davidthegnome2003
asked on
Remove group membership from user in AD
I am using this PowerShell script to attempt to remove groups from disabled users, but I am getting an error. I need help to make the script work.
import-module activedirectory
$list = Import-Csv c:\user\DN.csv
foreach ($entry in $list)
$UserDN = $entry.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {
try {
remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
catch [ADexcption] {
write-output "Error Deleting User:" $_.name
}
}
Error
Missing statement body in foreach loop.
At C:\Scripts\Exit User.ps1:4 char:1
+ <<<< $UserDN = $entry.DistinguishedName
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingForeachStatement
import-module activedirectory
$list = Import-Csv c:\user\DN.csv
foreach ($entry in $list)
$UserDN = $entry.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {
try {
remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
catch [ADexcption] {
write-output "Error Deleting User:" $_.name
}
}
Error
Missing statement body in foreach loop.
At C:\Scripts\Exit User.ps1:4 char:1
+ <<<< $UserDN = $entry.DistinguishedName
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingForeachStatement
ASKER
Will,
Would this be ok to run in a domain that has 30,000+ disabled users?
Or would it be better to call from a file?
Thanks for responding. Ultimately I am hoping to have one or more scripts that can complete my process for exiting users.
Disabling the account, moving the users H: drive to a folder for disabled users, removing all memberships, Copying the address of the users Exchange homeMDB and copying it into the notes section of the telephone tab, clearing their manager, and moving the object to the disabled OU. Also, adding the date in the description that the account was disabled.
Would this be ok to run in a domain that has 30,000+ disabled users?
Or would it be better to call from a file?
Thanks for responding. Ultimately I am hoping to have one or more scripts that can complete my process for exiting users.
Disabling the account, moving the users H: drive to a folder for disabled users, removing all memberships, Copying the address of the users Exchange homeMDB and copying it into the notes section of the telephone tab, clearing their manager, and moving the object to the disabled OU. Also, adding the date in the description that the account was disabled.
well if you have that many accounts what you could do is restrict what OU's it searches so that it does not grab accounts that are disabled by default like Shared Mailbox accounts etc. Ultimately if this is not using a file to call from you can have this setup on a scheduled task and run a cleanup procedure every week/month etc.
Everything you have listed in manageable in a single script.
Will.
Everything you have listed in manageable in a single script.
Will.
ASKER
Will,
Could you show me the script calling from a file, txt if possible
(My server doesn't have excel).
Could you show me the script calling from a file, txt if possible
(My server doesn't have excel).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you very much. You sure know your stuff with PowerShell, Will!
Open in new window
What that script will do is find all users that are disabled in AD and then remove all of their group memberships. If the user is only part of domain users then it will skip it.
The above script I have illustrated is more logical and better than calling a file. However if you would rather calling from a file then I will modify the script above to accommodate your requirements.
Will.