Remove AD group members from incorrect groups

This topic contains 3 replies, has 2 voices, and was last updated by  Rob Simmers 4 years, 4 months ago.

  • #9470

    thickgit
    Participant

    Oops!

    We have about 500 receptionists spread across our various external branches. All receptionists are members of the 'Receptionists' AD group.

    Some dimwit (not me!) managed to add about half of the receptionists to another Active Directory group which will give them access to some VERY sensitive information. Heads will definitely roll if this gets out.

    So, as it stands, we have about 250 receptionists who are members of the 'Receptionists' group and also members of the 'Sensitive' group.

    I need to get the 250 receptionists out of the 'Sensitive' group.

    Can anyone help?

    Cheers.

    TG

  • #9473

    Rob Simmers
    Participant

    There are a couple of ways of doing it, but it would depend on what attributes you have in AD. Try something like this (not tested):


    # Requires the Quest AD cmdlets (ActiveRoles Management Shell snap-in)
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
    # Collect the members of the good group
    $good = Get-QADGroupMember -Identity ReceptionistGroup
    # Collect the members of the bad group
    $bad = Get-QADGroupMember -Identity SensitiveGroup
    # Compare the good group to the bad and keep only users that are members of both groups,
    # then loop through and remove them from the bad group
    Compare-Object $good $bad -Property Name -ExcludeDifferent -IncludeEqual |
        ForEach-Object { Remove-QADGroupMember -Identity SensitiveGroup -Member $_.Name }

  • #9481

    thickgit
    Participant

    Rob,

    Thank you very much for that. Unfortunately I don't have the Quest AD Commandlets installed, but I was able to adapt your excellent suggestion to generate a csv list of 'offending' accounts, using just the regular Active Directory module commandlets.

    Fortunately (thanks to you) I've discovered that there were a number of test accounts and also disabled accounts on the list, so the overall figure is considerably less than I originally thought. Only (?!) 143 users across the estate have (had) access to the very sensitive information (patient medical history).

    We've removed a handful of users to check there are no adverse effects (nobody seems to know how or why they got added in the first place). Then I'll proceed with the last part of your snippet to remove the rest.

    Thanks again for your help. This would have been classed as a major security breach.
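The approach described in the post above (report first, then remove) using only the regular ActiveDirectory module, as an added example that is not code posted by either participant. The group names are the ones given in the thread; the CSV path and variable names are assumptions, and the removal runs with -WhatIf until the report has been reviewed.

```powershell
# Added example: ActiveDirectory module (RSAT) instead of the Quest cmdlets.
Import-Module ActiveDirectory

$goodGroup = 'Receptionists'             # group name from the thread
$badGroup  = 'Sensitive'                 # group name from the thread
$report    = '.\sensitive-overlap.csv'   # assumed output path

# Direct user members only. A user who reaches $badGroup through a nested
# group is not listed here and cannot be removed from it directly.
$good = Get-ADGroupMember -Identity $goodGroup | Where-Object { $_.objectClass -eq 'user' }
$bad  = Get-ADGroupMember -Identity $badGroup  | Where-Object { $_.objectClass -eq 'user' }

# Match on distinguishedName, which is unique, rather than Name, which is not.
$goodDns = @{}
foreach ($m in $good) { $goodDns[$m.distinguishedName] = $true }
$overlap = @($bad | Where-Object { $goodDns.ContainsKey($_.distinguishedName) })

# Build the review list. Enabled lets test and disabled accounts be told
# apart from live users before anything is changed.
$rows = @(foreach ($m in $overlap) {
    $u = Get-ADUser -Identity $m.distinguishedName
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Name              = $u.Name
        Enabled           = $u.Enabled
        DistinguishedName = $u.DistinguishedName
    }
})

if ($rows.Count -eq 0) {
    Write-Output "No user is a direct member of both '$goodGroup' and '$badGroup'."
    return
}

$rows | Export-Csv -Path $report -NoTypeInformation
Write-Output ("{0} overlapping accounts written to {1} ({2} enabled)" -f `
    $rows.Count, $report, @($rows | Where-Object { $_.Enabled }).Count)

# Dry run: prints what would be removed. Delete -WhatIf once the CSV is signed off.
Remove-ADGroupMember -Identity $badGroup -Members $rows.DistinguishedName `
    -Confirm:$false -WhatIf

# After the real run, re-check: this should print 0.
$left = @(Get-ADGroupMember -Identity $badGroup |
    Where-Object { $goodDns.ContainsKey($_.distinguishedName) })
Write-Output ("Overlap remaining: {0}" -f $left.Count)
```

A removed user keeps the group in their existing logon token until they log off and on again, so access does not end at the moment the membership is changed. Keep the CSV as the record of who had access.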

  • #9482

    Rob Simmers
    Participant

    Glad you were able to figure it out with the example provided.
