Removing specific groups from AD users

This topic contains 0 replies, has 1 voice, and was last updated by Forums Archives 5 years, 6 months ago.

  • #6316

    by siliconron at 2013-04-04 14:04:18

    Hello everyone,

    I have been wracking my brain on this script all day. Here is the background. I have an OU that contains users whose group memberships I need to remove. This was not a problem when I wanted to remove all of the group memberships, but some decisions made above my head have changed this. I now need to remove all of the group memberships except a select few. I have tried so many ways to get this to work. Here is what I currently have. The problem seems to be the if($group -in $groups) statement. It is never true, even though the output of the else statement shows the group is listed in the groups variable. Once I get this working I believe I can figure out the rest. If you can think of a better approach to this then I am all ears. 😀

    Thank You!!


    # Groups to compare against: everything except the two that must stay.
    $groups = Get-ADGroup -Filter {name -ne "Domain Users" -and name -ne "prod_const-faculty"} | Format-Table -Property DistinguishedName

    # Users in the test OU, with their MemberOf attribute (a list of group DNs).
    $comusers = Get-ADUser -Filter * -SearchBase "OU=Test OU,DC=lc,DC=local" -Properties MemberOf

    foreach ($user in $comusers)
    {
        foreach ($group in $user.MemberOf)
        {
            if ($group -in $groups)
            { echo user $user.Name is in $group }
            else { echo $group is not in $groups for user $user.Name }
        }
    }

    by coderaven at 2013-04-04 18:35:11

    When you are storing data in a variable, do not format it, because at that point you are storing formatting data and not the objects.
    $groups = Get-ADGroup -Filter {name -ne "Domain Users" -and name -ne "prod_const-faculty"} | Select-Object DistinguishedName
    $comusers = Get-ADUser -Filter * -SearchBase "OU=Test OU,DC=lc,DC=local" -Properties MemberOf
    foreach ($user in $comusers)
    {
        foreach ($group in $user.MemberOf)
        {
            # $group is a plain DN string from MemberOf, so compare it against the
            # DistinguishedName values of $groups (member enumeration, PowerShell 3.0+).
            if ($groups.DistinguishedName -contains $group)
            { Write-Host user $user.Name is in $group }
            else { Write-Host $group is not in $groups for user $user.Name }
        }
    }

    I have not tested that but it should get you pretty close.
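The formatting pitfall coderaven describes, as an added example that is not part of the thread: constructed sample objects stand in for Get-ADGroup output, so it runs without a domain, and the comments show what each comparison evaluates to.

```powershell
# Added example: why formatted output and wrapped properties break DN membership tests.
# The sample groups and the MemberOf entry below are constructed, not real directory data.
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Domain Users'; DistinguishedName = 'CN=Domain Users,CN=Users,DC=lc,DC=local' }
    [pscustomobject]@{ Name = 'Finance';      DistinguishedName = 'CN=Finance,OU=User Groups,DC=lc,DC=local' }
    [pscustomobject]@{ Name = 'Helpdesk';     DistinguishedName = 'CN=Helpdesk,OU=User Groups,DC=lc,DC=local' }
)
# What $user.MemberOf yields for each group: a plain DN string.
$memberOfEntry = 'CN=Finance,OU=User Groups,DC=lc,DC=local'

# 1. Format-Table emits formatting records, not the objects that went in.
$formatted = $sampleGroups | Format-Table -Property DistinguishedName
($formatted | Select-Object -First 1).GetType().FullName
# Microsoft.PowerShell.Commands.Internal.Format.FormatStartData (nothing resembling a group)
$formatted -contains $memberOfEntry      # False: no element is a string

# 2. Select-Object -Property keeps the value wrapped in an object, so a string
#    never equals an element; only the expanded property values match.
$wrapped = $sampleGroups | Select-Object -Property DistinguishedName
$wrapped -contains $memberOfEntry                     # False
$wrapped.DistinguishedName -contains $memberOfEntry   # True (member enumeration, PowerShell 3.0+)

# 3. -ExpandProperty gives bare strings, the natural shape for a DN lookup list.
$dns = $sampleGroups | Select-Object -ExpandProperty DistinguishedName
$dns -contains $memberOfEntry             # True
$dns -contains $memberOfEntry.ToUpper()   # True: -contains is case-insensitive, as DNs are
```

The last line matters when the lookup list comes from one source and the MemberOf values from another: DN case can differ between them, and -contains (like a HashSet built with an OrdinalIgnoreCase comparer) tolerates that, whereas a case-sensitive .Equals would not.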

    by siliconron at 2013-04-05 13:47:15

    Thank you Allen! I added the format command for testing at one point and then I completely overlooked it. :S

    It took a little bit of work today, but I got everything working as intended. Here is the script in case anyone finds it useful.
    Import-Module ActiveDirectory

    # Start timestamp; the timing lines at the end need it.
    $Start_Time = Get-Date

    # Every group the users may be removed from: all groups except those in the two
    # portal OUs and the four named groups that must be kept.
    $groups = Get-ADGroup -Filter * | Where-Object { $_.DistinguishedName -notlike "*OU=PortalProd,OU=User Groups,DC=lc,DC=local" -and $_.DistinguishedName -notlike "*OU=Portaltest,OU=User Groups,DC=lc,DC=local" -and $_.Name -ne "Domain Users" -and $_.Name -ne "Retirees" -and $_.Name -ne "Retired Employees" -and $_.Name -ne "EllucianTeam" } | Select-Object -Property DistinguishedName

    # Users to clean up, with their MemberOf attribute (group DNs).
    $comusers = Get-ADUser -Filter * -SearchBase "OU=Community Users,DC=lc,DC=local" -Properties MemberOf

    foreach ($user in $comusers)
    {
        foreach ($group in $user.MemberOf)
        {
            # $group is a DN string; compare it against the DN values of $groups.
            if ($groups.DistinguishedName -contains $group)
            {
                # "$user" stringifies the ADUser to its DistinguishedName.
                Remove-ADGroupMember -Identity "$group" -Members "$user" -Confirm:$false
                Write-Output "Removing $user from $group"
            }
        }
    }

    $End_Time = Get-Date
    $Elapsed  = New-TimeSpan -Start $Start_Time -End $End_Time
    $Minute   = $Elapsed.Minutes
    $Second   = $Elapsed.Seconds

    Write-Host Start at $Start_Time.ToString('T'), End At $End_Time.ToString('T'), Took About $Minute Minutes $Second Seconds
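The same clean-up written as an allowlist, as an added example that is not siliconron's script: instead of enumerating every group in the domain and subtracting the ones to keep, it resolves the groups that must survive, strips every other membership, supports -WhatIf for a dry run, and writes an audit CSV of what it removed. It assumes the ActiveDirectory module, an account permitted to modify group membership, and PowerShell 5.0 or later (for the HashSet constructor); the OU, group names and log path are placeholders.

```powershell
# Added example, not the thread's script: allowlist-based membership removal with
# dry-run support and an audit log. Names below are hypothetical placeholders.
Import-Module ActiveDirectory

function Remove-NonAllowedGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,   # OU whose users are processed
        [Parameter(Mandatory)] [string[]] $KeepGroup,    # groups that must survive (sAMAccountName or DN)
        [string] $LogPath = "$env:TEMP\group-cleanup-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Resolve the allowlist to DNs once. DNs are case-insensitive, so use an
    # OrdinalIgnoreCase set rather than -contains over an object array.
    $keep = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $KeepGroup) {
        # -ErrorAction Stop: a typo in the allowlist must abort, not silently widen the removals.
        $g = Get-ADGroup -Identity $name -ErrorAction Stop
        [void]$keep.Add($g.DistinguishedName)
    }

    $log   = New-Object System.Collections.Generic.List[object]
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties MemberOf

    foreach ($user in $users) {
        # The primary group (Domain Users by default) is not listed in MemberOf and
        # cannot be removed with Remove-ADGroupMember, so it is never touched here.
        foreach ($dn in $user.MemberOf) {
            if ($keep.Contains($dn)) { continue }

            # -WhatIf on the function call flows through ShouldProcess: a dry run lists
            # every intended removal without changing the directory.
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $dn")) {
                Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
                $log.Add([pscustomobject]@{
                    Time   = Get-Date -Format o
                    User   = $user.DistinguishedName
                    Group  = $dn
                    Action = 'Removed'
                })
            }
        }
    }

    if ($log.Count -gt 0) { $log | Export-Csv -Path $LogPath -NoTypeInformation }
    return $log
}

# Dry run first; review the WhatIf output, then run for real with -Confirm:$false.
Remove-NonAllowedGroupMembership -SearchBase 'OU=Community Users,DC=lc,DC=local' `
    -KeepGroup 'Retirees', 'Retired Employees', 'EllucianTeam' -WhatIf
# Remove-NonAllowedGroupMembership -SearchBase 'OU=Community Users,DC=lc,DC=local' `
#     -KeepGroup 'Retirees', 'Retired Employees', 'EllucianTeam' -Confirm:$false
```

The allowlist shape is the safer default for this kind of job: a denylist built from Get-ADGroup -Filter * grows whenever someone creates a group, and a misspelt exclusion in the Where-Object clause silently puts that group back on the removal list, whereas a misspelt allowlist entry fails at Get-ADGroup before anything is changed. ConfirmImpact High means the function prompts per removal unless -Confirm:$false is passed, and the CSV gives the change record an auditor will ask for.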
