Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Remove all AD Groups from all users within an OU using PowerShell No Quest

Posted on 2014-09-26
15
Medium Priority
?
6,264 Views
Last Modified: 2014-09-27
Hey guys

I have an OU in my ADUC called Disabled where I move employees that leave the company. I'd like to have a script that can target that OU and any user inside will have their AD member groups removed except for Domain User.

Basically, I need to accomplish the same thing as requested in the ticket from link below except I do not use Quest. How in the world do I do this, I've searched for hours. Thanks!

http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28029024.html
0
Comment
Question by:ryanmaves
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 4
  • +1
15 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40346834
Something like this should work:
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window


I've not tested it but the whatif is there to prevent accidental deletion
0
 

Author Comment

by:ryanmaves
ID: 40346846
Okay gave that a try and it's throwing back an error for each user in the group

remove-adgroupmember : Cannot find an object with identity: 'CN=Joe User,OU=OUNAME,DC=DOMAIN,DC=LOCAL'.
At line:3 char:1
+ remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
0
 

Author Comment

by:ryanmaves
ID: 40346851
If I only run the first liner to

Get-ADUser -searchbase "OU" -filter *

That will retrieve all the users in that OU. So it's something after the first pipe it seems to not like throwing the results from the get-aduser into the $user variable.

The one liner returns the following info for each user in that OU (I've removed details about each field but these are all the properties (I think they are called) that are returned.

DistinguishedName :
Enabled           : False
GivenName         :
Name              :
ObjectClass       : user
ObjectGUID        :
SamAccountName    :
SID               :
Surname           :
UserPrincipalName
0
Stressed Out?

Watch some penguins on the livecam!

 
LVL 29

Expert Comment

by:becraig
ID: 40346868
We can probably just replace with Samaccountname.
Get-ADUser -SearchBase "OU=OUNAME,DC=DOMAIN,DC=LOCAL" -Filter * | %  {
$user = $_.SamAccountName ;(get-aduser -identity $user -Properties MemberOf) |  % {
remove-adgroupmember -Identity $_ -Member $user -WhatIf    } }

Open in new window

0
 
LVL 29

Expert Comment

by:becraig
ID: 40346870
Also in the original the domain users group was excluded if you need that done I can just pop it in once this is doing what you need.

Give it a go, or I can test when I get back from lunch.
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 2000 total points
ID: 40346871
This should work better and exclude Domain Users

$ou = Get-ADUser -SearchBase "OU=Disabled,DC=domain,DC=local" -Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
}

Open in new window

1
 

Author Closing Comment

by:ryanmaves
ID: 40346897
hey @becraig thanks for the code I tried your latest suggestion using the SAMaccountname and it was a no go but I bet it is really close to working! Still says it doesn't like the identity. Same error as before. I wonder if it would have worked with the .distinguishedname as Joshua used.

@Joshua
Your code seemed to do the trick!
It was a bit frightening because I added the -WhatIf command at the end and that didn't matter, it still executed it all lol

I got some red showing but that is for the gruops that I do not have permission to remove. The others got removed.

Thanks guys!
0
 

Author Comment

by:ryanmaves
ID: 40346909
Wait, I thought the code worked now I'm not sure.. the red is throwing me off because I know some of these groups I don't have permission.

But there is one group I'm sure I have permission to remove and it is not removing it?

Why is it saying

remove-adgroupmember : Cannot find an object with identity: 'MemberGroupName' under: 'DC=Domain,DC=Local'

I don't understand this and it seems to be what is the problem. Why is it looking under the domain, local when it is supposed to be looking under the Disabled OU that I specified on the -SearchBase parameter??
0
 
LVL 29

Expert Comment

by:becraig
ID: 40346910
Happy you got it sorted.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40346915
You did change the entire search base string not just the OU= correct?
0
 

Author Comment

by:ryanmaves
ID: 40346917
Guys I see what happened here. Okay it worked but it didn't work "completely"

Check this out

It removed any of the AD groups that are within that same "OU tree" within this ADUC structure. However, there are groups that reside in other OU's within the ADUC structure that I have privileges to add/remove for users but these were not removed. Instead an error saying that the identity cannot find an object.

So it didn't remove the AD Groups from the users in my Disabled OU because those groups exist in a different OU folder structure. Is there a fix for that to make it check another OU or something?

I hope I'm making sense.

Does that make sense?
0
 

Author Comment

by:ryanmaves
ID: 40346925
The ADUC setup is like so:

>OU1 > Not my Dept > Groups I Use Folder
>OU2
>OU3
>MyOU4 > My Dept > My users > Disabled Users
   MyOU4> My Dept > My Groups > AD Groups
>OU5

So under MyOU4 I have my Disabled Users OU and an OU for my dept only AD Groups

Your command removed any of my dept only AD Groups however any groups I am using in OU1 > Not my Dept > Groups I Use ; do not get removed with the command.
0
 
LVL 41

Expert Comment

by:footech
ID: 40346963
I would use this.
Get-ADUser -Filter * -SearchBase "OU=someou,DC=domain,DC=com" -Properties memberOf | ForEach `
{
    Remove-ADPrincipalGroupMembership $_.samaccountname -MemberOf $_.memberOf
}

Open in new window

0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40347802
Sorry Ryan,

I couldn't look at the post until now. This may be happening because their primary group membership is one of those groups in >OU1 > Not my Dept > Groups I Use Folder? Can you check to see under the Member of tab? it should say it at the bottom.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40347819
here is a different option. this may work better

$users= get-aduser -Filter * -SearchBase "ou=Disabled,dc=domain,dc=com"
Function RemoveMemberFromGroup
{
param([string]$SAMAccountName) 
$user = Get-ADUser $SAMAccountName -properties memberof
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
}
$users | %{RemoveMemberFromGroup $_.SAMAccountName}

Open in new window

0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question