Solved

Remove certain users from group using PowerShell

Posted on 2011-02-17
19
763 Views
Last Modified: 2012-05-11
I am going to create a large group of users with PowerShell by importing from a CSV. How can I then remove them all from Domain Users?
0
Question by:Go-GBS
19 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34916943

Ahh now see that presents a unique little problem.

To remove someone from Domain Users you must first change the Primary Group.

Which is something I've done before, because I blogged about it:

http://www.indented.co.uk/index.php/2010/01/22/changing-the-primary-group-with-powershell/

Please don't hesitate to ask if it raises more questions.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34916956
Oh and, don't think you can get away with not having them in any groups :) It occurred to me that might be the hope :)

The user must have a Primary group at the very least, although there's no harm in us changing which that is (provided you do not need them to have the rights associated with Domain Users).

Chris
0
 
LVL 9

Expert Comment

by:snurker
ID: 34916982
This is why he is a super genius... My question would be why not leave domain users and create a group to put people in that are supposed to have access to areas that you do not want everyone (Domain users) to have?
0

 

Author Comment

by:Go-GBS
ID: 34916998
No, I understand they need to be in at least one group, and adding them to another group is easy enough, even through Active Directory. But, let's say I only wanted to remove certain users within Domain Users, not all; is that possible?
0
 

Author Comment

by:Go-GBS
ID: 34917020
I'd like Domain Users to not have access to anything, but group access was set up before I was here, so it would take some work to fix the permissions.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34917035

Yes, that's absolutely fine.

You have to run the process I linked on my blog for each of the users to change the primary group. The snippet does the following:

1. Gets the appropriate group tokens
2. Adds users to the new group
3. Changes over the primary group
4. Removes users from the old group

My snippet does everyone in the source group, but there's no reason it can't be a lot more flexible. How would you like to define who moves?

Chris
0
 

Author Comment

by:Go-GBS
ID: 34917068
Well, if I added them to another group, let's call it "No Access." So for each user in No Access, remove them from Domain Users.

Now let me understand this part, would I need to run that process for each user individually, or can I run it once to catch all of them?
0
 
LVL 71

Accepted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 34917896

Individually, but we can make the script do that. Do you have a list of users or something?

Perhaps they're already in the No Access group? We could set it up so the script finds members of "No Access" whose primary group is *not* "No Access". Then change it for all of those.

In fact, because that, to me, feels like a nice solution, here's how we'd do just that.

Chris
#
# You need to correct this value for me
#

$NewGroupDN = "CN=No Access,OU=somewhere,DC=domain,DC=com"

#
# Get the Domain users group token
#

$DomainNC = ([ADSI]"LDAP://RootDSE").DefaultNamingContext

$OldGroup = [ADSI]"LDAP://CN=Domain Users,CN=Users,$DomainNC"
$OldGroup.GetInfoEx(@("primaryGroupToken"), 0)
$OldGroupToken = $OldGroup.Get("primaryGroupToken")   # read from the $OldGroup entry bound above

#
# Get the NewGroup token
#

$NewGroup = [ADSI]"LDAP://$NewGroupDN"
$NewGroup.GetInfoEx(@("primaryGroupToken"), 0)
$NewGroupToken = $NewGroup.Get("primaryGroupToken")

#
# Determine which accounts will be affected by the change
#
# Members of $NewGroupDN whose primary group token is not set to $NewGroupToken

$BaseOU = [ADSI]"LDAP://OU=SomeWhere,$DomainNC"
$LdapFilter = "(&(objectClass=user)(objectCategory=person)" + `
  "(memberOf=$NewGroupDN)(!(primaryGroupID=$NewGroupToken)))"   # RFC 4515 NOT form: (!(attr=value))

#
# Find the users
#

$Searcher = New-Object DirectoryServices.DirectorySearcher($BaseOU, $LdapFilter)
$Searcher.PageSize = 1000

$Searcher.FindAll() | ForEach-Object {
  $User = $_.GetDirectoryEntry()

  # Change the Primary Group

  $User.Put("primaryGroupId", $NewGroupToken)
  $User.SetInfo()

  # Then the old group can be removed

  $OldGroup.Remove($User.AdsPath)
}


0
 

Author Comment

by:Go-GBS
ID: 34918030
Ok, I'll give this a try in a little bit, thanks.
0
 

Author Comment

by:Go-GBS
ID: 34918294
Where in here do I specify the new Group's name?
0
 

Author Comment

by:Go-GBS
ID: 34919031
Ah, I think I get it now, CN=No Access would be the group, so lines 5 and 30 are the only places I need to adjust, correct?
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 34919421
Yes, that's correct. I should have moved 30 up so it was more obvious, sorry about that.

Just make sure you include the full distinguished name for the group for $NewGroupDN.

I haven't tested it, and obviously it should be tested carefully first. Initially I suggest running with lines 46, 47 and 51 commented out. Perhaps add this at line 43:

Write-Host "Changing primary group for $($User.Get('name'))"

And of course, you should ask if anything I'm posting isn't clear :)

Chris
0
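The procedure in the accepted solution (users already in the new group, repoint the primary group, then drop them from Domain Users) together with the dry-run advice from the follow-up, written as an added example against the Microsoft ActiveDirectory module instead of raw ADSI. This is not code from the thread or from Chris; it assumes the ActiveDirectory module is available (RSAT, or Windows Server 2008 R2 and later), that the users are already direct members of the new group, and that the group DN passed in is a placeholder you replace with your own. It narrows Chris's filter to members whose primary group is still Domain Users, which is the case the question asks about, and supports -WhatIf so the list of affected accounts can be reviewed before anything changes.

```powershell
# Added example, not the thread's own code. Same steps as Chris's ADSI snippet,
# expressed with the Microsoft ActiveDirectory module (assumed to be installed).
#
# Usage (DN below is a placeholder; supply your own group's full distinguished name):
#   .\Move-PrimaryGroup.ps1 -NewGroupDN "CN=No Access,OU=somewhere,DC=domain,DC=com" -WhatIf   # report only
#   .\Move-PrimaryGroup.ps1 -NewGroupDN "CN=No Access,OU=somewhere,DC=domain,DC=com"           # apply (prompts)
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [string]$NewGroupDN,

    # Group the users are being removed from; Domain Users unless told otherwise.
    [string]$OldGroupName = 'Domain Users'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Escape a value before embedding it in an LDAP filter (RFC 4515), so a DN that
# happens to contain ( ) * or \ cannot change the meaning of the query.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# primaryGroupToken is a constructed attribute, so it has to be requested explicitly.
$NewGroup = Get-ADGroup -Identity $NewGroupDN   -Properties primaryGroupToken
$OldGroup = Get-ADGroup -Identity $OldGroupName -Properties primaryGroupToken
$NewToken = [int]$NewGroup.primaryGroupToken
$OldToken = [int]$OldGroup.primaryGroupToken
Write-Verbose "New primary group '$($NewGroup.Name)' (token $NewToken); old group '$($OldGroup.Name)' (token $OldToken)"

# Candidates: direct members of the new group whose primary group is still the old one.
# The memberOf clause matters: AD rejects a primaryGroupID that points at a group the
# user is not already a member of, which is why "add to new group" comes first.
$Filter = "(&(objectClass=user)(objectCategory=person)" +
          "(memberOf=$(ConvertTo-LdapFilterValue $NewGroupDN))(primaryGroupID=$OldToken))"
$Users = @(Get-ADUser -LDAPFilter $Filter -Properties primaryGroupID)

if ($Users.Count -eq 0) {
    Write-Host "No members of '$($NewGroup.Name)' still have '$($OldGroup.Name)' as their primary group."
    return
}
Write-Host "$($Users.Count) account(s) selected."

foreach ($User in $Users) {
    $Target = "$($User.SamAccountName) ($($User.DistinguishedName))"
    $Action = "Set primary group to '$($NewGroup.Name)' and remove from '$($OldGroup.Name)'"
    # With -WhatIf this only prints "What if: ..."; with the default High confirm impact it prompts.
    if (-not $PSCmdlet.ShouldProcess($Target, $Action)) { continue }

    try {
        # Step 1: repoint the primary group. Once this succeeds AD lists the old primary
        # group as an ordinary membership on the account, which step 2 can then remove.
        Set-ADUser -Identity $User -Replace @{ primaryGroupID = $NewToken } -ErrorAction Stop
        # Step 2: drop the now-ordinary membership in the old group.
        Remove-ADGroupMember -Identity $OldGroup -Members $User -Confirm:$false -ErrorAction Stop
        Write-Host "Moved $($User.SamAccountName): primary group -> '$($NewGroup.Name)', removed from '$($OldGroup.Name)'"
    }
    catch {
        # Leave the account as it is and carry on; surface it for manual follow-up.
        Write-Warning "Failed for $($User.SamAccountName): $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf and -Verbose to see the two group tokens and the exact accounts it would touch, then without -WhatIf; because the script declares a High confirm impact it asks before each account unless you pass -Confirm:$false. The primary-group change and the group removal are done per user and in that order, so an account for which step 1 fails is left untouched rather than half-moved.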
 

Author Comment

by:Go-GBS
ID: 34919445
Where exactly do I specify the distinguished name for $NewGroupDN?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34919491
Line 5.

For example, if your group in AD was like this:

yourdomain.local
          | --- Some First Folder
                         | --- Some Second Folder
                                         | --- No Access

You would set $NewGroupDN like this:

$NewGroupDN = "CN=No Access,OU=Some Second Folder,OU=Some First Folder,DC=yourdomain,DC=local"

Then the script would be able to pick up everything it needs about that particular group.

We can simplify this to an extent if you pick up the Quest AD CmdLets:

http://www.quest.com/powershell/activeroles-server.aspx

It should be able to deal with everything we need, more abstraction, less obscure code :) Do yell if you'd like me to re-post using those instead.

Chris
0
 

Author Comment

by:Go-GBS
ID: 34919514
Oh ok, yeah I did specify that. I also installed the Quest cmdlets, but I think I'm ok with this so far. I think I'm going to create a group and put some users in it to test, that way I'm not affecting anything that's going to mess people up.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34920132
Okay, let me know if you change your mind, it would be interesting :)

Chris
0
 

Author Comment

by:Go-GBS
ID: 34920171
If you're up for reposting I'll give it a try, I just hate to make more work for you.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34920190
No real bother for me, a few minutes work. That said, you might not get it until tomorrow morning, at home now which means I don't have anything to check against :)

Chris
0
 

Author Comment

by:Go-GBS
ID: 34920207
That's perfectly fine, and thank you again for all the help.
0
