Solved

Why isn't my script utilizing Remove-QADPermission not removing AD groups?

Posted on 2014-12-03
Last Modified: 2015-01-09
By no means, am I an expert in scripting.  
Below is a script that attempts to remove Security Groups utilizing the Remove-QADPermission in a Windows 2008 domain.  However, this script runs but does not remove the actual AD Security group in ADUC.  Is the content of the script correct?  If so, could there be a DENY permission that is prohibiting the removal of these groups?   Any help would be appreciated!!

Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)

{

Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
       
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
   
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
     
}

foreach ($disou in $ous2)

{

Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission

}
Question by:ITLady45
5 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40479970
remove-adgroup groupname
0
 

Author Comment

by:ITLady45
ID: 40480354
Are you indicating to remove-qadpermissions and replace with remove-adgroup "XXX" where XXX is the AD security group?  Or append remove-adgroup groupname to the end of each line to remove?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40506508
Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)
{
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
        
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
      
}

foreach ($disou in $ous2)
{
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
}

moved code to code block
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 1500 total points
ID: 40507358
With that complexity, you'll (probably) have to troubleshoot on your own, by testing parts one after another.
I would start with the Get-ADOrganizationalUnit calls - are they returning anything if entered on their own? If so, test each Get-QADPermission for results if fed in with a valid OU.
0
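
The stage-by-stage check suggested in the accepted answer, as an added read-only example (not code from the thread): it uses only the ActiveDirectory module's Get-ADOrganizationalUnit and Get-Acl on the AD: drive, with the OU filters and delegate account names taken from the question's script. It lists the access control entries those accounts hold on each OU, including whether each one is Allow or Deny and whether it is inherited; nothing is removed.

```powershell
Import-Module ActiveDirectory   # Get-ADOrganizationalUnit and the AD: drive

# Delegate accounts named in the question's script.
$accounts = @(
    'ADDelegate_GroupsCreate_Security', 'ADDelegate_GroupsModify_Security',
    'ADDelegate_GroupsCreate_Distribution', 'ADDelegate_GroupsModify_Distribution',
    'ADDelegate_GroupsModifyMembership', 'ADDelegate_AttribUsersManagerModify'
)

# Stage 1: do the OU filters return anything on their own?
$ous = @(Get-ADOrganizationalUnit -Filter * | Where-Object {
    $_.DistinguishedName -like '*security_*' -or
    $_.DistinguishedName -like '*distribution_*'
})
Write-Host "OUs matched by the filters: $($ous.Count)"

# Stage 2: read each OU's ACL and keep only the ACEs held by the delegate accounts.
# IdentityReference looks like DOMAIN\name, so compare on the part after the backslash.
$report = foreach ($ou in $ous) {
    $dn = $ou.DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $accounts -contains ($_.IdentityReference.Value -split '\\')[-1] } |
        Select-Object @{ Name = 'OU'; Expression = { $dn } },
            IdentityReference, AccessControlType, IsInherited,
            ActiveDirectoryRights, ObjectType, InheritedObjectType
}
Write-Host "ACEs held by the delegate accounts: $(@($report).Count)"

# ObjectType is the GUID of the property or child class the right applies to;
# InheritedObjectType is the GUID of the object class that inherits the ACE.
$report | Sort-Object OU | Format-Table -AutoSize -Wrap

# Stage 3: entries that change what a removal on the OU can achieve.
# Deny entries answer the "could there be a DENY permission" part of the question;
# inherited entries are defined on a parent container and must be removed there.
$report |
    Where-Object { $_.AccessControlType -eq 'Deny' -or $_.IsInherited } |
    Format-Table OU, IdentityReference, AccessControlType, IsInherited -AutoSize

# OUs where the accounts hold no ACE at all: nothing exists there to remove.
$withAce = @($report | ForEach-Object { $_.OU } | Select-Object -Unique)
$ous | Where-Object { $withAce -notcontains $_.DistinguishedName } |
    Select-Object -ExpandProperty DistinguishedName
```

These entries are permissions on the OUs. The group objects themselves are separate directory objects and are not listed or changed by this check.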
