Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Group Memberships of Users in Specific OU

Posted on 2015-02-23
20
Medium Priority
?
101 Views
Last Modified: 2015-07-01
Hi I am writing a script and have completed a majority of it Im new to Powershell and am using Quest the issue i am experiencing is that i cannot figure out how to get the list of users group Memberships before the users are removed from their respective groups can you assist?

 $Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to OU= , OU=, DC=, DC=
}
0
Comment
Question by:JT3865
  • 8
  • 7
  • 3
  • +1
19 Comments
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626061
Same basic code as the last question regarding group memberships from a specific group of users. please see code below for searching the ou structure via get-aduser. http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/30/powertip-single-line-powershell-command-to-list-all-users-in-an-ou.aspx

$users = get-aduser -filter * -SearchBase "ou=TestOU,ou=TestOU,dc=Domain,dc=com" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv}

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626304
Having an issue with  "$users = get-aduser -filter * -SearchBase "ou=Marked_for_Deletion,ou=Disabled_Users,dc=bhb,dc=bm"

Throws an get-aduser  : Directory object not found message
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626310
This would be the OU structure that you want to build, is there an OU called "Marked_for_Deletion"?
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 

Author Comment

by:JT3865
ID: 40626315
Yes
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626325
if you run the command below do you find the one you are looking for?

Get-ADOrganizationalUnit -filter * | select DistinguishedName

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626334
Yes I had them misplaced however, it is now saying that the string is missing a Terminator
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626335
Can you post the actual error?
0
 

Author Comment

by:JT3865
ID: 40626339
Sure- PS C:\Users\adjustin.\Desktop> $users = get-aduser -filter * -SearchBase ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\Users\adjustin.\desktop\$user-Groups.csv}
}
The string is missing the terminator: ".
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626344
can you check the file path does the "adjustin" folder actually have a .? c:\Users\adjustin.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626353
You are missing the " quotes on the beginning of the ou=Disabled. It should be like below...

$users = get-aduser -filter * -SearchBase "ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

Will.
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626363
Good Catch Will, I glazed right over that once I saw the . in the file path!
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40626441
@Rich - Thanks!

I just answered another open question that references exactly what you are trying to do but I am using the native built-in cmdlets using the active directory module. This should work for you.

Remove Groups Based on Active Directory OU
Import-Module activedirectory
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626468
Thanks Rich!
0
 

Author Comment

by:JT3865
ID: 40626565
Question...I've written this script in Quest powershell

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to /Marked_for_Deletion/Disabled_Users
}

I need to combine the previous powershell script to get all the users group memberships into a csv and then remove them and disable the user will it work like that or will i need to rewrite?
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626577
if the rest of the script works then maybe try just adding the get-adprincipalgroupmembership into the above script.

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
   Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv
   Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
   Start-Sleep -s 5
   Move-QADObject -identity $_ -to bhb.bm/Marked_for_Deletion/Disabled_Users
 }

Open in new window

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626581
Why do you require this using Quest cmdlets?

The difficult part I have already provided an answer for remove the security group memberships to all of the users in the OU. If you want to disable them after the group memberships have been removed just use the below script.

Import-Module activedirectory
$ADusers = Get-ADUser -Filter * -SearchBase "ou=testou,dc=domain,dc=com"
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

ForEach ($Account in $ADUsers) {
Set-ADuser -Identity $Account -Enabled $false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626611
Will,

I doesn't really matter unfortunately i've only been learning with Quest and wasn't sure the trade over for Quest to Standard Powershell but i appreciate the help nonetheless.
0
 

Author Comment

by:JT3865
ID: 40626741
Thanks Guys!
0
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 40861251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Loops Section Overview

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question