Remove all AD group membership for one user except domain user

This topic contains 6 replies, has 4 voices, and was last updated by  David Schmidtberger 5 months ago.

  • #67341

    Siddra
    Participant

    Hi

    I am looking for a PowerShell command to remove all AD group membership for one user except domain user.

    I have found the below code, but it uses Quest cmdlets, which I'm not sure what they are.

    Get-QADUser -samaccountName *type-in-username-here* | Remove-QADMemberOf -RemoveAll
    For example: Get-QADUser -samaccountName SmithJ | Remove-QADMemberOf -RemoveAll

    I want to amend the above code to remove all groups except domain users. I have looked and researched everywhere but cannot seem to find anything.

  • #67342

    Graham Beer
    Participant

    Hi,

    These are the Quest AD module, right? I've not used them for a while, so I can't remember if they have a 'Filter' parameter. But you can use a where clause. This is pseudocode, but something like this:

    Get-QADUser -samaccountName * | 
        where {$_ -ne "Domain User"} | 
        Remove-QADMemberOf -RemoveAll
    
  • #67375

    Ron
    Participant

    Assuming you want to use the ActiveDirectory cmdlets instead of Quest.

    Untested:

    Get-ADUser "SamAccountName" -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member "SamAccountName"}

    Domain Users is not part of MemberOf.

  • #70988

    Siddra
    Participant

    Get-ADUser "SamAccountName" -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member "SamAccountName"}

    Where it says samaccountname do I need to substitute it for a user i.e.

    Get-ADUser "j.bloggs" -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member "j.bloggs"}

    And how would I do it for multiple users based on a CSV file with one column containing a list of samaccountnames?

    Thanks

  • #71032

    David Schmidtberger
    Participant

    Well, I've had to implement something similar. It's been quite a while since I've dealt with it, but here is a snippet of what I have.

    Assuming you have a CSV file with just a single column, with a header of networkid, you could use the following:

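    # input.csv has a single column with the header "networkid"
    $users = Import-Csv input.csv
    foreach ($user in $users)
    {
        # All groups the user belongs to, including the primary group
        $adgroups = Get-ADPrincipalGroupMembership -Identity $user.networkid
        foreach ($singlegroup in $adgroups)
        {
            # Leave Domain Users in place; remove every other membership
            if ($singlegroup.SamAccountName -notlike "*Domain Users*")
            {
                Remove-ADPrincipalGroupMembership -Identity $user.networkid -MemberOf $singlegroup.SamAccountName -Confirm:$false
            }
        }
    }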
    
  • #71072

    Siddra
    Participant

    Thanks David – I'll give that a go.

    $user.networkid – what do you mean by the network id?

  • #71083

    David Schmidtberger
    Participant

    networkid just refers to the header of the CSV...
    You can change that to whatever the header of your CSV is.
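
The CSV approach from the replies above, written as a script with a dry run and an audit trail. This is an added example, not code posted by anyone in the thread. It goes one step beyond the thread by keeping whatever the user's primary group is (matched by SID) rather than matching the name "Domain Users"; the file names `input.csv` and `removed-memberships.csv` and the parameter names are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumed: a CSV with a "networkid" header
# (as in the post above) and an audit file name chosen for illustration.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath  = 'input.csv',
    [string]$AuditLog = 'removed-memberships.csv'
)

foreach ($row in Import-Csv -Path $CsvPath) {
    try {
        $user = Get-ADUser -Identity $row.networkid -Properties primaryGroupID -ErrorAction Stop

        # The primary group's SID is the domain SID plus the RID held in primaryGroupID
        # (513 for Domain Users). Comparing SIDs does not depend on the group's name.
        $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID

        $groups = Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.SID.Value -ne $primarySid }

        foreach ($group in $groups) {
            # With -WhatIf, ShouldProcess returns $false and nothing is changed or logged.
            if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove $($user.SamAccountName)")) {
                Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group `
                    -Confirm:$false -ErrorAction Stop

                # Record each successful removal so it can be reviewed or reversed later.
                [pscustomobject]@{
                    Time     = (Get-Date).ToString('o')
                    User     = $user.SamAccountName
                    Group    = $group.DistinguishedName
                    GroupSid = $group.SID.Value
                } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
            }
        }
    }
    catch {
        # Unknown account or failed removal: report it and move on to the next row.
        Write-Warning "Problem with '$($row.networkid)': $($_.Exception.Message)"
    }
}
```

Run it with `-WhatIf` first to see which memberships would be removed without changing anything.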
