Remove all AD Groups from all users within an OU using PowerShell No Quest

Hey guys

I have an OU in my ADUC called Disabled where I move employees that leave the company. I'd like to have a script that can target that OU and any user inside will have their AD member groups removed except for Domain User.

Basically, I need to accomplish the same thing as requested in the ticket from link below except I do not use Quest. How in the world do I do this, I've searched for hours. Thanks!

http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28029024.html
ryanmavesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

becraigCommented:
Something like this should work:
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window


I've not tested it but the whatif is there to prevent accidental deletion
0
ryanmavesAuthor Commented:
Okay gave that a try and it's throwing back an error for each user in the group

remove-adgroupmember : Cannot find an object with identity: 'CN=Joe User,OU=OUNAME,DC=DOMAIN,DC=LOCAL'.
At line:3 char:1
+ remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
0
ryanmavesAuthor Commented:
If I only run the first liner to

Get-ADUser -searchbase "OU" -filter *

That will retrieve all the users in that OU. So it's something after the first pipe it seems to not like throwing the results from the get-aduser into the $user variable.

The one liner returns the following info for each user in that OU (I've removed details about each field but these are all the properties (I think they are called) that are returned.

DistinguishedName :
Enabled           : False
GivenName         :
Name              :
ObjectClass       : user
ObjectGUID        :
SamAccountName    :
SID               :
Surname           :
UserPrincipalName
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

becraigCommented:
We can probably just replace with Samaccountname.
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_.SamAccountName ;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window

0
becraigCommented:
Also in the original the domain users group was excluded if you need that done I can just pop it in once this is doing what you need.

Give it a go, or I can test when I get back from lunch.
0
Joshua GrantomSenior Systems AdministratorCommented:
This should work better and exclude Domain Users

$ou = Get-ADUser -SearchBase "OU=Disabled,DC=domain,DC=local" -Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
}

Open in new window

2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ryanmavesAuthor Commented:
hey @becraig thanks for the code I tried your latest suggestion using the SAMaccountname and it was a no go but I bet it is really close to working! Still says it doesn't like the identity. Same error as before. I wonder if it would have worked with the .distinguishedname as Joshua used.

@Joshua
Your code seemed to do the trick!
It was a bit frightening because I added the -WhatIf command at the end and that didn't matter, it still executed it all lol

I got some red showing but that is for the gruops that I do not have permission to remove. The others got removed.

Thanks guys!
0
ryanmavesAuthor Commented:
Wait, I thought the code worked now I'm not sure.. the red is throwing me off because I know some of these groups I don't have permission.

But there is one group I'm sure I have permission to remove and it is not removing it?

Why is it saying

remove-adgroupmember : Cannot find an object with identity: 'MemberGroupName' under: 'DC=Domain,DC=Local'

I don't understand this and it seems to be what is the problem. Why is it looking under the domain, local when it is supposed to be looking under the Disabled OU that I specified on the -SearchBase parameter??
0
becraigCommented:
Happy you got it sorted.
0
Joshua GrantomSenior Systems AdministratorCommented:
You did change the entire search base string not just the OU= correct?
0
ryanmavesAuthor Commented:
Guys I see what happened here. Okay it worked but it didn't work "completely"

Check this out

It removed any of the AD groups that are within that same "OU tree" within this ADUC structure. However, there are groups that reside in other OU's within the ADUC structure that I have privileges to add/remove for users but these were not removed. Instead an error saying that the identity cannot find an object.

So it didn't remove the AD Groups from the users in my Disabled OU because those groups exist in a different OU folder structure. Is there a fix for that to make it check another OU or something?

I hope I'm making sense.

Does that make sense?
0
ryanmavesAuthor Commented:
The ADUC setup is like so:

>OU1 > Not my Dept > Groups I Use Folder
>OU2
>OU3
>MyOU4 > My Dept > My users > Disabled Users
   MyOU4> My Dept > My Groups > AD Groups
>OU5

So under MyOU4 I have my Disabled Users OU and an OU for my dept only AD Groups

Your command removed any of my dept only AD Groups however any groups I am using in OU1 > Not my Dept > Groups I Use ; do not get removed with the command.
0
footechCommented:
I would use this.
Get-ADUser -Filter * -SearchBase "OU=someou,DC=domain,DC=com" -Properties memberOf | ForEach `
{
    Remove-ADPrincipalGroupMembership $_.samaccountname -MemberOf $_.memberOf
}

Open in new window

0
Joshua GrantomSenior Systems AdministratorCommented:
Sorry Ryan,

I couldn't look at the post until now. This may be happening because their primary group membership is one of those groups in >OU1 > Not my Dept > Groups I Use Folder? Can you check to see under the Member of tab? it should say it at the bottom.
0
Joshua GrantomSenior Systems AdministratorCommented:
here is a different option. this may work better

$users= get-aduser -Filter * -SearchBase "ou=Disabled,dc=domain,dc=com"
Function RemoveMemberFromGroup
{
param([string]$SAMAccountName) 
$user = Get-ADUser $SAMAccountName -properties memberof
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
}
$users | %{RemoveMemberFromGroup $_.SAMAccountName}

Open in new window

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.