Go-GBS
asked on
Remove certain users from group using PowerShell
I am going to create a large group of users with powershell by importing from a CSV, how can I then remove them all from Domain Users?
Oh and, don't think you can get away with not having them in any groups :) It occurred to me that might be the hope :)
The user must have a Primary group at the very least, although there's no harm in us changing which that is (provided you do not need them to have the rights associated with Domain Users).
Chris
This is why he is a super genius... My question would be why not leave domain users and create a group to put people in that are supposed to have access to areas that you do not want everyone (Domain users) to have?
ASKER
No, I understand they need to be in at least one group, and adding them to another group is easy enough, even through Active Directory. But let's say I only wanted to remove certain users within Domain Users, not all; is that possible?
ASKER
I'd like Domain Users to not have access to anything, but group access was set up before I was here, so it would take some work to fix the permissions.
Yes, that's absolutely fine.
You have to run the process I linked on my blog for each of the users to change the primary group. The snippet does the following:
1. Gets the appropriate group tokens
2. Adds users to the new group
3. Changes over the primary group
4. Removes users from the old group
My snippet does everyone in the source group, but there's no reason it can't be a lot more flexible. How would you like to define who moves?
Chris
ASKER
Well, if I added them to another group, let's call it "No Access." So for each user in No Access, remove them from Domain Users.
Now let me understand this part, would I need to run that process for each user individually, or can I run it once to catch all of them?
ASKER CERTIFIED SOLUTION
ASKER
Ok, I'll give this a try in a little bit, thanks.
ASKER
Where in here do I specify the new Group's name?
ASKER
Ah, I think I get it now, CN=No Access would be the group, so lines 5 and 30 are the only places I need to adjust, correct?
SOLUTION
ASKER
Where exactly do I specify the distinguished name for $NewGroupDN?
Line 5.
For example, if your group in AD was like this:
yourdomain.local
| --- Some First Folder
| --- Some Second Folder
| --- No Access
You would set $NewGroupDN like this:
$NewGroupDN = "CN=No Access,OU=Some Second Folder,OU=Some First Folder,DC=yourdomain,DC=local"
Then the script would be able to pick up everything it needs about that particular group.
We can simplify this to an extent if you pick up the Quest AD CmdLets:
http://www.quest.com/powershell/activeroles-server.aspx
It should be able to deal with everything we need, more abstraction, less obscure code :) Do yell if you'd like me to re-post using those instead.
Chris
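Chris's own snippet sits behind the blog link and the accepted solution is hidden, so the following is an added example, not code from the thread, that carries out the four steps described above (get the group tokens, make sure the user is in the new group, switch the primary group, then remove from the old group) for every direct member of the "No Access" group. It uses the Microsoft ActiveDirectory module rather than the Quest cmdlets, and the $NewGroupDN value is the constructed one from the example tree above.

```powershell
Import-Module ActiveDirectory

# Constructed DN from the example above; replace with the real group's DN.
$NewGroupDN = "CN=No Access,OU=Some Second Folder,OU=Some First Folder,DC=yourdomain,DC=local"

# Step 1: read the primaryGroupToken of both groups. A user's primaryGroupID
# attribute holds this token, not the group's DN.
$NewGroup    = Get-ADGroup -Identity $NewGroupDN     -Properties primaryGroupToken
$DomainUsers = Get-ADGroup -Identity "Domain Users"  -Properties primaryGroupToken

# Only direct user members of the new group are touched; nobody else moves.
Get-ADGroupMember -Identity $NewGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $User = Get-ADUser -Identity $_.distinguishedName -Properties primaryGroupID

        # Step 2 is already satisfied: the user is a member of the new group,
        # which AD requires before that group can become the primary group.

        # Step 3: switch the primary group. AD then records the user as an
        # explicit member of the old primary group (Domain Users).
        if ($User.primaryGroupID -ne $NewGroup.primaryGroupToken) {
            Set-ADUser -Identity $User -Replace @{ primaryGroupID = $NewGroup.primaryGroupToken }
        }

        # Step 4: now the explicit Domain Users membership can be removed.
        Remove-ADGroupMember -Identity $DomainUsers -Members $User -Confirm:$false
    }
```

Run it first with -WhatIf added to the Set-ADUser and Remove-ADGroupMember calls against the test group the asker mentions, and keep in mind that anything granted to Domain Users (including the default rights described earlier in the thread) is lost for these accounts.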
ASKER
Oh ok, yeah I did specify that. I also installed the Quest cmdlets, but I think I'm ok with this so far. I think I'm going to create a group and put some users in it to test, that way I'm not affecting anything that's going to mess people up.
Okay, let me know if you change your mind, it would be interesting :)
Chris
ASKER
If you're up for reposting I'll give it a try, I just hate to make more work for you.
No real bother for me, a few minutes work. That said, you might not get it until tomorrow morning, at home now which means I don't have anything to check against :)
Chris
ASKER
That's perfectly fine, and thank you again for all the help.
Ahh now see that presents a unique little problem.
To remove someone from Domain Users you must first change the Primary Group.
Which is something I've done before, because I blogged about it:
http://www.indented.co.uk/index.php/2010/01/22/changing-the-primary-group-with-powershell/
Please don't hesitate to ask if it raises more questions.
Chris