Remove user from all AD Group Except domain users - powershell

Get-Aduser -identity $User -Properties Memberof -filter {Memberof Name -Notlike "Domain Users" | ForEach-Object { $_.Memberof | Remove-ADGroupMember -Members $User -Confirm:$false}}
Hey y'all,
I'm trying to remove folks from their AD groups except for the Domain Users group in AD (our company is holding on to AD accounts, idk why, but they want to remove their general access).
When I use the above code to remove them it says: "Get-ADUser : Parameter set cannot be resolved using the specified named parameters."
I'm not sure what would be a better way to do this.
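Get-ADUser rejects the command above because -Identity and -Filter belong to different parameter sets and cannot be combined, and MemberOf has to be requested with -Properties and then iterated. The following is an added example, not code from the original post; it assumes the ActiveDirectory module is loaded, that the user is given as a sAMAccountName ('jdoe' is a sample value), and it keeps Domain Users, which as the default primary group is never listed in MemberOf anyway:

```powershell
# Added example: strip a user from every group in MemberOf, keeping the primary group.
# Assumptions: ActiveDirectory module available; $User is a sAMAccountName (sample value below).
Import-Module ActiveDirectory

function Remove-AllGroupMemberships {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $User
    )

    # MemberOf holds group distinguished names. The primary group (Domain Users by default)
    # is not in MemberOf, so it survives this loop without a special case.
    $adUser = Get-ADUser -Identity $User -Properties MemberOf, PrimaryGroup

    foreach ($groupDn in $adUser.MemberOf) {
        # Never touch the primary group, even if someone changed it away from Domain Users,
        # and keep an explicit Domain Users membership if one exists.
        if ($groupDn -eq $adUser.PrimaryGroup) { continue }
        if ($groupDn -like 'CN=Domain Users,*') { continue }

        if ($PSCmdlet.ShouldProcess($User, "Remove from $groupDn")) {
            Remove-ADGroupMember -Identity $groupDn -Members $adUser -Confirm:$false
        }
    }
}

# Dry run first: -WhatIf lists every removal without changing AD.
Remove-AllGroupMemberships -User 'jdoe' -WhatIf   # 'jdoe' is a sample value
# Remove-AllGroupMemberships -User 'jdoe'
```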

Related

How to disable a group in AD

I have a simple requirement to disable/deactivate a group in AD. There are plenty of options for AD users and computers but I did not see anything related to groups.
Basically, we want to remove all members from the group and set the group to inactive or disabled. I can think of the approaches below but am not sure if it is the right way to do it.
Remove-ADGroup is not an option in our case due to some security and audit concerns.
Remove all members from the group and move the group to a non-operational OU
Remove all members from the group and set an enable flag to "false"
Please suggest the best way/solution to achieve this.
Thanks
This command will remove an AD group for you:
Remove-ADGroup
This should help you:
Get-ADGroup will get all the groups,
Get-ADGroupMember will get all the members, then Move-ADObject will move the group to another OU.
# Get-ADGroup -Filter * returns every group in the domain; narrow the filter to the groups in scope
$AdGroups = Get-ADGroup -Filter *
foreach ($ADgroup in $AdGroups) {
    # Remove every direct member of the group
    Get-ADGroupMember -Identity $ADgroup | ForEach-Object { Remove-ADGroupMember -Identity $ADgroup -Members $_ -Confirm:$false }
    # Move-ADObject needs the DN (or GUID), not the Name; the original used the undefined $AGroup
    Move-ADObject -Identity $ADgroup.DistinguishedName -TargetPath "OU=disable,DC=test,DC=local"
}

Powershell Add User to Group A if they are not already a member of Group A AND not a member of Group B as well

I would like to write a script that searches for users, and if those users are not members of both group A and group B, then they get added to group B. I have found a lot of conditionals for adding a member to one group if it does not exist in another, but not two groups.
You can just join two conditions using the -and operator:
# MemberOf holds group DNs, so compare against the DNs of A and B (the original compared the name "A" twice)
$a = (Get-ADGroup 'A').DistinguishedName; $b = (Get-ADGroup 'B').DistinguishedName
Get-ADUser -Filter * -SearchBase "dc=domain,dc=local" -Properties MemberOf | Where-Object { ($_.MemberOf -notcontains $a) -and ($_.MemberOf -notcontains $b) } | ForEach-Object { Add-ADGroupMember -Identity "B" -Members $_ }
You've identified your use case/goals.
This is a common task.
What you are asking is covered in the PowerShell help files and the examples for the cmdlets:
Get-ADGroupMember (activedirectory) | Microsoft Docs,
Add-ADGroupMember - learn.microsoft.com,
... this is a simple if/then and you can see plenty of examples of this use case online. Search for it on the web and YouTube: 'Powershell AD group management'.
Your question is really a duplicate of these Stack Overflow Q&As:
Check if a group exists in AD using PowerShell
Check if the user is a member of a list of AD groups

PowerShell export AD users not in specific group + attributes

I need to do an AD export with the info below:
- all enabled users NOT present in a specific group
- email address
- account name
and export everything into a CSV file.
Can you help me please?
Thanks!
You could do something like the following:
$group = 'my group name'
$GroupMembers = Get-ADGroupMember $group -Recursive
Get-ADUser -Filter "Enabled -eq '$true'" -Properties Mail |
Where-Object { $_.SamAccountName -notin $GroupMembers.SamAccountName } |
Select-Object SamAccountName,Mail |
Export-Csv Output.csv -NoType
Get-ADGroupMember with the -Recursive switch will recursively retrieve the AD objects that are members of $group.
Get-ADUser utilizes a filter to only query enabled users. Notice that you must add the Mail property because email address attributes are not in the default display. You can tweak this filter to make the query faster. If you are willing to add a little complexity and do performance testing, it may be faster to build separate Get-ADUser -Filter ... queries than relying on Where-Object. Performance will depend on your AD size and how many members are in the target group.
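The separate-query approach mentioned above can be taken one step further by letting the domain controller evaluate both conditions. This added example, not from the original answer, uses an LDAP filter with the bitwise-AND rule on userAccountControl (bit 2 is ACCOUNTDISABLE) and LDAP_MATCHING_RULE_IN_CHAIN on memberOf, which walks nested groups the way -Recursive does; it assumes the ActiveDirectory module, that the group DN contains no characters needing LDAP escaping, and sample group and file names:

```powershell
# Added example: server-side "enabled and not a (nested) member of the group" export.
# Assumptions: ActiveDirectory module loaded; 'my group name' and 'Output.csv' are sample values.
Import-Module ActiveDirectory

function Export-UsersNotInGroup {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupName,
        [Parameter(Mandatory = $true)] [string] $OutFile
    )

    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

    # :1.2.840.113556.1.4.803: is a bitwise AND; userAccountControl bit 2 (0x2) = ACCOUNTDISABLE,
    # so negating it keeps enabled accounts only.
    # :1.2.840.113556.1.4.1941: (LDAP_MATCHING_RULE_IN_CHAIN) follows nested group membership,
    # so users who reach the group through another group are excluded as well.
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
            "(!(memberOf:1.2.840.113556.1.4.1941:=$groupDn)))"

    Get-ADUser -LDAPFilter $ldap -Properties Mail |
        Select-Object SamAccountName, Mail |
        Export-Csv -Path $OutFile -NoTypeInformation
}

Export-UsersNotInGroup -GroupName 'my group name' -OutFile 'Output.csv'
```

memberOf never lists a user's primary group, so if the target group is somebody's primary group (normally only Domain Users) that case needs a separate primaryGroupID test.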

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to PowerShell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I can't really fit this all in a comment without it looking horrible, so let's start with this.
You are combining -Filter and -Identity, which most likely won't net the results you are looking for. Use -Identity to get one specific user or -Filter to get one to many. Looking at TechNet for Get-ADUser you will see -Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing those are not SamAccountNames, which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the Get-ADUser to get all users in that OU. Get-ADUser does not return the EmployeeID by default, so we use -Properties to specify it. Filter all those users that have an EmployeeID but not one in the list. Disable-ADAccount will take the output of Get-ADUser nicely, so there is no need to specify the account again.
Depending on your environment, you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a CSV file with a column for EmployeeNumber.
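One failure mode worth guarding against with this comparison: if the CSV is empty, mis-parsed, or has the wrong column header, the list of known IDs is empty and every enabled user in the OU would be disabled. The following is an added example, not the answer's own code, that adds those checks plus a per-run ceiling and -WhatIf support; it assumes the ActiveDirectory module and uses the CSV path and OU from the question as sample values:

```powershell
# Added example: the same CSV-vs-AD comparison, refusing to run on an empty or malformed CSV
# and capping how many accounts one run may disable. Assumptions: ActiveDirectory module;
# paths, OU and the 25-account ceiling are sample values.
Import-Module ActiveDirectory

function Disable-UsersMissingFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $CsvPath,
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        [string] $IdColumn = 'EmployeeID',   # use 'EmployeeNumber' if that is the AD attribute in use
        [int] $MaxDisable = 25               # refuse to disable more than this in one run
    )

    $rows = Import-Csv -Path $CsvPath
    if (-not $rows -or -not ($rows[0].PSObject.Properties.Name -contains $IdColumn)) {
        throw "CSV '$CsvPath' is empty or has no '$IdColumn' column; refusing to disable anyone."
    }
    $ids = @($rows.$IdColumn | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    if ($ids.Count -eq 0) { throw "No $IdColumn values found in '$CsvPath'; aborting." }

    # Only enabled users are candidates; already-disabled ones are left alone.
    $targets = @(Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties $IdColumn |
        Where-Object { $_.$IdColumn -and ($ids -notcontains $_.$IdColumn.Trim()) })

    if ($targets.Count -gt $MaxDisable) {
        throw "$($targets.Count) accounts would be disabled, above the $MaxDisable limit; check the CSV."
    }

    foreach ($u in $targets) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (ID $($u.$IdColumn) not in CSV)")) {
            Disable-ADAccount -Identity $u
        }
    }
}

# Dry run; drop -WhatIf once the listed accounts look right.
Disable-UsersMissingFromCsv -CsvPath 'C:\ADTerm.csv' -SearchBase 'ou=Test,ou=Logins,dc=domain,dc=com' -WhatIf
```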

PowerShell script to search a specific OU in AD and find disabled users that are members of a group

I'm trying to write a script to find disabled users that are members of one or more groups in a specific OU in AD. It will then remove all the groups for all the disabled users. I found this script, which removes all groups from users in a CSV file, but as I'm looking to run this as a scheduled task I prefer not to process users that already had their groups removed, without having to move them to a different OU.
Import-Csv $csvFile | ForEach-Object {
# Disable the account
Disable-ADAccount -Identity $_.samAccountName
# Retrieve the user object and MemberOf property
$user = Get-ADUser -Identity $_.samAccountName -Properties MemberOf
# Remove all group memberships (will leave Domain Users as this is NOT in the MemberOf property returned by Get-ADUser)
foreach ($group in ($user | Select-Object -ExpandProperty MemberOf))
{
Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}
}
Any idea on how to filter out the users with more than one group?
I'm using this script to export disabled users that have not logged on for 60 days:
Get-QADUser -searchRoot $OuDomain -searchScope OneLevel -InactiveFor 61 -NotLoggedOnFor 61 -disabled -sizelimit 0
Thx
You seem to have the filter-by-OU part down, which is good. You have some thoughts at the beginning of your post, but the only actual question is how to filter out the users with more than one group. Not sure if that is a typo or not, but I read that as checking the count of groups a user has. A more realistic interpretation of that is to filter users that could have at least one of a list of groups. I'm going to cover both.
The Count
I'm sure this is not what you want, but I just want to cover the bases. The following would also work in a Where-Object clause.
If ((Get-ADUser $user -Properties MemberOf).MemberOf.Count -gt 0) { <# process the user here #> }
Multiple Groups
I'm sure this was your intention: locate users that could contain one of several groups. This is best handled with regex.
$groupsFilter = "citrix_GateKeeper","barracuda_spam_alerts"
# Escape each name and anchor on the CN so a group whose name is a substring of another does not match
$groupsFilter = "^CN=($(($groupsFilter | ForEach-Object { [regex]::Escape($_) }) -join '|')),"
# $groupsFilter in this example is: ^CN=(citrix_GateKeeper|barracuda_spam_alerts),
If (((Get-ADUser $user -Properties MemberOf).MemberOf) -match $groupsFilter) { <# process the user here #> }
Create a regex match string based on a string array of multiple groups. If $user is a member of either of those groups, then true would be returned.
If nothing here is of any use to you then I would suggest making your question clearer. Hopefully this helps.
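For the scheduled-task use in the question, the selection can be done in one query: let the DC return only disabled users in the OU, keep those whose MemberOf is non-empty, and record each membership before removing it. Users already stripped have an empty MemberOf and drop out of the filter, so the job is idempotent without moving anyone between OUs. This is an added example, not code from the question or answer; it assumes the ActiveDirectory module and uses a sample OU and log path:

```powershell
# Added example: find disabled users in one OU that still hold group memberships,
# log what they had, then strip them. Assumptions: ActiveDirectory module; the OU and
# log path are sample values.
Import-Module ActiveDirectory

function Clear-DisabledUserGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        [string] $LogPath = 'C:\Logs\removed-memberships.csv'
    )

    # Enabled is evaluated by the DC; MemberOf is fetched for the client-side count test.
    # Users whose groups were already removed have an empty MemberOf and are skipped.
    $users = @(Get-ADUser -Filter "Enabled -eq 'False'" -SearchBase $SearchBase -Properties MemberOf |
        Where-Object { @($_.MemberOf).Count -gt 0 })

    foreach ($u in $users) {
        foreach ($groupDn in $u.MemberOf) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $groupDn")) {
                # Record the membership before removing it so it can be audited or restored.
                [pscustomobject]@{
                    When  = (Get-Date).ToString('s')
                    User  = $u.SamAccountName
                    Group = $groupDn
                } | Export-Csv -Path $LogPath -Append -NoTypeInformation
                Remove-ADGroupMember -Identity $groupDn -Members $u -Confirm:$false
            }
        }
    }

    # Return who was processed so the scheduled task can surface it in its own output.
    return $users | Select-Object SamAccountName, @{ n = 'GroupsRemoved'; e = { @($_.MemberOf).Count } }
}

# Dry run; drop -WhatIf for the scheduled task once the listed removals look right.
Clear-DisabledUserGroups -SearchBase 'OU=Leavers,DC=domain,DC=local' -WhatIf
```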