How do I automate group removal for old/disabled users?

green

As a best practice, when a user leaves the company, rather than just disabling the account I like to strip away all group memberships (security and distribution). Of course, you never know when you might need to know which access groups or distribution lists they were a member of, so this script records that without compromising the primary goal of removing the user from all groups.

This first block of code will export all group memberships to a file in c:\temp and remove that user from all groups (except Domain Users). Ensure you change the $username variable in the script to the correct name. The output text file will be named after their username (e.g. user-y.txt), and progress is printed to the screen for each group removed as "removed User X from Accounting_Users".


This second block of code will read from a previously exported group membership list (like the one produced above) and add those group memberships to a user you define. Useful when User X replaces User Y. Progress of the group changes is printed to the screen as "added User X to Accounting_Users".

Ensure you set the $username variable in this script to the new username that you want to add groups to, and change the $oldgroupfile variable to point to the text file of groups that was previously exported.
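The two scripts described above are not reproduced on this page, so here is an added PowerShell example (my own code, not the original post's script) that implements both steps as functions: one that exports a user's group memberships to c:\temp\<username>.txt and removes them from every group, and one that re-applies a saved list to another user. It assumes the ActiveDirectory module (RSAT) is installed and that the caller has rights to modify group membership; the function names and the -Confirm:$false handling are my choices, not the post's.

```powershell
# Added example, not the original post's script.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can edit groups.
Import-Module ActiveDirectory

function Export-AndRemoveGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # sAMAccountName of the leaver
        [string] $OutputFolder = 'C:\temp'           # where <username>.txt is written
    )
    # Get-ADUser -Identity throws a clear "cannot find an object" error if the
    # account does not exist, so a bad $UserName never reaches Remove-ADGroupMember.
    $user    = Get-ADUser -Identity $UserName -Properties MemberOf
    $outFile = Join-Path $OutputFolder ("{0}.txt" -f $UserName)

    # Record every group DN first, so access can be reconstructed later.
    $user.MemberOf | Set-Content -Path $outFile

    foreach ($groupDn in $user.MemberOf) {
        $group = Get-ADGroup -Identity $groupDn
        # MemberOf never lists the primary group (Domain Users by default), so it is
        # preserved automatically; this name check is a belt-and-braces guard.
        if ($group.Name -eq 'Domain Users') { continue }
        # -Confirm:$false suppresses the per-group prompt; drop it to confirm each removal.
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        Write-Host ("removed {0} from {1}" -f $UserName, $group.Name)
    }
    return $outFile
}

function Import-GroupMembership {
    param(
        [Parameter(Mandatory)] [string] $UserName,      # sAMAccountName of the replacement
        [Parameter(Mandatory)] [string] $OldGroupFile   # file written by the export above
    )
    $user = Get-ADUser -Identity $UserName
    # Skip blank lines so an empty trailing line does not become a null -Identity.
    foreach ($groupDn in (Get-Content -Path $OldGroupFile | Where-Object { $_.Trim() })) {
        $group = Get-ADGroup -Identity $groupDn
        Add-ADGroupMember -Identity $group -Members $user
        Write-Host ("added {0} to {1}" -f $UserName, $group.Name)
    }
}

# Usage (names are placeholders):
# $file = Export-AndRemoveGroupMembership -UserName 'user-y'
# Import-GroupMembership -UserName 'user-x' -OldGroupFile $file
```

The export is written before any removal starts, so an error partway through the loop still leaves a complete record of the original memberships. Keep the exported file somewhere access-controlled: it is effectively a map of what the departed account could reach.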


7 Comments

  1. Davis

    This script helps me accomplish what I want
    to do. Thanks a lot for taking the time to write. Keep up the good work.

    Thank you

    Reply
  2. David Turner

    Is there a way to remove all users within a particular OU (e.g. “Old Users”) from all group memberships (except Domain Users)??

    Reply
    1. Kamal

      There sure is – using the script from above, you need to get all users from a specific OU with the SearchBase parameter in get-aduser, and loop through each user. EG:

      # -filter is required whenever -searchbase is used
      $users = get-aduser -filter * -searchbase "ou=OldUsers,DC=kamal,DC=local";

      foreach ($user in $users) {

          $username = $user.samaccountname;

          ### Insert group removal script from above that loops through all groups that this user belongs to
      }

      Reply
    1. Kamal

      Definitely. Use this to disable the account:

      disable-adaccount -identity $user.samaccountname;

      For logging, it really depends on how much detail you want to put in. Figure out what you want in the log file at any particular step and assign it to a variable. Eg:

      $timestamp = get-date;
      $logoutput = "User: " + $user.samaccountname + " disabled on " + $timestamp;

      Then send (append) that data to a file with (making sure you’re within the same foreach loop):

      $logoutput >> c:\log\mylogfile.txt;

      Reply
  3. pavan

    Hi,

    When I run the first script, I am getting the below error:
    Remove-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

    Could you please assist here?

    Reply
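Kamal's replies above sketch three separate pieces (enumerate an OU, disable each account, append a timestamped line to a log file). The following added example (my own code, not Kamal's or the post's) joins them into one function with -WhatIf support, so the whole OU can be dry-run before anything is changed. The OU path and log path are placeholders, and the function name is my choice.

```powershell
# Added example, not the original post's or the commenter's script.
# Assumes the ActiveDirectory module is installed; OU and log paths are placeholders.
Import-Module ActiveDirectory

function Disable-StaleUsersInOu {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,           # e.g. 'OU=Old Users,DC=example,DC=local'
        [string] $LogFile = 'C:\log\mylogfile.txt'             # folder must already exist
    )
    # -Filter is mandatory whenever -SearchBase is supplied.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties MemberOf

    foreach ($user in $users) {
        $name      = $user.SamAccountName
        $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

        # MemberOf excludes the primary group (Domain Users), so that membership stays intact.
        foreach ($groupDn in $user.MemberOf) {
            if ($PSCmdlet.ShouldProcess($groupDn, "Remove $name")) {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
                # Log the full DN so the membership can be rebuilt from the log later.
                "User: $name removed from $groupDn on $timestamp" | Add-Content -Path $LogFile
            }
        }

        if ($PSCmdlet.ShouldProcess($name, 'Disable account')) {
            Disable-ADAccount -Identity $user
            "User: $name disabled on $timestamp" | Add-Content -Path $LogFile
        }
    }
}

# Dry run first: prints every removal and disable it would perform, changes nothing.
# Disable-StaleUsersInOu -SearchBase 'OU=Old Users,DC=example,DC=local' -WhatIf
# Real run:
# Disable-StaleUsersInOu -SearchBase 'OU=Old Users,DC=example,DC=local'
```

Because every user comes from Get-ADUser and every group DN from that user's own MemberOf, nothing null is ever passed as -Identity; an account that has already been removed from all groups simply produces no removal lines in the log.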
