March 27, 2017 at 11:02 am

Hi

I am looking for a PowerShell command to remove all AD group membership for one user except Domain Users.

I have found the below code, but it uses Quest cmdlets, which I'm not sure what they are.

Get-QADUser -samaccountName *type-in-username-here* | Remove-QADMemberOf -RemoveAll
For example: Get-QADUser -samaccountName SmithJ | Remove-QADMemberOf -RemoveAll

I want to amend the above code to remove all groups except Domain Users. I have looked and researched everywhere but cannot seem to find anything.

March 27, 2017 at 11:21 am

Hi,

These are the Quest AD module, right? I've not used them for a while, so I can't remember if they have a 'Filter' parameter. But you can use a where clause. This is pseudocode, but something like this:

Get-QADUser -samaccountName * | 
    where {$_ -ne "Domain User"} | 
    Remove-QADMemberOf -RemoveAll

March 27, 2017 at 1:10 pm

Assuming you want to use the ActiveDirectory cmdlets instead of Quest.

Untested:

Get-ADUser "SamAccountName" -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members "SamAccountName" }

Domain Users is not part of MemberOf.

May 18, 2017 at 12:44 pm

Get-ADUser "SamAccountName" -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members "SamAccountName" }

Where it says SamAccountName, do I need to substitute it for a user, i.e.

Get-ADUser "j.bloggs" -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members "j.bloggs" }

And how would I do it for multiple users based on a CSV file with one column containing a list of samaccountnames?

Thanks

May 18, 2017 at 8:27 pm

Well, I've had to implement something similar. It's been quite a while since I've dealt with it, but here is a snippet of what I have.

Assuming you have a CSV file with just a single column, with a header of networkid, you could use the following:

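# Read the list of accounts; the CSV has a single column headed "networkid"
$users = Import-Csv input.csv
foreach ($user in $users)
{
    # All groups the account belongs to, including its primary group
    $adgroups = Get-ADPrincipalGroupMembership -Identity $user.networkid
    foreach ($singlegroup in $adgroups)
    {
        # Leave Domain Users alone and remove the account from everything else
        if ($singlegroup.SamAccountName -notlike "*Domain Users*")
        {
            Remove-ADPrincipalGroupMembership -Identity $user.networkid -MemberOf $singlegroup.SamAccountName -Confirm:$false
        }
    }
}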
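
An added example, not code from any poster in this thread: the same CSV-driven removal, wrapped so it can be previewed with -WhatIf and so every removed membership is written to a file for audit and rollback. The function name and the backup file name are hypothetical; the CSV header networkid is taken from the post above.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions: a CSV with a 'networkid' header (as in the post
# above); the function name and the backup file name are hypothetical.
function Remove-UserGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$BackupPath = '.\removed-memberships.csv'
    )

    foreach ($row in Import-Csv -Path $CsvPath) {
        try {
            # PrimaryGroup is normally Domain Users; AD refuses removal from it.
            $user = Get-ADUser -Identity $row.networkid -Properties PrimaryGroup -ErrorAction Stop
            $groups = Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop |
                Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
        }
        catch {
            # A typo in the CSV must not stop the run or touch another account.
            Write-Warning "Skipping '$($row.networkid)': $($_.Exception.Message)"
            continue
        }

        foreach ($group in $groups) {
            if ($PSCmdlet.ShouldProcess($group.SamAccountName, "Remove $($user.SamAccountName)")) {
                try {
                    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -Confirm:$false -ErrorAction Stop
                    # Record only what was actually removed, so it can be restored.
                    [pscustomobject]@{
                        Timestamp = (Get-Date).ToString('o')
                        User      = $user.SamAccountName
                        GroupDN   = $group.DistinguishedName
                    } | Export-Csv -Path $BackupPath -Append -NoTypeInformation
                }
                catch {
                    Write-Warning "Failed: $($user.SamAccountName) / $($group.SamAccountName): $($_.Exception.Message)"
                }
            }
        }
    }
}

# Preview first, then run without per-group prompts:
# Remove-UserGroupMembership -CsvPath .\input.csv -WhatIf
# Remove-UserGroupMembership -CsvPath .\input.csv -Confirm:$false
```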

May 19, 2017 at 7:15 am

Thanks David – I'll give that a go.

$user.networkid – what do you mean by the network id?

May 19, 2017 at 12:01 pm

networkid just refers to the header of the CSV...
You can change that to whatever the header of your CSV is.