Solved

Why isn't my script utilizng Remove-QADPermission not removing AD groups?

Posted on 2014-12-03
5
193 Views
Last Modified: 2015-01-09
By no means, am I an expert in scripting.  
Below is a script that attempts to remove Security Groups utilizing the Remove-QADPermission in a Windows 2008 domain.  However, this script runs but does not remove the actual AD Security group in ADUC.  Is the content of the script correct?  If so, could there be a DENY permission that is prohibiting the removal of these groups?   Any help would be appreciated!!

Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)

{

Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
       
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
   
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
     
}

foreach ($disou in $ous2)

{

Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
0
Comment
Question by:ITLady45
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40479970
remove-adgroup groupname
0
 

Author Comment

by:ITLady45
ID: 40480354
Are you indicating to remove-qadpermissions and replace with remove-adgroup "XXX" where XXX is the AD security group?  Or append remove-adgroup groupname to the end of each line to remove?
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40506508
Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)
{
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
        
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
      
}

foreach ($disou in $ous2)
{
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission

Open in new window

moved code to code block
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40507358
With that complexity, you'll (probably) have to troubleshoot on your own, by testing parts one after another.
I would start with the Get-ADOrganizationalUnit calls - are they returning anything if entered on their own? If so, test each Get-QADPermission for results if feeded in with a valid OU.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question