
Removing Disabled Users - PowerShell Script

Afternoon,

There is a script I found online that should allow me to look at a particular OU and remove any users from AD Groups that are disabled.

Making minor modifications to the script, it ran without any errors reported in the shell, however there were no users deleted once it ran.

Script
 Get-QADGroup -SearchRoot "OU=Disabled Users,DC=domain,DC=local" | Foreach-Object{
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Remove-QADGroupMember -Identity $group -WhatIf
 }



User is part of two other groups. From what I can see, this script appears accurate. (domain would be our domain name, of course)

The groups however have remained there, even with the -WhatIf statement removed.

Thanks!
0
victory2201
Asked:
1 Solution
 
Jamie McKillop (IT Manager) Commented:
Hello,

Are the groups located in the OU "OU=Disabled Users,DC=domain,DC=local"? The searchroot parameter is for looking for the location of the groups, not the users. If you want to remove the users from any group in your domain, remove the searchroot parameter from your command.

-JJ
0
 
victory2201 (Author) Commented:
Get-QADGroup  "OU=Disabled Users,DC=domain,DC=local" | Foreach-Object{
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Remove-QADGroupMember -Identity $group -WhatIf
 }


What about the whatif statement? I thought that would have to be removed as well before deletion could occur? (I removed the -searchroot above)
0
 
victory2201 (Author) Commented:
Yes, they are located in the OU labeled disabled users for testing right now.

The actual OU structure would look like this if applying on a per site basis instead of that OU.

OU=SiteName, OU=Disabled Users, DC=DomainName, DC=local
0

 
Jamie McKillop (IT Manager) Commented:
Yes, you also need to remove the whatif statement.

-JJ
0
 
Jamie McKillop (IT Manager) Commented:
After the line: $group = $_

Add the line: $group

This will echo back the group and confirm that it is finding the groups you want it to.

-JJ
0
 
victory2201 (Author) Commented:
Ok,

Modified the script as discussed. The result however was still the same.

Thanks.
0
 
Jamie McKillop (IT Manager) Commented:
Remove "OU=Disabled Users,DC=domain,DC=local" from your script

Your script should look like this:

Get-QADGroup  | Foreach-Object{
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Remove-QADGroupMember -Identity $group 
 }



-JJ
0
 
victory2201 (Author) Commented:
OK, question though.

That modification you made above is no longer looking to a particular OU.

Ideally, what I am looking for is being able to filter, per disabled user OU, to remove all current disabled accounts from any groups that they may still be part of.

EX:
Username John Smith, is part of HQGlobal and HQMarketing. We need that script to run on that OU and remove him from those groups, since he is no longer an employee.

I need this to happen for multiple users that are within the OU as well, during the script.


Thanks. : )
0
 
Jamie McKillop (IT Manager) Commented:
OK, you need to approach it a bit differently to do what you want. Try this script:

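# All user accounts under the Disabled Users OU
$users = Get-QADUser -SearchRoot "OU=Disabled Users,DC=domain,DC=local"
foreach ($user in $users) {
	# Every group that has this user as a member...
	Get-QADGroup | where {Get-QADGroupMember -Identity $_ -Name $user.Name} | % {
		# ...has that member removed
		Remove-QADGroupMember -Identity $_ -Member $user
	}
}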



-JJ
0
 
victory2201 (Author) Commented:
Ok, that startled me when the -searchroot command ran inside ISE. >_>

That should show a progress bar as it scans AD in its entirety, correct?
0
 
Jamie McKillop (IT Manager) Commented:
Yes, it will search all of AD for the groups. You may need to add -sizelimit 0 to the get-qadgroup command if you have a lot of groups. If all your groups are in a single OU, you can add the -searchroot parameter to specify that OU only be searched.

-JJ
0
Question has a verified solution.
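
The same cleanup as an added example, not code from the thread: it assumes Microsoft's ActiveDirectory module rather than the Quest QAD cmdlets used above, reads each disabled user's MemberOf attribute instead of scanning every group in AD, and honours -WhatIf. The function name and the audit CSV path are hypothetical.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

function Remove-DisabledUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # OU that holds the disabled accounts
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,
        # Hypothetical location for the audit/rollback record
        [string]$AuditCsv = ".\disabled-user-groups-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Only accounts that are actually disabled, even if enabled ones sit in the OU.
    $query = @{
        SearchBase = $SearchBase
        Filter     = 'Enabled -eq $false'
        Properties = 'MemberOf'
    }
    $users = Get-ADUser @query

    # One row per (user, group) pair. MemberOf does not list the primary group
    # (normally Domain Users), so that membership is left alone.
    $plan = foreach ($user in $users) {
        foreach ($groupDn in $user.MemberOf) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                UserDn         = $user.DistinguishedName
                GroupDn        = $groupDn
            }
        }
    }

    # Write the record before changing anything, on dry runs too, so it can be reviewed.
    if ($plan) { $plan | Export-Csv -Path $AuditCsv -NoTypeInformation -WhatIf:$false }

    foreach ($row in $plan) {
        # ShouldProcess returns $false under -WhatIf and prints what would happen.
        if ($PSCmdlet.ShouldProcess($row.GroupDn, "Remove member $($row.SamAccountName)")) {
            Remove-ADGroupMember -Identity $row.GroupDn -Members $row.UserDn -Confirm:$false
        }
    }
    $plan   # emit the plan so the caller can inspect or pipe it
}

# Dry run with the placeholder DN from the thread: prints "What if:" lines only.
Remove-DisabledUserGroupMembership -SearchBase 'OU=Disabled Users,DC=domain,DC=local' -WhatIf
```

Run it without -WhatIf to apply the removals; the CSV then serves as the record of which memberships each account held.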
