Removing Group Membership from Multiple AD Accounts


This topic contains 6 replies, has 3 voices, and was last updated by  h0me 1 year, 7 months ago.

Viewing 7 posts - 1 through 7 (of 7 total)

  • todd231
    Participant
    #166969

    This is my scenario. I have a folder named “Former Employees” in AD. In that folder are all of my former employees.

    There are 492 accounts in there, give or take one or two.

    I need to remove all “Member Of” groups, both distribution and security groups (except for the group ‘domain users’ of course) from every account in that folder.

    I’d rather use PowerShell than go through 492 accounts individually.

    What I’ve found so far while googling my question isn’t really helping me. There’s some good stuff I’m finding but it’s not specific to my project, and by specific, I don’t mean exactly what I need. I’m looking for something to get me started.

    My groups are spread out all over my AD structure rather than being in one contained folder as I have multiple locations around the USA and each location has its own OU.

    I’m going to continue googling but if any one has any PS strings they can drop in here, that would be really, really helpful.

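    An added worked example of the procedure asked for above (not code from this thread or from any of its posters): enumerate every account directly under the former-employees OU, write a rollback CSV of the current memberships, then strip each group. Domain Users survives without any special-casing because a user's primary group is never listed in MemberOf; an account whose primary group was changed to something else is reported rather than silently skipped. The OU distinguished name and the backup path are placeholders. Stripping memberships from disabled accounts matters because a disabled account that is later re-enabled (or whose SID history is abused) would otherwise come back with all of its old access.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module.
# The OU DN passed to -SearchBase and the backup path are placeholders to adjust.
#Requires -Modules ActiveDirectory

function Remove-FormerEmployeeGroups {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # OU that holds the former-employee accounts, e.g. 'OU=Former Employees,DC=example,DC=com'
        [Parameter(Mandatory)]
        [string]$SearchBase,

        # Before-state export so memberships can be restored if someone was removed by mistake
        [string]$BackupPath = ".\FormerEmployees-MemberOf-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # MemberOf never contains the primary group (Domain Users by default), so that
    # membership is left intact automatically. PrimaryGroup is fetched only to report
    # accounts whose primary group was changed away from Domain Users.
    $users = Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter * `
                -Properties MemberOf, PrimaryGroup

    # Rollback record: one row per (user, group) pair, written before anything changes
    $users | ForEach-Object {
        foreach ($g in $_.MemberOf) {
            [pscustomobject]@{ User = $_.DistinguishedName; Group = $g }
        }
    } | Export-Csv -Path $BackupPath -NoTypeInformation
    Write-Verbose "Wrote membership backup to $BackupPath"

    foreach ($user in $users) {
        if ($user.PrimaryGroup -notmatch '^CN=Domain Users,') {
            Write-Warning "$($user.SamAccountName): non-default primary group $($user.PrimaryGroup) left in place (reset primaryGroupID first if it must go)"
        }
        foreach ($groupDn in $user.MemberOf) {
            # -WhatIf on the function turns this into a dry run that lists every removal
            if ($PSCmdlet.ShouldProcess("$($user.SamAccountName) in $groupDn", 'Remove group membership')) {
                try {
                    # -Confirm:$false suppresses the per-group prompt Remove-ADGroupMember raises by default
                    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                    [pscustomobject]@{ User = $user.SamAccountName; Group = $groupDn; Result = 'Removed' }
                }
                catch {
                    [pscustomobject]@{ User = $user.SamAccountName; Group = $groupDn; Result = "Failed: $($_.Exception.Message)" }
                }
            }
        }
    }
}

# Dry run first, then the real run with an audit file of what was removed:
# Remove-FormerEmployeeGroups -SearchBase 'OU=Former Employees,DC=example,DC=com' -WhatIf
# Remove-FormerEmployeeGroups -SearchBase 'OU=Former Employees,DC=example,DC=com' -Verbose |
#     Export-Csv .\removals.csv -NoTypeInformation
```

    Run it with -WhatIf once and read the list before the real run; with roughly 492 accounts spread across many site OUs, the dry run is the only cheap way to spot a group you did not expect to be touching. The groups themselves can live anywhere in the forest, since each one is addressed by the DN that MemberOf already holds.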

    h0me
    Member
    #377619

    I’m thinking something like this will work.
    $csvFile = "path to csv file"
    $disabledUsersOU = "OU=blah,DC=domain,DC=com"

    Import-Csv $csvFile | ForEach-Object {
        # Disable the account
        Disable-ADAccount -Identity $_.UserName

        # Retrieve the user object and MemberOf property
        $user = Get-ADUser -Identity $_.UserName -Properties MemberOf

        # Remove all group memberships before moving the object, so the DN held in $user
        # is still current. This leaves Domain Users alone, as the primary group is NOT in
        # the MemberOf property returned by Get-ADUser. -Confirm:$false suppresses the
        # per-group prompt Remove-ADGroupMember raises by default.
        foreach ($group in ($user | Select-Object -ExpandProperty MemberOf)) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }

        # Move user object to disabled users OU
        $user | Move-ADObject -TargetPath $disabledUsersOU
    }


    h0me
    Member
    #377620

    I edited that script above and it’s giving me errors. I removed the “move” part of it because they’re already isolated in their own OU.

    I’m thinking this may help, though this is a broad sweep of disabled accounts.
    Foreach ($user in (Get-QADUser -Disabled -SizeLimit 0)) {
        (Get-QADUser $user).MemberOf |
            Get-QADGroup |
            Where-Object { $_.Name -ne "Domain Users" } |
            Remove-QADGroupMember -Member $user
    }


    Ossian
    Moderator
    #191616

    What errors is it giving you, and where? If you get as far as the Get-QADGroup, do you get the correct output?


    h0me
    Member
    #377621

    It threw an error related to the moving of the accounts. I forgot to take that out.

    As of right now, that doesn’t matter, I got laid off this morning.

    I learned a lot but went through hell the last year.


    Ossian
    Moderator
    #191621

    Very sorry to hear that, Todd, but in general (and with a long period of hindsight) I find the end result is more positive than negative – although it doesn’t feel like it at the time.
    Anything I can do to help, please ask


    h0me
    Member
    #377622

    That’s what I told my wife. I mean, it’s not like I got laid off from the perfect job. This last year was complete hell. Managing and maintaining a system that was severely out of date and a network that had close to 1000 users (dwindled down to 350 as of yesterday) was really a job for a team of probably 4, but I did my best.

    Things will open up to better opportunities. I got a good severance package, so I can pretty much pick where I need to be.

    I appreciate the good thoughts from you, thank you!
