?
Solved

Remove memberships and permissions from User objects in active directory.

Posted on 2015-02-10
3
Medium Priority
?
50 Views
Last Modified: 2015-02-13
Is it possible in active directory when moving a user object to an organizational unit folder (Ex: Disabled Users), that any distribution or security groups can automatically be removed from the user object?
0
Comment
Question by:Domenic DiPasquale
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40601423
To the best of my knowledge this cannot be done automatically. Typically what you would want to do is create a powershell script that removes Groups from all users in a specific OU. You would then create a scheduled task to initiate the script itself which could then be run weekly,daily,hourly etc.

If you need assistance with the powershell side i can assist.

Will.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40605509
Thanks, I'm in the process of looking at a few PS script samples in a test environment that will allow me to remove groups from user objects located in a specific OU folder.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40607984
I found a PS sample that looks like it will do what I need. I've made the changes I needed:
Import-Module activedirectory
$ou = Get‐ADUser ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
foreach ($user in $ou) {
$UserDN = $user.DistinguishedName
Get‐ADGroup ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
if ($_.name -ne "Domain Users") {remove‐adgroupmember ‐identity $_.name ‐member $UserDN ‐Confirm:$False} }
}

When I run the script, I receive the following error:
The term 'Get‐ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:2 char:17
+ $ou = Get‐ADUser <<<<  ‐SearchBase "OU=Disabled Users,DC=csquaredlab,DC=loc" ‐Filter *
    + CategoryInfo          : ObjectNotFound: (Get‐ADUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
The term 'Get‐ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\Administrator\Desktop\User Object Cleanup.ps1:5 char:12
+ Get‐ADGroup <<<<  ‐LDAPFilter "(member=$UserDN)" | foreach‐object {
    + CategoryInfo          : ObjectNotFound: (Get‐ADGroup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

OS: Windows Server 2008 R2
Power Shell Version: 2.0
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month14 days, 12 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question