Solved

Group Memberships of Users in Specific OU

Posted on 2015-02-23
20
91 Views
Last Modified: 2015-07-01
Hi I am writing a script and have completed a majority of it Im new to Powershell and am using Quest the issue i am experiencing is that i cannot figure out how to get the list of users group Memberships before the users are removed from their respective groups can you assist?

 $Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to OU= , OU=, DC=, DC=
}
0
Comment
Question by:JT3865
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 7
  • 3
  • +1
20 Comments
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626061
Same basic code as the last question regarding group memberships from a specific group of users. please see code below for searching the ou structure via get-aduser. http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/30/powertip-single-line-powershell-command-to-list-all-users-in-an-ou.aspx

$users = get-aduser -filter * -SearchBase "ou=TestOU,ou=TestOU,dc=Domain,dc=com" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv}

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626304
Having an issue with  "$users = get-aduser -filter * -SearchBase "ou=Marked_for_Deletion,ou=Disabled_Users,dc=bhb,dc=bm"

Throws an get-aduser  : Directory object not found message
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626310
This would be the OU structure that you want to build, is there an OU called "Marked_for_Deletion"?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:JT3865
ID: 40626315
Yes
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626325
if you run the command below do you find the one you are looking for?

Get-ADOrganizationalUnit -filter * | select DistinguishedName

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626334
Yes I had them misplaced however, it is now saying that the string is missing a Terminator
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626335
Can you post the actual error?
0
 

Author Comment

by:JT3865
ID: 40626339
Sure- PS C:\Users\adjustin.\Desktop> $users = get-aduser -filter * -SearchBase ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\Users\adjustin.\desktop\$user-Groups.csv}
}
The string is missing the terminator: ".
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626344
can you check the file path does the "adjustin" folder actually have a .? c:\Users\adjustin.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626353
You are missing the " quotes on the beginning of the ou=Disabled. It should be like below...

$users = get-aduser -filter * -SearchBase "ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

Will.
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626363
Good Catch Will, I glazed right over that once I saw the . in the file path!
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626441
@Rich - Thanks!

I just answered another open question that references exactly what you are trying to do but I am using the native built-in cmdlets using the active directory module. This should work for you.

Remove Groups Based on Active Directory OU
Import-Module activedirectory
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626468
Thanks Rich!
0
 

Author Comment

by:JT3865
ID: 40626565
Question...I've written this script in Quest powershell

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to /Marked_for_Deletion/Disabled_Users
}

I need to combine the previous powershell script to get all the users group memberships into a csv and then remove them and disable the user will it work like that or will i need to rewrite?
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626577
if the rest of the script works then maybe try just adding the get-adprincipalgroupmembership into the above script.

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
   Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv
   Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
   Start-Sleep -s 5
   Move-QADObject -identity $_ -to bhb.bm/Marked_for_Deletion/Disabled_Users
 }

Open in new window

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626581
Why do you require this using Quest cmdlets?

The difficult part I have already provided an answer for remove the security group memberships to all of the users in the OU. If you want to disable them after the group memberships have been removed just use the below script.

Import-Module activedirectory
$ADusers = Get-ADUser -Filter * -SearchBase "ou=testou,dc=domain,dc=com"
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

ForEach ($Account in $ADUsers) {
Set-ADuser -Identity $Account -Enabled $false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626611
Will,

I doesn't really matter unfortunately i've only been learning with Quest and wasn't sure the trade over for Quest to Standard Powershell but i appreciate the help nonetheless.
0
 

Author Comment

by:JT3865
ID: 40626741
Thanks Guys!
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40861251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question