Solved

Why isn't my script utilizng Remove-QADPermission not removing AD groups?

Posted on 2014-12-03
5
178 Views
Last Modified: 2015-01-09
By no means, am I an expert in scripting.  
Below is a script that attempts to remove Security Groups utilizing the Remove-QADPermission in a Windows 2008 domain.  However, this script runs but does not remove the actual AD Security group in ADUC.  Is the content of the script correct?  If so, could there be a DENY permission that is prohibiting the removal of these groups?   Any help would be appreciated!!

Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)

{

Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
       
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
   
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
     
}

foreach ($disou in $ous2)

{

Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
0
Comment
Question by:ITLady45
  • 2
5 Comments
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40479970
remove-adgroup groupname
0
 

Author Comment

by:ITLady45
ID: 40480354
Are you indicating to remove-qadpermissions and replace with remove-adgroup "XXX" where XXX is the AD security group?  Or append remove-adgroup groupname to the end of each line to remove?
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40506508
Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)
{
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
        
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
      
}

foreach ($disou in $ous2)
{
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission

Open in new window

moved code to code block
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40507358
With that complexity, you'll (probably) have to troubleshoot on your own, by testing parts one after another.
I would start with the Get-ADOrganizationalUnit calls - are they returning anything if entered on their own? If so, test each Get-QADPermission for results if feeded in with a valid OU.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now