Question
Tuesday, September 10, 2013 12:51 PM
REMOVE USERS MEMBERSof FROM ALL GROUPS EXCEPT DOMAIN USER with powershell
All replies (15)
Tuesday, September 10, 2013 4:50 PM ✅Answered | 5 votes
I am being nice today, not sure why lol, but for the future, do your own research and your own code. We are here to help with issues and general questions, NOT to do your work. The below script should do all except #3 as I don't understand why you want to add the user to a group after you take all group memberships away. Also it assumes your csv file is in the following format:
    UserName
    user1
    user2
    user3

    $csvFile = "path to csv file"
    $disabledUsersOU = "OU=blah,DC=domain,DC=com"
    Import-Csv $csvFile | ForEach-Object {
        # Disable the account
        Disable-ADAccount -Identity $_.UserName
        # Retrieve the user object and MemberOf property
        $user = Get-ADUser -Identity $_.UserName -Properties MemberOf
        # Move user object to disabled users OU
        $user | Move-ADObject -TargetPath $disabledUsersOU
        # Remove all group memberships (will leave Domain Users as this is NOT in the MemberOf property returned by Get-ADUser)
        foreach ($group in ($user | Select-Object -ExpandProperty MemberOf))
        {
            Remove-ADGroupMember -Identity $group -Members $user
        }
    }
If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.
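An added example, not part of the answer above or any poster's code: the same CSV-driven membership removal with a dry run and an audit trail, so each removal is recorded and can be reversed. The parameter names $CsvPath and $AuditPath and the audit file layout are assumptions; the UserName column follows the CSV format the answer assumes. It needs PowerShell 3.0 or later.

```powershell
# Added example. $CsvPath, $AuditPath and the audit columns are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [string]$AuditPath = ".\removed-memberships.csv"
)

Import-Module ActiveDirectory

$audit = foreach ($row in Import-Csv -Path $CsvPath) {
    try {
        $user = Get-ADUser -Identity $row.UserName -Properties MemberOf -ErrorAction Stop
    }
    catch {
        # Unknown or mistyped account: report it and go on to the next row
        Write-Warning "Skipping '$($row.UserName)': $($_.Exception.Message)"
        continue
    }

    # MemberOf does not list the primary group (Domain Users by default),
    # so that membership is never touched by this loop.
    foreach ($groupDn in $user.MemberOf) {
        $removed = $false
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $($user.SamAccountName)")) {
            try {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                $removed = $true
            }
            catch {
                Write-Warning "Failed on '$groupDn': $($_.Exception.Message)"
            }
        }
        # One audit row per membership, whether or not it was removed
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString("s")
            User      = $user.SamAccountName
            UserGuid  = $user.ObjectGUID
            GroupDN   = $groupDn
            Removed   = $removed
        }
    }
}

# -WhatIf:$false so the audit file is still written during a dry run
if ($audit) {
    $audit | Export-Csv -Path $AuditPath -NoTypeInformation -WhatIf:$false
}
```

Run it with -WhatIf first: every membership that would be removed is written to the audit file with Removed set to False, and nothing is changed in AD.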
Wednesday, September 11, 2013 12:37 PM ✅Answered
You can read this Powershell Tutorial to get an understanding of Powershell itself. That tutorial is for version 2 of PS, I have not ventured out to PS v3 yet.
To learn the AD cmdlets, you can do the following to list all AD cmdlets:

    # Need to import the module in order to have access
    # to the AD cmdlets
    Import-Module ActiveDirectory
    # List all AD cmdlets
    Get-Command *-AD*

You can then look at the list of available cmdlets, if you see something that may interest you, read the help file for the cmdlet to understand its usage:

    Get-Help <cmdlet name> -Detailed

The -Detailed switch will make sure to give you a very detailed overview of the cmdlet.
If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.
Tuesday, September 10, 2013 12:57 PM
Ask a search engine the question and you'll get an answer:
http://stackoverflow.com/questions/11364238/remove-groups-from-member-of-tab-from-user-properties
Don't retire TechNet! - (Maybe there's still a chance for hope, over 11,610+ strong and growing)
Tuesday, September 10, 2013 1:40 PM
Hi,
use this script:
    $allusers=get-aduser -filter *
    foreach ($user in $allusers)
    {
        $dgs = get-adgroup -Filter * |? {$_.name -ne "Domain Users" } | ? {(Get-ADGroupMember -Identity $_ | ? {$_.name -eq "$user"})} | select -ExpandProperty name
        foreach ($dg in $dgs)
        {
            Remove-ADGroupMember -identity $dg -members $user -confirm:$false
        }
    }
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. MCITP - Exchange 2010 | MCITP - Windows Server 2008 R2
Tuesday, September 10, 2013 1:47 PM
Hi,
use this script:
    $allusers=get-aduser -filter *
    foreach ($user in $allusers)
    {
        $dgs = get-adgroup -Filter * |? {$_.name -ne "Domain Users" } | ? {(Get-ADGroupMember -Identity $_ | ? {$_.name -eq "$user"})} | select -ExpandProperty name
        foreach ($dg in $dgs)
        {
            Remove-ADGroupMember -identity $dg -members $user -confirm:$false
        }
    }
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. MCITP - Exchange 2010 | MCITP - Windows Server 2008 R2
This will work, but it will remove all group memberships for every single user in AD. I recommend caution here.
Don't retire TechNet! - (Maybe there's still a chance for hope, over 11,610+ strong and growing)
Tuesday, September 10, 2013 2:10 PM
Yeah, it will remove all users' memberships.
We need to modify here:
    get-aduser -filter { }
OR
we need to prompt for a user name and store it in a variable, like this:
    $username=read-host "Enter the user name :"
then some modification will be required in the above script.
OR,
we can make a .csv file listing all users for which we have to remove group membership, like this:
    $alluser=import-csv c:\users.csv
then proceed with the above script.
Many options, but we need to design the script as per our need.
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. MCITP - Exchange 2010 | MCITP - Windows Server 2008 R2
Tuesday, September 10, 2013 3:26 PM
Hi
The above script is not working for me.
I have the users list in a csv file and it's not removing the MemberOf of the users mentioned in the csv file.
Tuesday, September 10, 2013 3:32 PM
Hi
The above script is not working for me.
I have the users list in a csv file and it's not removing the MemberOf of the users mentioned in the csv file.
Please post your entire script. Everything above does not take input.
Are you looking to have someone do this work for you or do you have a specific question?
Don't retire TechNet! - (Maybe there's still a chance for hope, over 11,610+ strong and growing)
Tuesday, September 10, 2013 3:47 PM
Well, I need to do the tasks below with PowerShell:
1# DISABLE THE USER ACCOUNT and MOVE USER TO A DISABLED OU.
    Import-Csv .\user.csv | % {Disable-ADAccount -Identity $_; Get-ADUser $_ | Move-ADObject -TargetPath "OU=Permanent,OU=Disabled,OU=techno,OU=HR,DC=contoso,DC=com"}
2# REMOVE USERS MEMBERS FROM ALL GROUPS EXCEPT DOMAIN USER
3# ADD A GROUP TO THE USER
I have disabled the user and moved it into the disabled OU.
Now I need points 2 and 3.
Tuesday, September 10, 2013 3:47 PM
Hi
The above script is not working for me.
I have the users list in a csv file and it's not removing the MemberOf of the users mentioned in the csv file.
Which script are you using?
Post your entire script here.
The script in my first post is working fine without any issue.
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. MCITP - Exchange 2010 | MCITP - Windows Server 2008 R2
Tuesday, September 10, 2013 3:58 PM
The link I initially posted does #2, have you looked at it? For #3, use Add-ADGroupMember.
http://technet.microsoft.com/en-us/library/ee617210.aspx
Don't retire TechNet! - (Maybe there's still a chance for hope, over 11,610+ strong and growing)
Wednesday, September 11, 2013 8:55 AM
Hi Clayman
Thanks for your help and for creating the script for me.
It's working like a charm.
You helped me a lot.
I want to learn PowerShell like you in terms of AD.
Please guide me or provide me coaching for 1 hour.
I am very eager for PowerShell.
Wednesday, September 11, 2013 12:49 PM
There's good learning resources here too:
http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx
Don't retire TechNet! - (Maybe there's still a chance for hope, over 11,760+ strong and growing)
Thursday, October 20, 2016 8:31 AM
Hi, how can I modify this script to remove groups including Domain Users and put the user in a new group set by me?
Thanks a lot!
Friday, October 21, 2016 7:40 AM
Thanks for the prompt answer. In my case there are some users that have another group set as primary, and I need to remove them from that group.
Thanks for the explanation.