have this working for a single AD user, but what I am trying to do is import a .csv file with a list of users and perform this action... any ideas??

    Thanks

    Wednesday, September 4, 2013 3:58 PM
  • Steve, I'm looking to do a similar thing to what you want to do. I think this should be possible, but I can't quite get it working correctly either. For example, I have a bunch of groups that start with, say, "ABC". I would like to be able to remove ALL groups for a particular user EXCEPT those that start with "ABC".

    I would think something like:  $userGroups | get-adgroup -filter 'name -notlike "ABC"' | remove-adgroupmember -member $SAMAccountName

    It doesn't work though.

    Tuesday, November 5, 2013 8:32 PM
  • Hi,

    It seems that you forgot the * in the expression "name -notlike 'ABC'".

    Can you try this:

     get-adgroup -filter "name -notlike 'ABC*'" | remove-adgroupmember -member $SAMAccountName

    Also, if you want to use the already retrieved groups (stored in the variable $userGroups), then you can use them like this:

    $userGroups | ? { $_.Name -notlike "ABC*" }| remove-adgroupmember -member $SAMAccountName

    Regards,


    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

    Wednesday, November 6, 2013 12:00 AM
  • Thanks for the help Laeeq, however, it's not quite right. If I use:

    $userGroups | ? { $_.Name -notlike "ABC*" }| remove-adgroupmember -member $SAMAccountName

    It actually removes all groups starting with ABC and leaves the other groups alone. If I switch it to "LIKE", no groups are removed.

    In testing, I did this:

    $GroupsToRemove = $userGroups | ? { $_.Name -notlike "ABC*" }

    Showing the value of $GroupsToRemove, I would expect to see all groups EXCEPT those starting with ABC; however, it shows only the ABC groups. If I switch it to Like, it shows NO groups.

    • Edited by LE2Strat Wednesday, November 6, 2013 2:09 PM
    Wednesday, November 6, 2013 1:33 PM
  • Got it working using the Quest AD cmdlets:

    import-csv C:\CSVFile.csv | foreach {
        $username = $_.name
        $user = get-qaduser $username -properties memberof
        $userGroups = $user.memberof
        $GroupsToRemove = $userGroups | Get-QADGroup | where { $_.name -notlike "ABC*" }
        $GroupsToRemove | Remove-QADGroupMember -Member $username
    }

    Monday, November 11, 2013 2:07 PM
  • PERFECT!!! THX a lot!

    Just edit ou=ExEmployees,dc=contoso,dc=com to

    ou=Disabled Accounts,dc=domain,dc=com and it removed all disabled account users from all groups except "Domain Users"

    Bravo Milan, many thanks :)

    Tuesday, April 15, 2014 7:17 AM
  • Awesome, thank you!
    Wednesday, September 17, 2014 1:44 PM
  • I'd suggest using the following function:

    Function RemoveMemberships {
        param([string]$SAMAccountName)

        $user = Get-ADUser $SAMAccountName -properties memberof -errorvariable Err
        if ($err.Message -notlike "*Cannot find an object with identity*") {
            $user.memberof | where { $_ -notlike "*Domain Users*" } | %{ get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $User.DistinguishedName }
        }
    }

    Unfortunately Get-ADUser does not follow the ErrorAction, so adding SilentlyContinue will still give the errors

    (at least on Win2008R2)

    You could also feed this a list of accounts from a text file like this:

    Get-Content "User.txt" | % { RemoveMemberships $_ }

    Thursday, February 11, 2016 9:26 AM
  • Or if you want to perform the same, only in AD:

    $username = "nemanja.jovic"
    $groups = Get-ADPrincipalGroupMembership -Identity $username | Select-Object -ExpandProperty Name
    foreach ($group in $groups) {
        Remove-ADPrincipalGroupMembership -Identity $username -MemberOf $group -Confirm:$false
    }

    Monday, August 28, 2017 10:45 AM
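Pulling the thread together, here is an added example (not code from any poster above) that builds on the memberOf approach, resolves each DN to a group object before testing Name (the raw DN strings in memberOf have no Name property, which is why the "ABC*" filter in the replies above never matched), keeps groups matching exclusion patterns such as "ABC*" or "TESTGROUP", honours -WhatIf for a dry run, and takes a batch of SamAccountNames from the pipeline. The function name, the KeepPattern values, the user name 'jdoe' and the CSV path are assumptions; the ActiveDirectory module is required. Unlike Get-ADPrincipalGroupMembership in the reply just above, memberOf never lists the primary group, so Domain Users is left untouched without a special case.

```powershell
# Added example, not from any poster in this thread. Assumes the ActiveDirectory
# module; the patterns, user name and CSV path below are constructed placeholders.
Import-Module ActiveDirectory

function Remove-UserGroupMemberships {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$SamAccountName,
        # Groups whose Name matches any of these wildcard patterns are left in place.
        [string[]]$KeepPattern = @()
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties memberOf -ErrorAction Stop
        # memberOf holds distinguished-name strings, not group objects, so a Name test on
        # the raw strings matches nothing; resolve each DN first. Passing the DN back
        # unchanged (rather than rebuilding it from Name) also avoids the escaping
        # questions raised above for DNs containing characters such as / or ,.
        # The primary group (Domain Users) never appears in memberOf, so it is skipped.
        foreach ($dn in $user.memberOf) {
            $group = Get-ADGroup -Identity $dn
            $keep = $KeepPattern | Where-Object { $group.Name -like $_ }
            if ($keep) {
                Write-Verbose "Keeping $SamAccountName in $($group.Name)"
                continue
            }
            # ShouldProcess makes -WhatIf / -Confirm on this function cover the removal.
            if ($PSCmdlet.ShouldProcess($group.Name, "Remove member $SamAccountName")) {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
                Write-Verbose "Removed $SamAccountName from $($group.Name)"
            }
        }
    }
}

# Preview for one user first, then run for a batch from a CSV with a SamAccountName column.
Remove-UserGroupMemberships -SamAccountName 'jdoe' -KeepPattern 'ABC*' -WhatIf -Verbose
Import-Csv 'C:\leavers.csv' | Select-Object -ExpandProperty SamAccountName |
    Remove-UserGroupMemberships -KeepPattern 'ABC*', 'TESTGROUP' -Verbose
```

Run with -Verbose and redirect the verbose stream to a file if you want a record of which memberships were removed for each account.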