Solved

Remove memberships and permissions from User objects in Active Directory.

Posted on 2015-02-10
Last Modified: 2015-02-13
Is it possible in Active Directory, when moving a user object to an organizational unit folder (e.g. Disabled Users), that any distribution or security groups can automatically be removed from the user object?
Question by:Domenic DiPasquale

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40601423
To the best of my knowledge this cannot be done automatically. Typically what you would want to do is create a PowerShell script that removes groups from all users in a specific OU. You would then create a scheduled task to initiate the script itself, which could then be run weekly, daily, hourly, etc.

If you need assistance with the PowerShell side, I can assist.

Will.
 

Author Comment

by:Domenic DiPasquale
ID: 40605509
Thanks, I'm in the process of looking at a few PS script samples in a test environment that will allow me to remove groups from user objects located in a specific OU folder.
 

Author Comment

by:Domenic DiPasquale
ID: 40607984
I found a PS sample that looks like it will do what I need. I've made the changes I needed:
Import-Module activedirectory
$ou = Get‐ADUser ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get‐ADGroup ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
if ($_.name -ne "Domain Users") {remove‐adgroupmember ‐identity $_.name ‐member $UserDN ‐Confirm:$False} }
}

When I run the script, I receive the following error:
The term 'Get‐ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:2 char:17
+ $ou = Get‐ADUser <<<<  ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
    + CategoryInfo          : ObjectNotFound: (Get‐ADUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
The term 'Get‐ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:5 char:12
+ Get‐ADGroup <<<<  ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
    + CategoryInfo          : ObjectNotFound: (Get‐ADGroup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

OS: Windows Server 2008 R2
PowerShell Version: 2.0
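
The error text matches the dashes in the script as it appears on this page: `Get‐ADUser`, `‐SearchBase` and the other cmdlet and parameter names are written with U+2010 (HYPHEN), which PowerShell does not treat as the ASCII hyphen-minus, while `Import-Module` and `-ne` use the ASCII character and raise no error. The script below is an added example, not code from this thread or its participants; it assumes the ActiveDirectory module is installed, and the `Find-UnicodeDash` helper and `$LogPath` default are hypothetical names introduced here.

```powershell
# Added example, not the thread's code. Every dash below is ASCII hyphen-minus (U+002D).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Disabled Users,DC=csquaredlab,DC=loc',  # OU from the post
    [string]$LogPath    = '.\removed-memberships.csv'                 # assumed audit-log path
)

# Hypothetical helper: list every Unicode dash (category Pd) other than U+002D in a file.
function Find-UnicodeDash {
    param([string]$Path)
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, '[\p{Pd}-[\-]]')) {
            New-Object PSObject -Property @{
                Line      = $lineNo
                Column    = $m.Index + 1
                CodePoint = 'U+{0:X4}' -f [int][char]$m.Value
            }
        }
    }
}

# Stop before any directory change if this file picked up typographic dashes when copied.
$bad = @(Find-UnicodeDash -Path $MyInvocation.MyCommand.Path)
if ($bad.Count -gt 0) {
    $bad | ForEach-Object {
        Write-Warning ('line {0}, column {1}: {2}' -f $_.Line, $_.Column, $_.CodePoint)
    }
    throw 'Non-ASCII dash characters found; retype them as "-" and run again.'
}

Import-Module ActiveDirectory

$removed = @()
foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter * -Properties MemberOf) {
    # MemberOf omits the primary group (normally Domain Users), so that one is never touched.
    foreach ($groupDN in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($groupDN, "remove member $($user.SamAccountName)")) {
            Remove-ADGroupMember -Identity $groupDN -Members $user -Confirm:$false
            $removed += New-Object PSObject -Property @{
                When = (Get-Date -Format s); User = $user.DistinguishedName; Group = $groupDN
            }
        }
    }
}
# Keep a record of what was stripped so memberships can be restored if an account is re-enabled.
if ($removed.Count -gt 0) { $removed | Export-Csv -Path $LogPath -NoTypeInformation }
```

Save it as a `.ps1` file and run it with `-WhatIf` first to list the removals without making them.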