Solved

Why isn't my script utilizng Remove-QADPermission not removing AD groups?

Posted on 2014-12-03
5
204 Views
Last Modified: 2015-01-09
By no means, am I an expert in scripting.  
Below is a script that attempts to remove Security Groups utilizing the Remove-QADPermission in a Windows 2008 domain.  However, this script runs but does not remove the actual AD Security group in ADUC.  Is the content of the script correct?  If so, could there be a DENY permission that is prohibiting the removal of these groups?   Any help would be appreciated!!

Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)

{

Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
       
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
   
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
     
}

foreach ($disou in $ous2)

{

Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
   
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
0
Comment
Question by:ITLady45
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40479970
remove-adgroup groupname
0
 

Author Comment

by:ITLady45
ID: 40480354
Are you indicating to remove-qadpermissions and replace with remove-adgroup "XXX" where XXX is the AD security group?  Or append remove-adgroup groupname to the end of each line to remove?
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40506508
Import-Module ActiveDirectory
Add-PSSnapin quest.activeroles.admanagement

$ous = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*security_*")}
$ous2 = Get-ADOrganizationalUnit -filter * |? {($_.DistinguishedName -like "*distribution_*")}

foreach ($ou in $ous)
{
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group'-SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Security' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' -SchemaDefault | Remove-QADPermission
        
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModify_Security' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault| Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault |Remove-QADPermission
#Get-QADPermission -Identity $ou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
      
}

foreach ($disou in $ous2)
{
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild, ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsCreate_Distribution' -Rights 'CreateChild' -ApplyTo 'All' -ChildType 'Group' - SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'groupType' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'managedBy' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'info' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'WriteProperty' -Property 'description' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModify_Distribution' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_AttribUsersManagerModify' -Rights 'ReadProperty, WriteProperty' -Property 'manager' -ApplyTo 'ChildObjects' -ApplyToType 'User' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'WriteProperty' -Property 'member' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission
Get-QADPermission -Identity $disou.DistinguishedName -Account 'ADDelegate_GroupsModifyMembership' -Rights 'ListChildren, ReadProperty' -ApplyTo 'ChildObjects' -ApplyToType 'Group' -SchemaDefault | Remove-QADPermission

Open in new window

moved code to code block
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40507358
With that complexity, you'll (probably) have to troubleshoot on your own, by testing parts one after another.
I would start with the Get-ADOrganizationalUnit calls - are they returning anything if entered on their own? If so, test each Get-QADPermission for results if feeded in with a valid OU.
0

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question