Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Group Memberships of Users in Specific OU

Posted on 2015-02-23
20
84 Views
Last Modified: 2015-07-01
Hi I am writing a script and have completed a majority of it Im new to Powershell and am using Quest the issue i am experiencing is that i cannot figure out how to get the list of users group Memberships before the users are removed from their respective groups can you assist?

 $Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to OU= , OU=, DC=, DC=
}
0
Comment
Question by:JT3865
  • 8
  • 7
  • 3
  • +1
20 Comments
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626061
Same basic code as the last question regarding group memberships from a specific group of users. please see code below for searching the ou structure via get-aduser. http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/30/powertip-single-line-powershell-command-to-list-all-users-in-an-ou.aspx

$users = get-aduser -filter * -SearchBase "ou=TestOU,ou=TestOU,dc=Domain,dc=com" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv}

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626304
Having an issue with  "$users = get-aduser -filter * -SearchBase "ou=Marked_for_Deletion,ou=Disabled_Users,dc=bhb,dc=bm"

Throws an get-aduser  : Directory object not found message
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626310
This would be the OU structure that you want to build, is there an OU called "Marked_for_Deletion"?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:JT3865
ID: 40626315
Yes
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626325
if you run the command below do you find the one you are looking for?

Get-ADOrganizationalUnit -filter * | select DistinguishedName

Open in new window

0
 

Author Comment

by:JT3865
ID: 40626334
Yes I had them misplaced however, it is now saying that the string is missing a Terminator
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626335
Can you post the actual error?
0
 

Author Comment

by:JT3865
ID: 40626339
Sure- PS C:\Users\adjustin.\Desktop> $users = get-aduser -filter * -SearchBase ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

foreach ($user in $users){
Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\Users\adjustin.\desktop\$user-Groups.csv}
}
The string is missing the terminator: ".
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626344
can you check the file path does the "adjustin" folder actually have a .? c:\Users\adjustin.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626353
You are missing the " quotes on the beginning of the ou=Disabled. It should be like below...

$users = get-aduser -filter * -SearchBase "ou=Disabled_Users,ou=Marked_for_Deletion,dc=,dc=" | select -ExpandProperty Name

Will.
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626363
Good Catch Will, I glazed right over that once I saw the . in the file path!
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626441
@Rich - Thanks!

I just answered another open question that references exactly what you are trying to do but I am using the native built-in cmdlets using the active directory module. This should work for you.

Remove Groups Based on Active Directory OU
Import-Module activedirectory
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626468
Thanks Rich!
0
 

Author Comment

by:JT3865
ID: 40626565
Question...I've written this script in Quest powershell

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
  Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
  Start-Sleep -s 5
  Move-QADObject -identity $_ -to /Marked_for_Deletion/Disabled_Users
}

I need to combine the previous powershell script to get all the users group memberships into a csv and then remove them and disable the user will it work like that or will i need to rewrite?
0
 
LVL 4

Expert Comment

by:Rich Leclair
ID: 40626577
if the rest of the script works then maybe try just adding the get-adprincipalgroupmembership into the above script.

$Users = Get-Content .\JustinPowerScripts\DisabledUsers.csv | ForEach-Object {
   Get-ADPrincipalGroupMembership -identity $user | select Name | export-csv -NoTypeInformation -path c:\output\$user-Groups.csv
   Get-QADUser $_ | Disable-QADUser | Remove-QADMemberOf  -RemoveAll  
   Start-Sleep -s 5
   Move-QADObject -identity $_ -to bhb.bm/Marked_for_Deletion/Disabled_Users
 }

Open in new window

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626581
Why do you require this using Quest cmdlets?

The difficult part I have already provided an answer for remove the security group memberships to all of the users in the OU. If you want to disable them after the group memberships have been removed just use the below script.

Import-Module activedirectory
$ADusers = Get-ADUser -Filter * -SearchBase "ou=testou,dc=domain,dc=com"
$FindGroups = get-aduser -Filter * -SearchBase "ou=testou,dc=domain,dc=com" | Get-ADPrincipalGroupMembership
ForEach ($user in $FindGroups) {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $FindGroups -Confirm:$false
}

ForEach ($Account in $ADUsers) {
Set-ADuser -Identity $Account -Enabled $false
}

Open in new window


Will.
0
 

Author Comment

by:JT3865
ID: 40626611
Will,

I doesn't really matter unfortunately i've only been learning with Quest and wasn't sure the trade over for Quest to Standard Powershell but i appreciate the help nonetheless.
0
 

Author Comment

by:JT3865
ID: 40626741
Thanks Guys!
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40861251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question