Solved

Removing Disabled Users - Powershell Script

Posted on 2014-04-03
11
310 Views
Last Modified: 2014-05-01
Afternoon,

There is a script I found online that should allow me to look at a particular OU and remove any users from AD Groups that are disabled.

Making minor modifications to the script, it ran without any errors reported in the shell, however there were no users deleted once it ran.

Script
 Get-QADGroup -SearchRoot "OU=Disabled Users,DC=domain,DC=local" | Foreach-Object{
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Remove-QADGroupMember -Identity $group -WhatIf
 }



User is part of two other groups. From what I can see, this script appears accurate.(domain would be our domain name of course)

The groups however have remained there, even with the -WhatIf statement removed.

Thanks!
0
Comment
Question by:victory2201
  • 6
  • 5
11 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39977893
Hello,

Are the groups located in the OU "OU=Disabled Users,DC=domain,DC=local"? The searchroot parameter is for looking for the location of the groups, not the users. If you want to remove the users from any group in your domain, remove the searchroot parameter from your command.

-JJ
0
 

Author Comment

by:victory2201
ID: 39978315
Get-QADGroup  "OU=Disabled Users,DC=domain,DC=local" | Foreach-Object{
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Remove-QADGroupMember -Identity $group -WhatIf
 }


What about the whatif statement? I thought that would have to be removed as well before deletion could occur? (I removed the -searchroot above)
0
 

Author Comment

by:victory2201
ID: 39978324
Yes, they are located in the OU labeled disabled users for testing right now.

The actual OU structure would look like this if applying on a per site basis instead of that OU.

OU=SiteName, OU=Disabled Users, DC=DomainName, DC=local
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39978326
Yes, you also need to remove the whatif statement.

-JJ
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39978337
After the line: $group = $_

Add the line: $group

This will echo back the group and confirm that it is finding the groups you want it to.

-JJ
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:victory2201
ID: 39978372
Ok,

Modified the script as discussed. The result however was still the same.

Thanks.
EX5.png
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39978403
Remove "OU=Disabled Users,DC=domain,DC=local" from your script

Your script should look like this:

Get-QADGroup  | Foreach-Object{
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Remove-QADGroupMember -Identity $group 
 }

Open in new window


-JJ
0
 

Author Comment

by:victory2201
ID: 39978425
OK, question though.

That modification you made above is no longer looking to a particular OU.

Ideally, what I am looking for is being able to filter, per disabled user OU, to remove all current disabled accounts from any groups that they may still be part of.

EX:
Username John Smith, is part of HQGlobal and HQMarketing. We need that script to run on that OU and remove him from those groups, since he is no longer an employee.

I need this to happen for multiple users that are within the OU as well, during the script.


Thanks. : )
0
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 500 total points
ID: 39978556
OK, you need to approach it a bit differently to do what you want. try this script:

$users = Get-QADUser -SearchRoot "OU=Disabled Users,DC=domain,DC=local" 
foreach ($user in $users) {
	Get-QADGroup  | where {Get-QADGroupMember -Identity $_ -Name $user.Name} | % {
		Remove-QADGroupMember -Identity $_ -Member $user
	}
}

Open in new window


-JJ
0
 

Author Comment

by:victory2201
ID: 39978624
Ok, that startled me when the -searchroot command ran inside ISE. >_>

That should show a progress bar as it scans AD and its entirety correct?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39978637
Yes, it will search all of AD for the groups. You may need to add -sizelimit 0 to the get-qadgroup command ig you have a lot of groups. If all your groups are in a single OU, you can add the -searchroot parameter to specify that OU only be searched.

-JJ
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Entering a date in Microsoft Access can be tricky. A typo can cause month and day to be shuffled, entering the day only causes an error, as does entering, say, day 31 in June. This article shows how an inputmask supported by code can help the user a…
Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now