Solved

Remove memberships and permissions from User objects in active directory.

Posted on 2015-02-10
3
48 Views
Last Modified: 2015-02-13
Is it possible in active directory when moving a user object to an organizational unit folder (Ex: Disabled Users), that any distribution or security groups can automatically be removed from the user object?
0
Comment
Question by:Domenic DiPasquale
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40601423
To the best of my knowledge this cannot be done automatically. Typically what you would want to do is create a powershell script that removes Groups from all users in a specific OU. You would then create a scheduled task to initiate the script itself which could then be run weekly,daily,hourly etc.

If you need assistance with the powershell side i can assist.

Will.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40605509
Thanks, I'm in the process of looking at a few PS script samples in a test environment that will allow me to remove groups from user objects located in a specific OU folder.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40607984
I found a PS sample that looks like it will do what I need. I've made the changes I needed:
Import-Module activedirectory
$ou = Get‐ADUser ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get‐ADGroup ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
if ($_.name -ne "Domain Users") {remove‐adgroupmember ‐identity $_.name ‐member $UserDN ‐Confirm:$False} }
}

When I run the script, I receive the following error:
The term 'Get‐ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:2 char:17
+ $ou = Get‐ADUser <<<<  ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
    + CategoryInfo          : ObjectNotFound: (Get‐ADUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
The term 'Get‐ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:5 char:12
+ Get‐ADGroup <<<<  ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
    + CategoryInfo          : ObjectNotFound: (Get‐ADGroup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

OS: Windows Server 2008 R2
Power Shell Version: 2.0
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question