Solved

Group Memberships of Users in Specific OU

Posted on 2015-02-23
20
73 Views
Last Modified: 2015-07-01
Hi I am writing a script and have completed a majority of it Im new to Powershell and am using Quest the issue i am experiencing is that i cannot figure out how to get the list of users group Memberships before the users are removed from their respective groups can you assist?

 $Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to OU= , OU=, DC=, DC=
}
0
Comment
Question by:JT3865
  • 8
  • 7
  • 3
  • +1
20 Comments
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
Same basic code as the last question regarding group memberships from a specific group of users. please see code below for searching the ou structure via get-aduser. http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/30/powertip-single-line-powershell-command-to-list-all-users-in-an-ou.aspx

$users = get-aduser -filter * -SearchBase "ou=TestOU,ou=TestOU,dc=Domain,dc=com" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv}

Open in new window

0
 

Author Comment

by:JT3865
Comment Utility
Having an issue with  "$users = get-aduser -filter * -SearchBase "ou=Marked_for_Deletion,ou=Disabled_Users,dc=bhb,dc=bm"

Throws an get-aduser  : Directory object not found message
0
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
This would be the OU structure that you want to build, is there an OU called "Marked_for_Deletion"?
0
 

Author Comment

by:JT3865
Comment Utility
Yes
0
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
if you run the command below do you find the one you are looking for?

Get-ADOrganizationalUnit -filter * | select DistinguishedName

Open in new window

0
 

Author Comment

by:JT3865
Comment Utility
Yes I had them misplaced however, it is now saying that the string is missing a Terminator
0
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
Can you post the actual error?
0
 

Author Comment

by:JT3865
Comment Utility
Sure- PS C:\Users\adjustin.\Desktop> $users = get-aduser -filter * -SearchBase ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\Users\adjustin.\desktop\$user-Groups.csv}
}
The string is missing the terminator: ".
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
0
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
can you check the file path does the "adjustin" folder actually have a .? c:\Users\adjustin.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
You are missing the " quotes on the beginning of the ou=Disabled. It should be like below...

$users = get-aduser -filter * -SearchBase "ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

Will.
0
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
Good Catch Will, I glazed right over that once I saw the . in the file path!
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
Comment Utility
@Rich - Thanks!

I just answered another open question that references exactly what you are trying to do but I am using the native built-in cmdlets using the active directory module. This should work for you.

Remove Groups Based on Active Directory OU
Import-Module activedirectory
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
Comment Utility
Thanks Rich!
0
 

Author Comment

by:JT3865
Comment Utility
Question...I've written this script in Quest powershell

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to /Marked_for_Deletion/Disabled_Users
}

I need to combine the previous powershell script to get all the users group memberships into a csv and then remove them and disable the user will it work like that or will i need to rewrite?
0
 
LVL 4

Expert Comment

by:Rich Leclair
Comment Utility
if the rest of the script works then maybe try just adding the get-adprincipalgroupmembership into the above script.

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
   Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv
   Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
   Start-Sleep -s 5
   Move-QADObject -identity $_ -to bhb.bm/Marked_for_Deletion/Disabled_Users
 }

Open in new window

0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
Why do you require this using Quest cmdlets?

The difficult part I have already provided an answer for remove the security group memberships to all of the users in the OU. If you want to disable them after the group memberships have been removed just use the below script.

Import-Module activedirectory
$ADusers = Get-ADUser -Filter * -SearchBase "ou=testou,dc=domain,dc=com"
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

ForEach ($Account in $ADUsers) {
Set-ADuser -Identity $Account -Enabled $false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
Comment Utility
Will,

I doesn't really matter unfortunately i've only been learning with Quest and wasn't sure the trade over for Quest to Standard Powershell but i appreciate the help nonetheless.
0
 

Author Comment

by:JT3865
Comment Utility
Thanks Guys!
0
 
LVL 34

Expert Comment

by:Seth Simmons
Comment Utility
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now