As a best practice, when a user leaves the company, other than just disabling the account I like to strip away all group memberships (security and distribution). Of course, you never know when you might need to know what access groups or distribution lists they were a member of, so this script fixes that without compromising the primary goal of removing the user from all groups.
This first block of code will export all group memberships to a file in c:\temp and remove that user from all groups (except Domain Users). Ensure you change the $username variable in the script to the correct name. The output text file will be the same as their username (eg: user-y.txt) and progress is printed to the screen for each group removed as “removed User X from Accounting_Users”.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
# Username of person to be removed $username = "user-y"; # Get all group memberships $groups = get-adprincipalgroupmembership $username; # Loop through each group foreach ($group in $groups) { # Exclude Domain Users group if ($group.name -ne "domain users") { # Remove user from group get-adgroup $group | remove-adgroupmember $username; # Write progress to screen write-host "removed" $username "from" $group.name; # Define and save group names into filename in c:\temp\username $grouplogfile = "c:\temp\" + $username + ".txt"; $group.name >> $grouplogfile } } |
This second block of code will read from a previously exported group membership list (like was performed above) and add these group memberships to a user you define. Useful when User X replaces User Y. Progress of the group changes is printed to the screen as “added User X to Accounting_Users”.
Ensure you set the correct $username variable in this script to be the new username that you want to add groups to. And also change the $oldgroupfile variable to point to the text file of groups that was previously exported.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
# Username of new user, to which you want to add groups to $username = "user-x"; # Location of old dump of group names (one per line) $oldgroupfile = "c:\temp\user-y.txt"; # get contents of group dump file $groups = get-content $oldgroupfile; # Loop through each entry/group name in the file foreach ($groupname in $groups) { # Add new user to the group get-adgroup $groupname | add-adgroupmember -members $username; # Write progress to screen write-host "added" $username "to" $groupname; } |
This script helps me accomplish what I want
to do. Thanks a lot for taking the time to write. Keep up the good work.
Thank you
Is there a way to remove all users within a particular OU (e.g. “Old Users”) from all group memberships (except Domain Users)??
There sure is – using the script from above, you need to get all users from a specific OU with the SearchBase parameter in get-aduser, and loop through each user. EG:
$users = get-aduser -searchbase “ou=OldUsers,DC=kamal,DC=local”;
foreach ($user in $users) {
$username = $user.samaccountname;
### Insert group removal script from above that loops through all groups that this user belongs to
}
When i do this i find that the $Username variable isnt passed through to the remove AD group member. I am doing the following:
$csvFile = “C:\scripts\Balmoral\test.csv”
Import-Csv $csvFile | ForEach-Object {
$users = Get-ADUser -Identity $_.SamAccountName
}
foreach ($user in $users) {
$username = $user.samaccountname;
# Get all group memberships
$groups = Get-ADPrincipalGroupMembership $username
foreach ($group in $groups) {
# Exclude Domain Users group
if ($group.name -ne “domain users”) {
# Remove user from group
Get-ADGroup $group | Remove-ADGroupMember $username -WhatIf;
# Write progress to screen
Write-Host “removed” $username “from” $group.name;
}
}
}
The error/message is:
cmdlet Remove-ADGroupMember at command pipeline position 2
Supply values for the following parameters:
Members[0]:
Do you know why?
A lot going on here.
I would start with checking the contents of $users (to make sure they are objects and contain the correct data from AD). There may be problems with your original CSV file – hard to say without seeing the contents.
Maybe remove the CSV and test it with just a single user account (to make sure the second half of the script works as expected)?
Is there a way to remove the groups, disable the user, then put it a log file or csv?
Definitely. Use this to disable the account:
disable-adaccount -identity $user.samaccountname;
For logging, it really depends on how much detail you want to put in. Figure out what you want in the log file at any particular step and assign it to a variable. Eg:
$logoutput = “User: ” + $user.samaccountname + ” disabled on ” + $timestamp;
Then send (append) that data to a file with (making sure you’re within the same foreach loop):
$logoutput >> c:\log\mylogfile.txt;
HI,
when i run the first script, am getting below error:
Remove-ADGroupMember : Cannot validate argument on parameter ‘Identity’. The argument is null. Supply a non-null argument and try the command again.
COuld you please assist here
Sorry – typo in the script – fixed now. Give it another go.
hi,
I’m using this code to strip users from all groups but is there a way to remove users from just 2 groups say ‘GroupA’ and ‘GroupB’?
$Users = Get-ADUser -Filter * -SearchBase “OU=Disabled_Accounts,OU=Sale Staff,DC=XXX,DC=YYY,DC=ZZZ” -Properties MemberOf
$Users | Foreach-Object {
$Groups = $_.MemberOf
foreach ($Group in $Groups) {
Remove-ADGroupMember $Group -Member $_ -Confirm:$True
}
}
Sure thing. There are a few ways to do it, but using your code, put an if statement around the remove-adgroupmember command.
EG:
foreach ($group in $groups) {
if (($group -eq “cn=GroupA,OU=Groups,DC=XXX,DC=YYY,DC=ZZZ”) -or ($group -eq “cn=GroupB,OU=Groups,DC=XXX,DC=YYY,DC=ZZZ”)) {
remove-adgroupmember $group -member $_ -confirm:$true
}
}