remove all ad group membership for one user except domain user

This topic contains 6 replies, has 4 voices, and was last updated by David Schmidtberger 1 month, 1 week ago.

  • #67341
    Siddra
    Participant

    Hi

    I am looking for a PowerShell command to remove all AD group membership for one user except Domain Users.

    I have found the below code, but it uses Quest cmdlets, which I'm not sure what they are.

    Get-QADUser -samaccountName *type-in-username-here* | Remove-QADMemberOf -RemoveAll
    For example: Get-QADUser -samaccountName SmithJ | Remove-QADMemberOf -RemoveAll

    I want to amend the above code to remove all groups except Domain Users. I have looked and researched everywhere but cannot seem to find anything.

  • #67342
    Graham Beer
    Participant

    Hi,

    These are the Quest AD module, right? I've not used them for a while so can't remember if they have a 'Filter' parameter. But you can use a where clause. This is pseudocode, but something like this:

    # List one user's groups, skip Domain Users, remove the user from the rest
    Get-QADMemberOf -Identity SmithJ | 
        where {$_.Name -ne "Domain Users"} | 
        foreach {Remove-QADGroupMember -Identity $_.DN -Member SmithJ}
    
  • #67375
    Ron
    Participant

    Assuming you want to use the ActiveDirectory cmdlets instead of Quest.

    Untested:

    Get-ADUser "SamAccountName" -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member "SamAccountName"}

    Domain Users is not part of MemberOf.

  • #70988
    Siddra
    Participant

    Get-ADUser "SamAccountName" -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member "SamAccountName"}

    Where it says SamAccountName, do I need to substitute it for a user, i.e.

    Get-ADUser "j.bloggs" -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member "j.bloggs"}

    And how would I do it for multiple users based on a CSV file with one column containing a list of SamAccountNames?

    Thanks

  • #71032
    David Schmidtberger
    Participant

    Well, I've had to implement something similar. It's been quite a while since I've dealt with it, but here is a snippet of what I have.

    Assuming you have a CSV file with just a single column, with a header of networkid, you could use the following:

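    # Read the CSV; each row's networkid column holds a SamAccountName
    $users = Import-Csv input.csv
    foreach ($user in $users)
    {
        # Returns every group the user belongs to, including the primary group
        $adgroups = Get-ADPrincipalGroupMembership -Identity $user.networkid
        foreach ($singlegroup in $adgroups)
        {
            # Leave Domain Users in place; remove the user from everything else
            if ($singlegroup.SamAccountName -notlike "*Domain Users*")
            {
                Remove-ADPrincipalGroupMembership -Identity $user.networkid -MemberOf $singlegroup.SamAccountName -Confirm:$false
            }
        }
    }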
    
  • #71072
    Siddra
    Participant

    Thanks David – I'll give that a go.

    $user.networkid – what do you mean by the network id?

  • #71083
    David Schmidtberger
    Participant

    networkid just refers to the header of the CSV...
    You can change that to whatever the header of your CSV is.
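
An added example, not code from any of the posters above: the bulk removal discussed in this thread written as a script that supports a `-WhatIf` dry run and records every membership it strips, so an offboarding change can be reviewed and rolled back. It relies on the point made earlier that MemberOf does not list the primary group (normally Domain Users). The parameter names, the `removed-memberships.csv` audit file and the single-domain assumption are illustrative; the `networkid` header is the one used in the thread.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$CsvPath,             # one column, header 'networkid'
    [string]$AuditPath = '.\removed-memberships.csv'    # assumed name for the rollback record
)

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains 'networkid') {
    throw "CSV '$CsvPath' is empty or has no 'networkid' header."
}

$audit = foreach ($row in $rows) {
    $id = "$($row.networkid)".Trim()
    if (-not $id) { continue }                          # skip blank lines in the CSV

    try {
        # Resolve the account first so a typo in the CSV never reaches a removal call
        $user = Get-ADUser -Identity $id -Properties MemberOf -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$id': $($_.Exception.Message)"
        continue
    }

    # MemberOf holds group DNs and never includes the primary group,
    # so Domain Users is left alone without any name matching.
    # Assumption: all groups live in the same domain as the user.
    foreach ($groupDn in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $($user.SamAccountName)")) {
            try {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                # Emit one audit row per successful removal
                [pscustomobject]@{
                    When    = (Get-Date).ToString('s')
                    User    = $user.SamAccountName
                    GroupDN = $groupDn
                }
            } catch {
                Write-Warning "Could not remove '$id' from '$groupDn': $($_.Exception.Message)"
            }
        }
    }
}

if ($audit) { $audit | Export-Csv -Path $AuditPath -NoTypeInformation -Append }
```

Run it with `-WhatIf` first to list the removals without making them; the audit CSV gives the user and group pairs needed to restore access with Add-ADGroupMember.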
