How do I automate group removal for old/disabled users?


As a best practice, when a user leaves the company, other than just disabling the account I like to strip away all group memberships (security and distribution).  Of course, you never know when you might need to know what access groups or distribution lists they were a member of, so this script fixes that without compromising the primary goal of removing the user from all groups.

This first block of code will export all group memberships to a file in c:\temp and remove that user from all groups (except Domain Users). Ensure you change the $username variable in the script to the correct name. The output text file will be the same as their username (eg: user-y.txt) and progress is printed to the screen for each group removed as “removed User X from Accounting_Users”.



This second block of code will read from a previously exported group membership list (like was performed above) and add these group memberships to a user you define.  Useful when User X replaces User Y.  Progress of the group changes is printed to the screen as “added User X to Accounting_Users”.

Ensure you set the correct $username variable in this script to be the new username that you want to add groups to. And also change the $oldgroupfile variable to point to the text file of groups that was previously exported.


9 Comments How do I automate group removal for old/disabled users?

  1. Davis

    This script helps me accomplish what I want
    to do. Thanks a lot for taking the time to write. Keep up the good work.

    Thank you

  2. David Turner

    Is there a way to remove all users within a particular OU (e.g. “Old Users”) from all group memberships (except Domain Users)??

    1. Kamal

      There sure is – using the script from above, you need to get all users from a specific OU with the SearchBase parameter in get-aduser, and loop through each user. EG:

      $users = get-aduser -searchbase “ou=OldUsers,DC=kamal,DC=local”;

      foreach ($user in $users) {

      $username = $user.samaccountname;

      ### Insert group removal script from above that loops through all groups that this user belongs to

      1. Harry Powell

        When i do this i find that the $Username variable isnt passed through to the remove AD group member. I am doing the following:

        $csvFile = “C:\scripts\Balmoral\test.csv”

        Import-Csv $csvFile | ForEach-Object {

        $users = Get-ADUser -Identity $_.SamAccountName


        foreach ($user in $users) {

        $username = $user.samaccountname;

        # Get all group memberships
        $groups = Get-ADPrincipalGroupMembership $username

        foreach ($group in $groups) {

        # Exclude Domain Users group
        if ($ -ne “domain users”) {

        # Remove user from group
        Get-ADGroup $group | Remove-ADGroupMember $username -WhatIf;

        # Write progress to screen
        Write-Host “removed” $username “from” $;




        The error/message is:

        cmdlet Remove-ADGroupMember at command pipeline position 2
        Supply values for the following parameters:

        Do you know why?

        1. Kamal

          A lot going on here.
          I would start with checking the contents of $users (to make sure they are objects and contain the correct data from AD). There may be problems with your original CSV file – hard to say without seeing the contents.
          Maybe remove the CSV and test it with just a single user account (to make sure the second half of the script works as expected)?

    1. Kamal

      Definitely. Use this to disable the account:

      disable-adaccount -identity $user.samaccountname;

      For logging, it really depends on how much detail you want to put in. Figure out what you want in the log file at any particular step and assign it to a variable. Eg:

      $logoutput = “User: ” + $user.samaccountname + ” disabled on ” + $timestamp;

      Then send (append) that data to a file with (making sure you’re within the same foreach loop):

      $logoutput >> c:\log\mylogfile.txt;

  3. pavan


    when i run the first script, am getting below error:
    Remove-ADGroupMember : Cannot validate argument on parameter ‘Identity’. The argument is null. Supply a non-null argument and try the command again.

    COuld you please assist here


Leave a Reply

Your email address will not be published. Required fields are marked *