Remove group membership from user in AD

I am using this PowerShell script to attempt to remove groups from disabled users, but I am getting an error. I need help to make the script work.

import-module activedirectory
$list = Import-Csv c:\user\DN.csv
foreach ($entry in $list)
$UserDN = $entry.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {
try {
remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
catch [ADexcption] {
write-output "Error Deleting User:" $_.name
}
}

Error

Missing statement body in foreach loop.
At C:\Scripts\Exit User.ps1:4 char:1
+  <<<< $UserDN = $entry.DistinguishedName
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingForeachStatement
davidthegnome2003 asked:

Will Szymkowski (Senior Solution Architect) commented:
I think you are complicating this. Use the below script. Why have Disabled users in a file? Just look for them in AD. See below...

Import-Module ActiveDirectory
# Every disabled user account in the domain
$DisabledUsers = Get-ADUser -Filter { enabled -eq $false } -Properties *

ForEach ($User in $DisabledUsers)
    {
        # All groups the user belongs to, except the primary group Domain Users
        $UserGroups = Get-ADPrincipalGroupMembership -Identity $User.samaccountname | ? { ($_.name -ne "Domain Users") }

    If ($UserGroups -ne $null)
        {
        Remove-ADPrincipalGroupMembership -Identity $User.samaccountname -MemberOf $UserGroups -Confirm:$false
        }
    }

What that script will do is find all users that are disabled in AD and then remove all of their group memberships. If the user is only part of domain users then it will skip it.

The above script I have illustrated is more logical and better than calling a file. However, if you would rather call from a file, then I will modify the script above to accommodate your requirements.

Will.
davidthegnome2003 (Author) commented:
Will,

Would this be ok to run in a domain that has 30,000+ disabled users?

Or would it be better to call from a file?

Thanks for responding. Ultimately I am hoping to have one or more scripts that can complete my process for exiting users.

Disabling the account, moving the user's H: drive to a folder for disabled users, removing all memberships, copying the address of the user's Exchange homeMDB into the notes section of the telephone tab, clearing their manager, and moving the object to the disabled OU. Also, adding the date the account was disabled to the description.
Will Szymkowski (Senior Solution Architect) commented:
Well, if you have that many accounts, what you could do is restrict which OUs it searches so that it does not grab accounts that are disabled by default, like shared mailbox accounts, etc. Ultimately, if this is not using a file to call from, you can set this up as a scheduled task and run a cleanup procedure every week/month, etc.

Everything you have listed is manageable in a single script.

Will.
davidthegnome2003 (Author) commented:
Will,

Could you show me the script calling from a file, txt if possible (my server doesn't have Excel)?
Will Szymkowski (Senior Solution Architect) commented:
Below is the script and I am referencing a TXT file.

Note: make sure the text file has each user's sAMAccountName, one on each line.

Import-Module ActiveDirectory
# One sAMAccountName per line in the text file
$DisabledUsers = Get-Content "c:\filename.txt"

ForEach ($User in $DisabledUsers)
    {
        # All groups the user belongs to, except the primary group Domain Users
        $UserGroups = Get-ADPrincipalGroupMembership -Identity $User | ? { ($_.name -ne "Domain Users") }

    If ($UserGroups -ne $null)
        {
        Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $UserGroups -Confirm:$false
        }
    }


That should do it.

Will.
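Pulling together Will's two scripts, his advice to restrict the search to particular OUs on a large domain, and the asker's request for text-file input, here is an added example (not code from this thread or from either participant): it takes either a text file of sAMAccountNames or, without one, queries disabled users under a single OU, skips each user's actual primary group instead of matching on the name "Domain Users", supports -WhatIf for a dry run, and logs every removal. The OU path, the log path and the -WhatIf/logging behaviour are my assumptions, not something the thread specifies.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$InputFile,                                  # optional: one sAMAccountName per line
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',  # assumed OU; narrows the query on large domains
    [string]$LogPath = "$env:TEMP\group-removal.log"     # assumed log location
)
Import-Module ActiveDirectory

# Build the account list. Asking only for the attribute we need (PrimaryGroup)
# instead of -Properties * keeps the query cheap with tens of thousands of users.
if ($InputFile) {
    $users = Get-Content -Path $InputFile | Where-Object { $_.Trim() } |
        ForEach-Object { Get-ADUser -Identity $_.Trim() -Properties PrimaryGroup }
} else {
    $users = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase -Properties PrimaryGroup
}

foreach ($user in $users) {
    # The primary group (normally Domain Users) cannot be removed this way, so
    # compare against the user's actual PrimaryGroup DN rather than a group name.
    $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
    if (-not $groups) { continue }

    foreach ($group in $groups) {
        # Run with -WhatIf to list the removals without changing AD; on a real run
        # each removal is logged so the change is auditable afterwards.
        $action = "Remove $($user.SamAccountName) from $($group.Name)"
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, $action)) {
            try {
                Remove-ADPrincipalGroupMembership -Identity $user.DistinguishedName -MemberOf $group -Confirm:$false
                "$(Get-Date -Format s) OK   $action" | Add-Content -Path $LogPath
            } catch {
                "$(Get-Date -Format s) FAIL $action : $_" | Add-Content -Path $LogPath
            }
        }
    }
}
```

Run it once with -WhatIf and read the output before the real run; the log file then gives you a per-user record of what was removed.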

davidthegnome2003 (Author) commented:
Thank you very much. You sure know your stuff with PowerShell, Will!