Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6438
  • Last Modified:

Remove all AD Groups from all users within an OU using PowerShell No Quest

Hey guys

I have an OU in my ADUC called Disabled where I move employees that leave the company. I'd like to have a script that can target that OU and any user inside will have their AD member groups removed except for Domain User.

Basically, I need to accomplish the same thing as requested in the ticket from link below except I do not use Quest. How in the world do I do this, I've searched for hours. Thanks!

http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28029024.html
0
ryanmaves
Asked:
ryanmaves
  • 6
  • 4
  • 4
  • +1
1 Solution
 
becraigCommented:
Something like this should work:
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window


I've not tested it but the whatif is there to prevent accidental deletion
0
 
ryanmavesAuthor Commented:
Okay gave that a try and it's throwing back an error for each user in the group

remove-adgroupmember : Cannot find an object with identity: 'CN=Joe User,OU=OUNAME,DC=DOMAIN,DC=LOCAL'.
At line:3 char:1
+ remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
0
 
ryanmavesAuthor Commented:
If I only run the first liner to

Get-ADUser -searchbase "OU" -filter *

That will retrieve all the users in that OU. So it's something after the first pipe it seems to not like throwing the results from the get-aduser into the $user variable.

The one liner returns the following info for each user in that OU (I've removed details about each field but these are all the properties (I think they are called) that are returned.

DistinguishedName :
Enabled           : False
GivenName         :
Name              :
ObjectClass       : user
ObjectGUID        :
SamAccountName    :
SID               :
Surname           :
UserPrincipalName
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
becraigCommented:
We can probably just replace with Samaccountname.
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_.SamAccountName ;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window

0
 
becraigCommented:
Also in the original the domain users group was excluded if you need that done I can just pop it in once this is doing what you need.

Give it a go, or I can test when I get back from lunch.
0
 
Joshua GrantomSenior EngineerCommented:
This should work better and exclude Domain Users

$ou = Get-ADUser -SearchBase "OU=Disabled,DC=domain,DC=local" -Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
}

Open in new window

1
 
ryanmavesAuthor Commented:
hey @becraig thanks for the code I tried your latest suggestion using the SAMaccountname and it was a no go but I bet it is really close to working! Still says it doesn't like the identity. Same error as before. I wonder if it would have worked with the .distinguishedname as Joshua used.

@Joshua
Your code seemed to do the trick!
It was a bit frightening because I added the -WhatIf command at the end and that didn't matter, it still executed it all lol

I got some red showing but that is for the gruops that I do not have permission to remove. The others got removed.

Thanks guys!
0
 
ryanmavesAuthor Commented:
Wait, I thought the code worked now I'm not sure.. the red is throwing me off because I know some of these groups I don't have permission.

But there is one group I'm sure I have permission to remove and it is not removing it?

Why is it saying

remove-adgroupmember : Cannot find an object with identity: 'MemberGroupName' under: 'DC=Domain,DC=Local'

I don't understand this and it seems to be what is the problem. Why is it looking under the domain, local when it is supposed to be looking under the Disabled OU that I specified on the -SearchBase parameter??
0
 
becraigCommented:
Happy you got it sorted.
0
 
Joshua GrantomSenior EngineerCommented:
You did change the entire search base string not just the OU= correct?
0
 
ryanmavesAuthor Commented:
Guys I see what happened here. Okay it worked but it didn't work "completely"

Check this out

It removed any of the AD groups that are within that same "OU tree" within this ADUC structure. However, there are groups that reside in other OU's within the ADUC structure that I have privileges to add/remove for users but these were not removed. Instead an error saying that the identity cannot find an object.

So it didn't remove the AD Groups from the users in my Disabled OU because those groups exist in a different OU folder structure. Is there a fix for that to make it check another OU or something?

I hope I'm making sense.

Does that make sense?
0
 
ryanmavesAuthor Commented:
The ADUC setup is like so:

>OU1 > Not my Dept > Groups I Use Folder
>OU2
>OU3
>MyOU4 > My Dept > My users > Disabled Users
   MyOU4> My Dept > My Groups > AD Groups
>OU5

So under MyOU4 I have my Disabled Users OU and an OU for my dept only AD Groups

Your command removed any of my dept only AD Groups however any groups I am using in OU1 > Not my Dept > Groups I Use ; do not get removed with the command.
0
 
footechCommented:
I would use this.
Get-ADUser -Filter * -SearchBase "OU=someou,DC=domain,DC=com" -Properties memberOf | ForEach `
{
    Remove-ADPrincipalGroupMembership $_.samaccountname -MemberOf $_.memberOf
}

Open in new window

0
 
Joshua GrantomSenior EngineerCommented:
Sorry Ryan,

I couldn't look at the post until now. This may be happening because their primary group membership is one of those groups in >OU1 > Not my Dept > Groups I Use Folder? Can you check to see under the Member of tab? it should say it at the bottom.
0
 
Joshua GrantomSenior EngineerCommented:
here is a different option. this may work better

$users= get-aduser -Filter * -SearchBase "ou=Disabled,dc=domain,dc=com"
Function RemoveMemberFromGroup
{
param([string]$SAMAccountName) 
$user = Get-ADUser $SAMAccountName -properties memberof
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
}
$users | %{RemoveMemberFromGroup $_.SAMAccountName}

Open in new window

0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 4
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now