Solved

Group Memberships of Users in Specific OU

Posted on 2015-02-23
20
86 Views
Last Modified: 2015-07-01
Hi I am writing a script and have completed a majority of it Im new to Powershell and am using Quest the issue i am experiencing is that i cannot figure out how to get the list of users group Memberships before the users are removed from their respective groups can you assist?

 $Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to OU= , OU=, DC=, DC=
}
0
Comment
Question by:JT3865
  • 8
  • 7
  • 3
  • +1
20 Comments
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626061
Same basic code as the last question regarding group memberships from a specific group of users. please see code below for searching the ou structure via get-aduser. http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/30/powertip-single-line-powershell-command-to-list-all-users-in-an-ou.aspx

$users = get-aduser -filter * -SearchBase "ou=TestOU,ou=TestOU,dc=Domain,dc=com" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv}

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626304
Having an issue with  "$users = get-aduser -filter * -SearchBase "ou=Marked_for_Deletion,ou=Disabled_Users,dc=bhb,dc=bm"

Throws an get-aduser  : Directory object not found message
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626310
This would be the OU structure that you want to build, is there an OU called "Marked_for_Deletion"?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:JT3865
ID: 40626315
Yes
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626325
if you run the command below do you find the one you are looking for?

Get-ADOrganizationalUnit -filter * | select DistinguishedName

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626334
Yes I had them misplaced however, it is now saying that the string is missing a Terminator
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626335
Can you post the actual error?
0
 

Author Comment

by:JT3865
ID: 40626339
Sure- PS C:\Users\adjustin.\Desktop> $users = get-aduser -filter * -SearchBase ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\Users\adjustin.\desktop\$user-Groups.csv}
}
The string is missing the terminator: ".
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626344
can you check the file path does the "adjustin" folder actually have a .? c:\Users\adjustin.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626353
You are missing the " quotes on the beginning of the ou=Disabled. It should be like below...

$users = get-aduser -filter * -SearchBase "ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

Will.
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626363
Good Catch Will, I glazed right over that once I saw the . in the file path!
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626441
@Rich - Thanks!

I just answered another open question that references exactly what you are trying to do but I am using the native built-in cmdlets using the active directory module. This should work for you.

Remove Groups Based on Active Directory OU
Import-Module activedirectory
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626468
Thanks Rich!
0
 

Author Comment

by:JT3865
ID: 40626565
Question...I've written this script in Quest powershell

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to /Marked_for_Deletion/Disabled_Users
}

I need to combine the previous powershell script to get all the users group memberships into a csv and then remove them and disable the user will it work like that or will i need to rewrite?
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626577
if the rest of the script works then maybe try just adding the get-adprincipalgroupmembership into the above script.

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
   Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv
   Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
   Start-Sleep -s 5
   Move-QADObject -identity $_ -to bhb.bm/Marked_for_Deletion/Disabled_Users
 }

Open in new window

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626581
Why do you require this using Quest cmdlets?

The difficult part I have already provided an answer for remove the security group memberships to all of the users in the OU. If you want to disable them after the group memberships have been removed just use the below script.

Import-Module activedirectory
$ADusers = Get-ADUser -Filter * -SearchBase "ou=testou,dc=domain,dc=com"
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

ForEach ($Account in $ADUsers) {
Set-ADuser -Identity $Account -Enabled $false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626611
Will,

I doesn't really matter unfortunately i've only been learning with Quest and wasn't sure the trade over for Quest to Standard Powershell but i appreciate the help nonetheless.
0
 

Author Comment

by:JT3865
ID: 40626741
Thanks Guys!
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40861251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question