Removing Group Membership from Multiple AD Accounts


  • Removing Group Membership from Multiple AD Accounts

    This is my scenario. I have a folder named "Former Employees" in AD. In that folder are all of my former employees.

    There are 492 accounts in there, give or take one or two.

    I need to remove all "Member Of" groups, both distribution and security groups (except for the group 'domain users' of course) from every account in that folder.

    I'd rather use PowerShell than go through 492 accounts individually.

    What I've found so far while googling my question isn't really helping me. There's some good stuff I'm finding but it's not specific to my project, and by specific, I don't mean exactly what I need. I'm looking for something to get me started.

    My groups are spread out all over my AD structure rather than being in one contained folder as I have multiple locations around the USA and each location has its own OU.

    I'm going to continue googling but if any one has any PS strings they can drop in here, that would be really, really helpful.



    I'd rather check my Facebook than face my checkbook...

    Thanks,
    Todd

  • #2
    I'm thinking something like this will work.
    $csvFile = "path to csv file"
    $disabledUsersOU = "OU=blah,DC=domain,DC=com"
    Import-Csv $csvFile | ForEach-Object {
        # Disable the account
        Disable-ADAccount -Identity $_.UserName
        # Retrieve the user object and MemberOf property
        $user = Get-ADUser -Identity $_.UserName -Properties MemberOf
        # Move user object to disabled users OU
        $user | Move-ADObject -TargetPath $disabledUsersOU
        # Remove all group memberships (will leave Domain Users as this is NOT in the MemberOf property returned by Get-ADUser)
        foreach ($group in ($user | Select-Object -ExpandProperty MemberOf)) {
            Remove-ADGroupMember -Identity $group -Members $user
        }
    }
    I'd rather check my Facebook than face my checkbook...

    Thanks,
    Todd



    • #3
      I edited that script above and it's giving me errors; I removed the "move" part of it because they're already isolated in their own OU.

      I'm thinking this may help, though this is a broad sweep of disabled accounts.
      Foreach ($user in (Get-QADUser -Disabled -SizeLimit 0)) {
          (Get-QADUser $user).memberof |
              Get-QADGroup |
              Where-Object { $_.name -ne "domain users" } |
              Remove-QADGroupMember -Member $user
      }
      I'd rather check my Facebook than face my checkbook...

      Thanks,
      Todd

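The two scripts above (the ActiveDirectory-module one in #2 and the Quest one in #3) both strip memberships directly. The following is an added example, not code posted by anyone in this thread, that does the same job for every user in one OU with the built-in ActiveDirectory module, but first writes the existing memberships to a CSV so the change is auditable and reversible, and defaults to a dry run. The OU path and backup file location are placeholders you would replace with your own; the `Domain Users` check is only a guard for the case where someone changed a user's primary group, since the primary group itself never appears in MemberOf.

```powershell
# Added example (not from the thread): remove every group membership except the
# primary group from all users in one OU, after backing the memberships up.
Import-Module ActiveDirectory

$SearchBase = 'OU=Former Employees,DC=domain,DC=com'   # assumption: your OU's DN
$BackupPath = "C:\Temp\FormerEmployees-MemberOf-$(Get-Date -Format yyyyMMdd-HHmm).csv"  # assumption
$DryRun     = $true   # leave $true for a -WhatIf pass first; set $false to remove for real

# Enumerate the users in the OU (and any sub-OUs). MemberOf holds the groups'
# distinguished names, so groups scattered across other OUs are covered without
# having to search for them separately.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties MemberOf

# 1. Record the current memberships so the change can be audited or rolled back.
$users | ForEach-Object {
    $u = $_
    foreach ($g in $u.MemberOf) {
        [pscustomobject]@{ User = $u.SamAccountName; Group = $g }
    }
} | Export-Csv -Path $BackupPath -NoTypeInformation

# 2. Remove the memberships. The primary group (Domain Users by default) is not
#    listed in MemberOf, so it is untouched; the explicit check only matters if a
#    user's primary group was changed and Domain Users became an ordinary membership.
foreach ($u in $users) {
    foreach ($groupDn in $u.MemberOf) {
        if ($groupDn -like 'CN=Domain Users,*') { continue }
        Remove-ADGroupMember -Identity $groupDn -Members $u -Confirm:$false -WhatIf:$DryRun
    }
}
```

Run it once with `$DryRun = $true` and read the `What if:` lines to confirm it only touches the accounts and groups you expect, then flip it to `$false`. The backup CSV is also what you would hand to an auditor, or feed back into `Add-ADGroupMember`, if an account turns out not to belong in that OU after all.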


      • #4
        What errors is it giving you, and where? If you get as far as the Get-QADGroup, do you get the correct output?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          It threw an error related to the moving of the accounts. I forgot to take that out.

          As of right now, that doesn't matter, I got laid off this morning.

          I learned a lot but went through hell the last year.

          I'd rather check my Facebook than face my checkbook...

          Thanks,
          Todd



          • #6
            Very sorry to hear that, Todd, but in general (and with a long period of hindsight) I find the end result is more positive than negative - although it doesn't feel like it at the time.
            Anything I can do to help, please ask
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              That's what I told my wife. I mean, it's not like I got laid off from the perfect job. This last year was complete hell. Managing and maintaining a system that was severely out of date and a network that had close to 1000 users (dwindled down to 350 as of yesterday) was really a job for a team of probably 4, but I did my best.

              Things will open up to better opportunities; I got a good severance package, so I can pretty much pick where I need to be.

              I appreciate the good thoughts from you, thank you!
              I'd rather check my Facebook than face my checkbook...

              Thanks,
              Todd
