Solved

Remove all AD Groups from all users within an OU using PowerShell No Quest

Posted on 2014-09-26
15
5,508 Views
Last Modified: 2014-09-27
Hey guys

I have an OU in my ADUC called Disabled where I move employees that leave the company. I'd like to have a script that can target that OU and any user inside will have their AD member groups removed except for Domain User.

Basically, I need to accomplish the same thing as requested in the ticket from link below except I do not use Quest. How in the world do I do this, I've searched for hours. Thanks!

http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28029024.html
0
Comment
Question by:ryanmaves
  • 6
  • 4
  • 4
  • +1
15 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40346834
Something like this should work:
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window


I've not tested it but the whatif is there to prevent accidental deletion
0
 

Author Comment

by:ryanmaves
ID: 40346846
Okay gave that a try and it's throwing back an error for each user in the group

remove-adgroupmember : Cannot find an object with identity: 'CN=Joe User,OU=OUNAME,DC=DOMAIN,DC=LOCAL'.
At line:3 char:1
+ remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
0
 

Author Comment

by:ryanmaves
ID: 40346851
If I only run the first liner to

Get-ADUser -searchbase "OU" -filter *

That will retrieve all the users in that OU. So it's something after the first pipe it seems to not like throwing the results from the get-aduser into the $user variable.

The one liner returns the following info for each user in that OU (I've removed details about each field but these are all the properties (I think they are called) that are returned.

DistinguishedName :
Enabled           : False
GivenName         :
Name              :
ObjectClass       : user
ObjectGUID        :
SamAccountName    :
SID               :
Surname           :
UserPrincipalName
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 29

Expert Comment

by:becraig
ID: 40346868
We can probably just replace with Samaccountname.
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_.SamAccountName ;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window

0
 
LVL 29

Expert Comment

by:becraig
ID: 40346870
Also in the original the domain users group was excluded if you need that done I can just pop it in once this is doing what you need.

Give it a go, or I can test when I get back from lunch.
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
ID: 40346871
This should work better and exclude Domain Users

$ou = Get-ADUser -SearchBase "OU=Disabled,DC=domain,DC=local" -Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
}

Open in new window

1
 

Author Closing Comment

by:ryanmaves
ID: 40346897
hey @becraig thanks for the code I tried your latest suggestion using the SAMaccountname and it was a no go but I bet it is really close to working! Still says it doesn't like the identity. Same error as before. I wonder if it would have worked with the .distinguishedname as Joshua used.

@Joshua
Your code seemed to do the trick!
It was a bit frightening because I added the -WhatIf command at the end and that didn't matter, it still executed it all lol

I got some red showing but that is for the gruops that I do not have permission to remove. The others got removed.

Thanks guys!
0
 

Author Comment

by:ryanmaves
ID: 40346909
Wait, I thought the code worked now I'm not sure.. the red is throwing me off because I know some of these groups I don't have permission.

But there is one group I'm sure I have permission to remove and it is not removing it?

Why is it saying

remove-adgroupmember : Cannot find an object with identity: 'MemberGroupName' under: 'DC=Domain,DC=Local'

I don't understand this and it seems to be what is the problem. Why is it looking under the domain, local when it is supposed to be looking under the Disabled OU that I specified on the -SearchBase parameter??
0
 
LVL 29

Expert Comment

by:becraig
ID: 40346910
Happy you got it sorted.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40346915
You did change the entire search base string not just the OU= correct?
0
 

Author Comment

by:ryanmaves
ID: 40346917
Guys I see what happened here. Okay it worked but it didn't work "completely"

Check this out

It removed any of the AD groups that are within that same "OU tree" within this ADUC structure. However, there are groups that reside in other OU's within the ADUC structure that I have privileges to add/remove for users but these were not removed. Instead an error saying that the identity cannot find an object.

So it didn't remove the AD Groups from the users in my Disabled OU because those groups exist in a different OU folder structure. Is there a fix for that to make it check another OU or something?

I hope I'm making sense.

Does that make sense?
0
 

Author Comment

by:ryanmaves
ID: 40346925
The ADUC setup is like so:

>OU1 > Not my Dept > Groups I Use Folder
>OU2
>OU3
>MyOU4 > My Dept > My users > Disabled Users
   MyOU4> My Dept > My Groups > AD Groups
>OU5

So under MyOU4 I have my Disabled Users OU and an OU for my dept only AD Groups

Your command removed any of my dept only AD Groups however any groups I am using in OU1 > Not my Dept > Groups I Use ; do not get removed with the command.
0
 
LVL 39

Expert Comment

by:footech
ID: 40346963
I would use this.
Get-ADUser -Filter * -SearchBase "OU=someou,DC=domain,DC=com" -Properties memberOf | ForEach `
{
    Remove-ADPrincipalGroupMembership $_.samaccountname -MemberOf $_.memberOf
}

Open in new window

0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40347802
Sorry Ryan,

I couldn't look at the post until now. This may be happening because their primary group membership is one of those groups in >OU1 > Not my Dept > Groups I Use Folder? Can you check to see under the Member of tab? it should say it at the bottom.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40347819
here is a different option. this may work better

$users= get-aduser -Filter * -SearchBase "ou=Disabled,dc=domain,dc=com"
Function RemoveMemberFromGroup
{
param([string]$SAMAccountName) 
$user = Get-ADUser $SAMAccountName -properties memberof
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
}
$users | %{RemoveMemberFromGroup $_.SAMAccountName}

Open in new window

0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
The viewer will learn how to count occurrences of each item in an array.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question