Solved

Remove all AD Groups from all users within an OU using PowerShell No Quest

Posted on 2014-09-26
15
5,068 Views
Last Modified: 2014-09-27
Hey guys

I have an OU in my ADUC called Disabled where I move employees that leave the company. I'd like to have a script that can target that OU and any user inside will have their AD member groups removed except for Domain User.

Basically, I need to accomplish the same thing as requested in the ticket from link below except I do not use Quest. How in the world do I do this, I've searched for hours. Thanks!

http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28029024.html
0
Comment
Question by:ryanmaves
  • 6
  • 4
  • 4
  • +1
15 Comments
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Something like this should work:
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window


I've not tested it but the whatif is there to prevent accidental deletion
0
 

Author Comment

by:ryanmaves
Comment Utility
Okay gave that a try and it's throwing back an error for each user in the group

remove-adgroupmember : Cannot find an object with identity: 'CN=Joe User,OU=OUNAME,DC=DOMAIN,DC=LOCAL'.
At line:3 char:1
+ remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
0
 

Author Comment

by:ryanmaves
Comment Utility
If I only run the first liner to

Get-ADUser -searchbase "OU" -filter *

That will retrieve all the users in that OU. So it's something after the first pipe it seems to not like throwing the results from the get-aduser into the $user variable.

The one liner returns the following info for each user in that OU (I've removed details about each field but these are all the properties (I think they are called) that are returned.

DistinguishedName :
Enabled           : False
GivenName         :
Name              :
ObjectClass       : user
ObjectGUID        :
SamAccountName    :
SID               :
Surname           :
UserPrincipalName
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
We can probably just replace with Samaccountname.
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_.SamAccountName ;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window

0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Also in the original the domain users group was excluded if you need that done I can just pop it in once this is doing what you need.

Give it a go, or I can test when I get back from lunch.
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
Comment Utility
This should work better and exclude Domain Users

$ou = Get-ADUser -SearchBase "OU=Disabled,DC=domain,DC=local" -Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
}

Open in new window

1
 

Author Closing Comment

by:ryanmaves
Comment Utility
hey @becraig thanks for the code I tried your latest suggestion using the SAMaccountname and it was a no go but I bet it is really close to working! Still says it doesn't like the identity. Same error as before. I wonder if it would have worked with the .distinguishedname as Joshua used.

@Joshua
Your code seemed to do the trick!
It was a bit frightening because I added the -WhatIf command at the end and that didn't matter, it still executed it all lol

I got some red showing but that is for the gruops that I do not have permission to remove. The others got removed.

Thanks guys!
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:ryanmaves
Comment Utility
Wait, I thought the code worked now I'm not sure.. the red is throwing me off because I know some of these groups I don't have permission.

But there is one group I'm sure I have permission to remove and it is not removing it?

Why is it saying

remove-adgroupmember : Cannot find an object with identity: 'MemberGroupName' under: 'DC=Domain,DC=Local'

I don't understand this and it seems to be what is the problem. Why is it looking under the domain, local when it is supposed to be looking under the Disabled OU that I specified on the -SearchBase parameter??
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Happy you got it sorted.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Comment Utility
You did change the entire search base string not just the OU= correct?
0
 

Author Comment

by:ryanmaves
Comment Utility
Guys I see what happened here. Okay it worked but it didn't work "completely"

Check this out

It removed any of the AD groups that are within that same "OU tree" within this ADUC structure. However, there are groups that reside in other OU's within the ADUC structure that I have privileges to add/remove for users but these were not removed. Instead an error saying that the identity cannot find an object.

So it didn't remove the AD Groups from the users in my Disabled OU because those groups exist in a different OU folder structure. Is there a fix for that to make it check another OU or something?

I hope I'm making sense.

Does that make sense?
0
 

Author Comment

by:ryanmaves
Comment Utility
The ADUC setup is like so:

>OU1 > Not my Dept > Groups I Use Folder
>OU2
>OU3
>MyOU4 > My Dept > My users > Disabled Users
   MyOU4> My Dept > My Groups > AD Groups
>OU5

So under MyOU4 I have my Disabled Users OU and an OU for my dept only AD Groups

Your command removed any of my dept only AD Groups however any groups I am using in OU1 > Not my Dept > Groups I Use ; do not get removed with the command.
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
I would use this.
Get-ADUser -Filter * -SearchBase "OU=someou,DC=domain,DC=com" -Properties memberOf | ForEach `
{
    Remove-ADPrincipalGroupMembership $_.samaccountname -MemberOf $_.memberOf
}

Open in new window

0
 
LVL 16

Expert Comment

by:Joshua Grantom
Comment Utility
Sorry Ryan,

I couldn't look at the post until now. This may be happening because their primary group membership is one of those groups in >OU1 > Not my Dept > Groups I Use Folder? Can you check to see under the Member of tab? it should say it at the bottom.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Comment Utility
here is a different option. this may work better

$users= get-aduser -Filter * -SearchBase "ou=Disabled,dc=domain,dc=com"
Function RemoveMemberFromGroup
{
param([string]$SAMAccountName) 
$user = Get-ADUser $SAMAccountName -properties memberof
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
}
$users | %{RemoveMemberFromGroup $_.SAMAccountName}

Open in new window

0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
Synchronize a new Active Directory domain with an existing Office 365 tenant
Learn the basics of while and for loops in Python.  while loops are used for testing while, or until, a condition is met: The structure of a while loop is as follows:     while <condition>:         do something         repeate: The break statement m…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now