Remove memberships and permissions from User objects in active directory.

Is it possible in active directory when moving a user object to an organizational unit folder (Ex: Disabled Users), that any distribution or security groups can automatically be removed from the user object?
Domenic DiPasqualeSystem / Network AdministratorAsked:
Who is Participating?
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
To the best of my knowledge this cannot be done automatically. Typically what you would want to do is create a powershell script that removes Groups from all users in a specific OU. You would then create a scheduled task to initiate the script itself which could then be run weekly,daily,hourly etc.

If you need assistance with the powershell side i can assist.

Will.
0
 
Domenic DiPasqualeSystem / Network AdministratorAuthor Commented:
Thanks, I'm in the process of looking at a few PS script samples in a test environment that will allow me to remove groups from user objects located in a specific OU folder.
0
 
Domenic DiPasqualeSystem / Network AdministratorAuthor Commented:
I found a PS sample that looks like it will do what I need. I've made the changes I needed:
Import-Module activedirectory
$ou = Get‐ADUser ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get‐ADGroup ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
if ($_.name -ne "Domain Users") {remove‐adgroupmember ‐identity $_.name ‐member $UserDN ‐Confirm:$False} }
}

When I run the script, I receive the following error:
The term 'Get‐ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:2 char:17
+ $ou = Get‐ADUser <<<<  ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
    + CategoryInfo          : ObjectNotFound: (Get‐ADUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
The term 'Get‐ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:5 char:12
+ Get‐ADGroup <<<<  ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
    + CategoryInfo          : ObjectNotFound: (Get‐ADGroup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

OS: Windows Server 2008 R2
Power Shell Version: 2.0
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.