Solved

Why isn't my script utilizng Remove-QADPermission not removing AD groups?

Posted on 2014-12-03
5
191 Views
Last Modified: 2015-01-09
By no means, am I an expert in scripting.  
Below is a script that attempts to remove Security Groups utilizing the Remove-QADPermission in a Windows 2008 domain.  However, this script runs but does not remove the actual AD Security group in ADUC.  Is the content of the script correct?  If so, could there be a DENY permission that is prohibiting the removal of these groups?   Any help would be appreciated!!

Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)

{

Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
       
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
   
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
     
}

foreach ($disou in $ous2)

{

Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
0
Comment
Question by:ITLady45
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40479970
remove-adgroup groupname
0
 

Author Comment

by:ITLady45
ID: 40480354
Are you indicating to remove-qadpermissions and replace with remove-adgroup "XXX" where XXX is the AD security group?  Or append remove-adgroup groupname to the end of each line to remove?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40506508
Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)
{
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
        
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
      
}

foreach ($disou in $ous2)
{
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission

Open in new window

moved code to code block
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40507358
With that complexity, you'll (probably) have to troubleshoot on your own, by testing parts one after another.
I would start with the Get-ADOrganizationalUnit calls - are they returning anything if entered on their own? If so, test each Get-QADPermission for results if feeded in with a valid OU.
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Windows 10 came with  a lot of built in applications, Some organisations leave them there, some will control them using GPO's. This Article is useful for those who do not want to have any applications in their image (example:me).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question