Append Description for the AD User after this script runs

Travis Hahn
I want to append the description with "Groups Removed <date>"  - I want it to run after the groups are removed.

# Import the Active Directory module if not already loaded
if (-not (Get-Module ActiveDirectory)) {
    Import-Module ActiveDirectory -ErrorAction Stop
}
$user = Read-Host '=> [ Enter UserName ]'
Write-Host
Write-Host "... $user is member of these AD Groups" -ForegroundColor Yellow
Get-ADPrincipalGroupMembership -Identity $user | Format-Table -Property Name
Write-Host "...Removing the Group Membership" -ForegroundColor DarkYellow
# Keep the primary group (Domain Users); everything else is removed
$ADGroups = Get-ADPrincipalGroupMembership -Identity $user | Where-Object {$_.Name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADGroups -Confirm:$false -Verbose


Top Expert 2016

Commented:
$user = Get-ADUser TommyTester
Set-ADUser $user -Description ("Groups Removed:" + (Get-Date).ToString("yyyy-mm-dd"))


Travis Hahn, IT Manager

Author

Commented:
So would that pull in the User from the script above?
Top Expert 2016

Commented:
# Import the Active Directory module if not already loaded
if (-not (Get-Module ActiveDirectory)) {
    Import-Module ActiveDirectory -ErrorAction Stop
}
$user = Read-Host '=> [ Enter UserName ]'
Write-Host
Write-Host "... $user is member of these AD Groups" -ForegroundColor Yellow
Get-ADPrincipalGroupMembership -Identity $user | Format-Table -Property Name
Write-Host "...Removing the Group Membership" -ForegroundColor DarkYellow
# Keep the primary group (Domain Users); everything else is removed
$ADGroups = Get-ADPrincipalGroupMembership -Identity $user | Where-Object {$_.Name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADGroups -Confirm:$false -Verbose
# Stamp the description after the removal has run
Set-ADUser $user -Description ("Groups Removed:" + (Get-Date).ToString("yyyy-mm-dd"))


Travis Hahn, IT Manager

Author

Commented:
Okay, so that did work. How do I format it so the date is dd-mm-yyyy? What I got was 19-23-2019 when I changed it to "dd-mm-yyyy".

And would there be a way to also add the user id of who ran the script to the AD notes section?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
That would need to be an uppercase "MM" for month; "mm" is minutes.
Here's a version that should make things easier; it allows you to search and select from a list if more than one account is found:
Import-Module ActiveDirectory -ErrorAction Stop
$user = Read-Host '=> [ Enter UserName, wildcards accepted ]'
$adUser = Get-ADUser -Filter "samAccountName -like '$($user)'"
If ($adUser) {
	If ($adUser.Count -gt 1) {
		$adUser = $adUser | Select-Object -Property SamAccountName, DisplayName, DistinguishedName | Out-GridView -OutputMode Single -Title "Multiple users found, please select one"
		If (-not $adUser) {
			Write-Warning "Operation canceled!"
			Exit
		}
	}
	$memberOf = Get-ADPrincipalGroupMembership -Identity $adUser.SamAccountName | Where-Object {$_.Name -ne 'Domain Users'}
	Write-Host
	Write-Host "... $($adUser.SamAccountName) is member of these AD Groups" -ForegroundColor Yellow
	$memberOf | Sort-Object -Property Name | Format-Table -Property Name
	Write-Host "...Removing the Group Membership" -ForegroundColor DarkYellow
	Remove-ADPrincipalGroupMembership -Identity $adUser.SamAccountName -MemberOf $memberOf -Confirm:$false -Verbose
	Set-ADUser -Identity $adUser.SamAccountName -Description "Groups removed: $(Get-Date -Format 'dd-MM-yyyy') by ${env:UserDomain}\${env:UserName}"
} Else {
	Write-Warning "Found no user matching '$($user)'!"
}


Travis Hahn, IT Manager

Author

Commented:
ahh yes - thank you for this!

Hopefully the last question. What about appending to the description versus blanking out what is already there?

Or changing it to write to the NOTES field instead
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
This will write it to "Notes" (which is actually the "info" attribute):
Import-Module ActiveDirectory -ErrorAction Stop
$user = Read-Host '=> [ Enter UserName, wildcards accepted ]'
$adUser = Get-ADUser -Filter "samAccountName -like '$($user)'"
If ($adUser) {
	If ($adUser.Count -gt 1) {
		$adUser = $adUser | Select-Object -Property SamAccountName, DisplayName, DistinguishedName | Out-GridView -OutputMode Single -Title "Multiple users found, please select one"
		If (-not $adUser) {
			Write-Warning "Operation canceled!"
			Exit
		}
	}
	$memberOf = Get-ADPrincipalGroupMembership -Identity $adUser.SamAccountName | Where-Object {$_.Name -ne 'Domain Users'}
	Write-Host
	Write-Host "... $($adUser.SamAccountName) is member of these AD Groups" -ForegroundColor Yellow
	$memberOf | Sort-Object -Property Name | Format-Table -Property Name
	Write-Host "...Removing the Group Membership" -ForegroundColor DarkYellow
	Remove-ADPrincipalGroupMembership -Identity $adUser.SamAccountName -MemberOf $memberOf -Confirm:$false -Verbose
	Set-ADUser -Identity $adUser.SamAccountName -Add @{info="Groups removed: $(Get-Date -Format 'dd-MM-yyyy') by ${env:UserDomain}\${env:UserName}"} 
} Else {
	Write-Warning "Found no user matching '$($user)'!"
}


Travis Hahn, IT Manager

Author

Commented:
This is great!!!

I did notice that if there is text already in the "info" field, the script will fail. Is there a way to append or replace?
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
This will append to the Notes field; if you want to completely replace it, just remove the $($adUser.info)`r`n in line 21.
Import-Module ActiveDirectory -ErrorAction Stop
$user = Read-Host '=> [ Enter UserName, wildcards accepted ]'
$adUser = Get-ADUser -Filter "samAccountName -like '$($user)'" -Property info
$runningUser = ""
If ($adUser) {
	If ($adUser.Count -gt 1) {
		$selectedUser = $adUser | Select-Object -Property SamAccountName, DisplayName, DistinguishedName | Out-GridView -OutputMode Single -Title "Multiple users found, please select one"
		If ($selectedUser) {
			$adUser = $adUser | Where-Object {$_.SamAccountName -eq $selectedUser.SamAccountName}
		} Else {
			Write-Warning "Operation canceled!"
			Exit
		}
	}
	$memberOf = Get-ADPrincipalGroupMembership -Identity $adUser.SamAccountName | Where-Object {$_.Name -ne 'Domain Users'}
	Write-Host
	Write-Host "... $($adUser.SamAccountName) is member of these AD Groups" -ForegroundColor Yellow
	$memberOf | Sort-Object -Property Name | Format-Table -Property Name
	Write-Host "...Removing the Group Membership" -ForegroundColor DarkYellow
	Remove-ADPrincipalGroupMembership -Identity $adUser.SamAccountName -MemberOf $memberOf -Confirm:$false -Verbose
	Set-ADUser -Identity $adUser.SamAccountName -Replace @{info="$($adUser.info)`r`nGroups removed: $(Get-Date -Format 'dd-MM-yyyy') by ${env:UserDomain}\${env:UserName}"}
} Else {
	Write-Warning "Found no user matching '$($user)'!"
}


Travis Hahn, IT Manager

Author

Commented:
Thank you!!!!
Travis Hahn, IT Manager

Author

Commented:
Is it the -Replace that appends?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
No, the -Replace means "Replace the current content of the attribute with the new one."
So the attribute is replaced, but with the $($adUser.info)`r`n, the old content will be put into the new string.
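The following is an added example, not code posted by anyone in this thread. It reworks the final script above into a function with the checks a practitioner would want before running a destructive change against a user: the search string is restricted to sAMAccountName characters plus the * and ? wildcards so that it cannot inject operators into the -Filter expression; the primary group is excluded by its RID (primaryGroupID) rather than by the name "Domain Users", since the primary group can be changed and can never be removed; the group DNs are written to a JSON restore file before anything is removed; the function supports -WhatIf and -Confirm through SupportsShouldProcess; and the Notes (info) append avoids a leading blank line when the attribute was empty and stays within the attribute's 1024-character schema limit. The function name, the backup folder path and the log wording are assumptions made for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread). Assumes the ActiveDirectory
# module is installed and the caller may modify the target user.
function Remove-UserGroupMembershipWithAudit {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Exact sAMAccountName or wildcard pattern. Only sAMAccountName characters
        # and the wildcards * and ? are accepted, so the value cannot inject
        # operators (-or, -like ...) into the -Filter string below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._\-*?]+$')]
        [string]$UserName,

        # Restore records are written here (path is an assumption for this example).
        [string]$BackupFolder = "$env:ProgramData\GroupRemovalBackups",

        # AD schema rangeUpper for the 'info' (Notes) attribute.
        [int]$InfoMaxLength = 1024
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $adUser = Get-ADUser -Filter "samAccountName -like '$UserName'" -Properties info, primaryGroupID
    if (-not $adUser) { Write-Warning "Found no user matching '$UserName'!"; return }
    if (@($adUser).Count -gt 1) {
        $selected = $adUser | Select-Object SamAccountName, DisplayName, DistinguishedName |
            Out-GridView -OutputMode Single -Title 'Multiple users found, please select one'
        if (-not $selected) { Write-Warning 'Operation canceled!'; return }
        $adUser = $adUser | Where-Object SamAccountName -eq $selected.SamAccountName
    }

    # Exclude the primary group by RID: the last SID component of the primary
    # group equals the user's primaryGroupID, whatever the group is called.
    $memberOf = Get-ADPrincipalGroupMembership -Identity $adUser.SamAccountName |
        Where-Object { ($_.SID.Value -split '-')[-1] -ne [string]$adUser.primaryGroupID }
    if (-not $memberOf) { Write-Host "$($adUser.SamAccountName) has no removable group memberships."; return }

    Write-Host "... $($adUser.SamAccountName) is member of these AD Groups" -ForegroundColor Yellow
    $memberOf | Sort-Object Name | Format-Table Name, DistinguishedName | Out-Host

    if ($PSCmdlet.ShouldProcess($adUser.DistinguishedName, "Remove from $(@($memberOf).Count) group(s)")) {
        # Write the restore record before touching the account, so the change
        # can be reverted with Add-ADPrincipalGroupMembership later.
        New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
        $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
        $backupFile = Join-Path $BackupFolder "$($adUser.SamAccountName)-$stamp.json"
        [pscustomobject]@{
            User      = $adUser.DistinguishedName
            RemovedBy = "$env:USERDOMAIN\$env:USERNAME"
            WhenUtc   = $stamp
            Groups    = @($memberOf.DistinguishedName)
        } | ConvertTo-Json | Set-Content -Path $backupFile -Encoding UTF8

        Remove-ADPrincipalGroupMembership -Identity $adUser.SamAccountName -MemberOf $memberOf -Confirm:$false -Verbose

        # Append one audit line to Notes (info): sortable timestamp, operator,
        # the groups removed and where the restore record lives.
        $entry = "Groups removed $(Get-Date -Format 'yyyy-MM-dd HH:mm') by $env:USERDOMAIN\$env:USERNAME: " +
                 (($memberOf.Name | Sort-Object) -join ', ') + " (backup: $backupFile)"
        $newInfo = if ([string]::IsNullOrEmpty($adUser.info)) { $entry } else { "$($adUser.info)`r`n$entry" }
        if ($newInfo.Length -gt $InfoMaxLength) {
            Write-Warning "Notes would exceed $InfoMaxLength characters; keeping only the newest text."
            $newInfo = $newInfo.Substring($newInfo.Length - $InfoMaxLength)
        }
        Set-ADUser -Identity $adUser.SamAccountName -Replace @{ info = $newInfo }
    }
}

# Usage: preview first, then run for real.
# Remove-UserGroupMembershipWithAudit -UserName 'TommyTester' -WhatIf
# Remove-UserGroupMembershipWithAudit -UserName 'TommyTester'
```

Because ConfirmImpact is High, the function prompts before the removal unless called with -Confirm:$false, and -WhatIf shows the target and the group count without writing the backup or changing the account. The restore file holds the group DNs, so an accidental run can be undone by piping those DNs to Add-ADPrincipalGroupMembership.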
