Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Remove group membership from user in AD
I am using this PowerShell script to attempt to remove groups from disabled users, but I am getting an error. I need help to make the script work.
import-module activedirectory
$list = Import-Csv c:\user\DN.csv
foreach ($entry in $list)
$UserDN = $entry.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {
try {
remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
catch [ADexcption] {
write-output "Error Deleting User:" $_.name
}
}
Error
Missing statement body in foreach loop.
At C:\Scripts\Exit User.ps1:4 char:1
+ <<<< $UserDN = $entry.DistinguishedName
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingForeachStatement
import-module activedirectory
$list = Import-Csv c:\user\DN.csv
foreach ($entry in $list)
$UserDN = $entry.DistinguishedName
Get-ADGroup -LDAPFilter "(member=$UserDN)" | foreach-object {
if ($_.name -ne "Domain Users") {
try {
remove-adgroupmember -identity $_.name -member $UserDN -Confirm:$False} }
catch [ADexcption] {
write-output "Error Deleting User:" $_.name
}
}
Error
Missing statement body in foreach loop.
At C:\Scripts\Exit User.ps1:4 char:1
+ <<<< $UserDN = $entry.DistinguishedName
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingForeachStatement
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I think you are complicating this. Use the below script. Why have Disabled users in a file? Just look for them in AD. See below...
What that script will do is find all users that are disabled in AD and then remove all of their group memberships. If the user is only part of domain users then it will skip it.
The above script I have illustrated is more logical and better than calling a file. However if you would rather calling from a file then I will modify the script above to accommodate your requirements.
Will.
Import-module activedirectory
$DisabledUsers = Get-ADUser -filter { enabled -eq $false } -Properties *
ForEach ($User in $DisabledUsers)
{
$UserGroups = Get-ADPrincipalGroupMembership -Identity $User.samaccountname | ? { ($_.name -ne "Domain Users") }
If ($UserGroups -ne $null)
{
Remove-ADPrincipalGroupMembership -Identity $User.samaccountname -MemberOf $UserGroups -Confirm:$false
}
What that script will do is find all users that are disabled in AD and then remove all of their group memberships. If the user is only part of domain users then it will skip it.
The above script I have illustrated is more logical and better than calling a file. However if you would rather calling from a file then I will modify the script above to accommodate your requirements.
Will.
Will,
Would this be ok to run in a domain that has 30,000+ disabled users?
Or would it be better to call from a file?
Thanks for responding. Ultimately I am hoping to have one or more scripts that can complete my process for exiting users.
Disabling the account, moving the users H: drive to a folder for disabled users, removing all memberships, Copying the address of the users Exchange homeMDB and copying it into the notes section of the telephone tab, clearing their manager, and moving the object to the disabled OU. Also, adding the date in the description that the account was disabled.
Would this be ok to run in a domain that has 30,000+ disabled users?
Or would it be better to call from a file?
Thanks for responding. Ultimately I am hoping to have one or more scripts that can complete my process for exiting users.
Disabling the account, moving the users H: drive to a folder for disabled users, removing all memberships, Copying the address of the users Exchange homeMDB and copying it into the notes section of the telephone tab, clearing their manager, and moving the object to the disabled OU. Also, adding the date in the description that the account was disabled.
well if you have that many accounts what you could do is restrict what OU's it searches so that it does not grab accounts that are disabled by default like Shared Mailbox accounts etc. Ultimately if this is not using a file to call from you can have this setup on a scheduled task and run a cleanup procedure every week/month etc.
Everything you have listed in manageable in a single script.
Will.
Everything you have listed in manageable in a single script.
Will.
Will,
Could you show me the script calling from a file, txt if possible
(My server doesn't have excel).
Could you show me the script calling from a file, txt if possible
(My server doesn't have excel).
Below is the script and I am referencing a TXT file.
Note: make sure in the text file you have each users sAMAccountName one on each line.
That should do it.
Will.
Note: make sure in the text file you have each users sAMAccountName one on each line.
Import-module activedirectory
$DisabledUsers = Get-Content "c:\filename.txt"
ForEach ($User in $DisabledUsers)
{
$UserGroups = Get-ADPrincipalGroupMembership -Identity $User | ? { ($_.name -ne "Domain Users") }
If ($UserGroups -ne $null)
{
Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $UserGroups -Confirm:$false
}
}
That should do it.
Will.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial