Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
$group = "Nitro_Win7"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
foreach ($user in $users){
Remove-ADGroupMember -Identity "Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Win10" -Members $user -Confirm:$false -Verbose
If ($members -contains $user) {
Remove-ADGroupMember -Identity "Nitro_Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro_Win10" -Members $user -Confirm:$false -Verbose
}
}
The list of users is migrating successfully from the "Win7" group to the "Win10" group. However, the second step, in the if statement, does not seem to be working properly. The goal is to also have users removed from "Nitro_Win7" and added to "Nitro_Win10" if they are members of "Nitro_Win7". After running, users who are members of "Nitro_Win7" stay in "Nitro_Win7". This is not working as hoped. Please help!
I am receiving the following error when running this script:
Get-ADGroupMember : Cannot convert 'System.Object[]' to the type
'Microsoft.ActiveDirectory.Management.ADGroup' required by parameter
'Identity'. Specified method is not supported.
Also, the users move from the Win7 group to the Win10 group, but depending on whether they are members of the other groups in the if statements, none of the groups in the if statements are moving for any of the users. Please help.
Just for reference the userlist file contains Active Directory usernames in a text file like this:
jsmith
ksmith
etc.
The grouplist text file contains Active Directory groups like this:
Nitro7
Project7
Visio7
Zoom7
SnagIt7
OneNote7
Code:
Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
$group = Get-Content -Path .\grouplist.txt
$members = Get-ADGroupMember -Identity $group -Recursive
foreach ($user in $users){
Remove-ADGroupMember -Identity "Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Win10" -Members $user -Confirm:$false -Verbose
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Nitro7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Project7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Project10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "OneNote7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "OneNote10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Zoom7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Zoom10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "SnagIt7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "SnagIt10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Visio7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Visio10" -Members $user -Confirm:$false -Verbose
}
}
The -Identity property of Get-ADGroupMember is a singleton, not an array.
However, the -Identity property does accept the pipeline for input. So, you may be able to do something like this:
$members = $group | Get-ADGroupMember -Recursive
Although, IMX, some of the AD commands are a bit wonky due to their age. I expect you may need to do something like this:
$members = foreach ($g in $group) { Get-ADGroupMember -Identity $g -Recursive }
The rest of your script has kind of a confused logic, however, so I can't really tell what you're intending to do.
{snip}
Based on your comments, here's what I'd do.
First, I'd change your groups file. Instead of a plain text list of the groups, I'd make it a CSV file with two columns: The old group and the new group.
So, grouplist.csv looks like this:
"OldGroupName","NewGroupName"
"Nitro7","Nitro10"
"OneNote7","OneNote10"
"Project7","Project10"
"SnagIt7","SnagIt10"
"Visio7","Visio10"
"Win7","Win10"
"Zoom7","Zoom10"
Now you have a map for each old group and the group you want to migrate your users to.
Now, we do it like this:
$users = Get-Content .\userlist.txt
$groups = Import-Csv .\grouplist.csv
foreach ($group in $groups) {
$UsersToModify = Get-ADGroupMember $group.OldGroupName -Recursive | Where-Object SamAccountName -in $users
if (-not $UsersToModify) { continue }   # -Members rejects an empty set, so skip groups that contain none of the listed users
Remove-ADGroupMember -Identity $group.OldGroupName -Members $UsersToModify -Confirm:$false -Verbose -WhatIf
Add-ADGroupMember -Identity $group.NewGroupName -Members $UsersToModify -Confirm:$false -Verbose -WhatIf
}
[Note: Remove the -WhatIf to actually perform the actions.]
For each group, we get a list of the group's members, filter it to the usernames in $users and save that to $UsersToModify. Then, we pass that list of users to the Remove and Add commands. We only need to call them once per group.
I know you had a special exception for Win7 to Win10, but I don't see where the logic of the script really needs to change to accommodate that. If you want to always add all users in $users to Win10, you could add that manually:
$UsersToAddtoWin10 = $users | Get-ADUser
Add-ADGroupMember -Identity Win10 -Members $UsersToAddtoWin10 -Confirm:$false -Verbose -WhatIf
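The per-group approach above works well, but a production run usually wants a few more things around it: a pre-flight check that both ends of every mapping actually resolve, only direct members queried (a user who is a member via a nested group cannot be removed from the outer group, so -Recursive is left off here), the add done before the remove so no user is ever left in neither group, and a CSV record of what was moved. The following is an added example written for this thread, not code from any of the posts; it assumes the grouplist.csv layout shown above (OldGroupName,NewGroupName) and a userlist.txt of SamAccountNames, and the log path is a placeholder.

```powershell
# Added example (not from the thread): group-centric migration with pre-flight checks,
# WhatIf support and an audit log. Assumes grouplist.csv has OldGroupName,NewGroupName
# columns and userlist.txt holds one SamAccountName per line.
Import-Module ActiveDirectory

function Invoke-GroupMigration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserListPath,
        [Parameter(Mandatory)][string]$GroupMapPath,
        [string]$LogPath = ".\migration-log.csv"   # placeholder path
    )

    $users  = Get-Content -Path $UserListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $groups = Import-Csv -Path $GroupMapPath
    $log    = New-Object System.Collections.Generic.List[object]

    foreach ($pair in $groups) {
        # Pre-flight: both ends of the mapping must resolve before anything is changed.
        $old = Get-ADGroup -Identity $pair.OldGroupName -ErrorAction SilentlyContinue
        $new = Get-ADGroup -Identity $pair.NewGroupName -ErrorAction SilentlyContinue
        if (-not $old -or -not $new) {
            Write-Warning "Skipping $($pair.OldGroupName) -> $($pair.NewGroupName): a group does not exist"
            continue
        }

        # Direct members only: Remove-ADGroupMember cannot remove a membership inherited via nesting.
        $toMove = @(Get-ADGroupMember -Identity $old | Where-Object { $_.SamAccountName -in $users })
        if ($toMove.Count -eq 0) { Write-Verbose "No listed users are direct members of $($old.Name)"; continue }

        if ($PSCmdlet.ShouldProcess("$($toMove.Count) user(s)", "move from $($old.Name) to $($new.Name)")) {
            # Add first, then remove, so a failure never leaves a user in neither group.
            Add-ADGroupMember    -Identity $new -Members $toMove -Confirm:$false
            Remove-ADGroupMember -Identity $old -Members $toMove -Confirm:$false
        }
        foreach ($u in $toMove) {
            $log.Add([pscustomobject]@{
                Time = Get-Date; User = $u.SamAccountName; From = $old.Name; To = $new.Name
                Applied = -not $WhatIfPreference
            })
        }
    }
    $log | Export-Csv -Path $LogPath -NoTypeInformation
    return $log
}

# Dry run first; drop -WhatIf to apply. The log then lists what would have been moved (Applied = False).
Invoke-GroupMigration -UserListPath .\userlist.txt -GroupMapPath .\grouplist.csv -WhatIf
```

Because the function declares SupportsShouldProcess, the -WhatIf you pass to it flows into the Add/Remove calls as well, so one switch controls the whole run.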
Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
foreach ($user in $users){
Remove-ADGroupMember -Identity "View_Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "View_Win10" -Members $user -Confirm:$false -Verbose
[array]$grps=Get-ADUser $user -Property memberOf | Select -ExpandProperty memberOf | Get-ADGroup | Select Name
foreach($grp in $grps){
if($grp.Name -match "Nitro7") {
Remove-ADGroupMember -Identity "Nitro7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "Project7") {
Remove-ADGroupMember -Identity "Project7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Project10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "OneNote7") {
Remove-ADGroupMember -Identity "OneNote7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "OneNote10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "Zoom7") {
Remove-ADGroupMember -Identity "Zoom7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Zoom10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "SnagIt7") {
Remove-ADGroupMember -Identity "SnagIt7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "SnagIt10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "Visio7") {
Remove-ADGroupMember -Identity "Visio7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Visio10" -Members $user -Confirm:$false -Verbose
}
}
}
Let's see if this will work for you, considering your $user and $group lists are exactly as you show...
#get your users...
$users = Get-Content -Path .\userlist.txt
#get your groups...
$groups = Get-Content -Path .\grouplist.txt
#for each user...
foreach ($user in $users) {
#get their group memberships, expand the property...
$memberOf = Get-ADUser -Identity $user -Properties MemberOf | Select -ExpandProperty memberof
#for each membership whose CN is found in $groups and ends in '7' (a DN never ends in '7', so match on the CN part)...
foreach ($membership in ($memberOf | Where-Object {($_ -match ($groups -join "|")) -and ($_ -like 'CN=*7,*')})) {
#remove the user from the matched group...
Remove-ADGroupMember -Identity $membership -Members $user -Confirm:$false
#add the user to a group with the same name, replacing 7 with 10...
Add-ADGroupMember -Identity $membership.Replace("7","10") -Members $user -Confirm:$false
}
}
IMPORTANT
Please note that this -match operator will return any other groups that are contained in $groups that also end in 7. If you have additional group names that match that criteria stored in $groups, you will want more filtering on $memberOf for the $membership iteration.
This script will also replace every instance of the character '7' in $membership (a matched group's DistinguishedName), with '10', in order to add $user to the new group. So, make sure that isn't a problem.
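Both of the caveats in the IMPORTANT note go away if the comparison is done on the group's Name rather than on its DistinguishedName, and if only the trailing "7" is replaced. The following is an added example for this thread, not code from the posts above; it assumes the same userlist.txt and grouplist.txt files (grouplist.txt holding the old names only) and that the "...10" groups already exist.

```powershell
# Added example (not from the thread): migrate a user's "...7" groups to the matching
# "...10" groups by exact Name match, replacing only the trailing "7". File names and
# group names follow the thread; the target groups are assumed to exist.
Import-Module ActiveDirectory

$users  = Get-Content -Path .\userlist.txt
$groups = Get-Content -Path .\grouplist.txt   # e.g. Nitro7, Project7, ... (old names only)

# Build an old-name -> new-name lookup once. Only the final "7" is replaced, so a group
# such as "Win7Project7" would map to "Win7Project10", and "Zoom17" would be skipped
# unless it is listed. Hashtable keys are case-insensitive, matching AD's behaviour.
$map = @{}
foreach ($old in $groups) {
    if ($old -notmatch '7$') { Write-Warning "Skipping '$old': name does not end in 7"; continue }
    $map[$old] = $old -replace '7$', '10'
}

foreach ($user in $users) {
    $adUser = Get-ADUser -Identity $user -Properties MemberOf -ErrorAction SilentlyContinue
    if (-not $adUser) { Write-Warning "User '$user' not found"; continue }

    # Resolve each membership DN to a group object so the comparison is on Name, not on the DN.
    foreach ($dn in $adUser.MemberOf) {
        $grp = Get-ADGroup -Identity $dn -ErrorAction SilentlyContinue
        if (-not $grp -or -not $map.ContainsKey($grp.Name)) { continue }   # exact match only

        $newName  = $map[$grp.Name]
        $newGroup = Get-ADGroup -Filter "Name -eq '$newName'"
        if (-not $newGroup) {
            Write-Warning "Target group '$newName' does not exist; leaving $user in $($grp.Name)"
            continue
        }
        # Add before remove so a failed add never strips the user of the old group.
        Add-ADGroupMember    -Identity $newGroup -Members $adUser -Confirm:$false -Verbose -WhatIf
        Remove-ADGroupMember -Identity $grp      -Members $adUser -Confirm:$false -Verbose -WhatIf
    }
}
```

Remove the -WhatIf switches once the dry run shows only the expected groups; "Nitro7x" or a group whose OU path contains a 7 can no longer be touched by accident because neither -match nor a blanket Replace is used.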
I'm trying to remove the groups from users in another domain.
Example: I, as admin, want to disable a user and remove his groups in another domain.
The problem is I don't know how to use Remove-ADGroupMember -Server in a Foreach loop; if I don't use Foreach I can use the -Server option.
Error of Remove-ADGroupmember:
How can I get -Server property within Foreach?
$groups = (Get-Aduser -server ServerY -Identity manusys -Properties MemberOf).memberof
Foreach ($group in $groups) {
Remove-ADGroupMember -identity $group -Members manusys -Confirm:$false -ErrorAction:SilentlyContinue
}
The user account Manusys has these groups:
CN=NO_CamerasAlertMGR,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasAlertCM,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasReport,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasReport_CM,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasReport_MGR,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
The Server param is available to use with Remove-ADGroupMember, using it within foreach doesn't change this.
Don't just rely on the ISE auto-prompts, referring to the documentation (remove-adgroupmember) will always show you what parameters are available.
The problem you are actually seeing is that the ISE no longer prompts/shows the command's parameters once you've used one of the Common Parameters (Confirm & ErrorAction in your code, but there are others)...
You can see this with the command by itself - it will continue to prompt for params:
Remove-ADGroupMember -identity $group -Members manusys
But add a CommonParam, and it will not provide its own params anymore:
Remove-ADGroupMember -identity $group -Members manusys -Confirm:$false
So to fix your original issue, add the Server param to Remove-ADGroupMember:
$groups = (Get-Aduser -server ServerY -Identity manusys -Properties MemberOf).memberof
Foreach ($group in $groups) {
Remove-ADGroupMember -server ServerY -identity $group -Members manusys -Confirm:$false -ErrorAction:SilentlyContinue
}
I have a .csv file with the group names and the SAM of the users I want to delete from the 10 groups.
How does this work? I am a PowerShell beginner.
Save the user list as csv and use something like
$users = import-csv C:\csvpath\users.csv
Foreach ($user in $users){
Remove-adgroupmember -identity "groupname1" -members $user.username -Confirm:$false
Remove-adgroupmember -identity "groupname2" -members $user.username -Confirm:$false
}
You could of course also get the group names from another csv for cleaner code:
$users = import-csv C:\csvpath\users.csv
$groups = import-csv C:\csvpath\groups.csv
Foreach ($user in $users){
Foreach ($group in $groups) {
Remove-adgroupmember -identity $group.name -members $user.username -Confirm:$false
}
}
The script should remove an AD user from all of his group memberships (including memberships in the forest domain and other child domains), deactivate it and move it into another OU.
environment:
forest-domain: forest.com
child-domains: child1.forest.com
child2.forest.com
child3.forest.com
script is running in child1.forest.com
this is the script so far:
$username="testuser"
$groups=Get-ADPrincipalGroupMembership -Identity $username | where {$_.name -notlike "Domain Users"}
$getuser=Get-ADUser -Identity $username | select DistinguishedName
$userpath=$getuser.DistinguishedName
foreach ($group in $groups) {
Remove-ADGroupMember -Identity $group -member $username -Confirm:$false
}
Disable-ADAccount -Identity $username
Move-ADObject "$userpath" -TargetPath "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"
Actually it successfully removes all group memberships in child1.forest.com but not in forest.com or child2.forest.com.
This code is working properly:
$User=Get-ADUser "testuser" -server "child1.forest.com"
$Group=Get-ADGroup "SomeGroup" -server "forest.com"
Remove-ADGroupMember $Group -Members $user -server "forest.com" -Confirm:$false
I tried to combine these script snippets but have not yet been successful.
I have an idea... to read the domain of the OU and pass it into the loop, but I can't get it to read the OU in a way that I can use.
Can someone help please?
I found a solution: I query whether the group exists on each server:
$servers=@("forest.com","child1.forest.com","child2.forest.com","child3.forest.com")
$username="testuser"
$user=Get-ADUser -Identity $username
$groups=Get-ADPrincipalGroupMembership -Identity $user | where {$_.name -notlike "Domain Users"}
foreach ($group in $groups) {
    $found=0   # reset per group; otherwise every later group leaves the server loop after the first server
    foreach ($server in $servers) {
        $groupname=$group.name
        $groupserver=Get-ADGroup $groupname -server $server -ErrorAction SilentlyContinue
        if($groupserver)
        {
            # use the group object from the domain where it was found and target that domain
            Remove-ADGroupMember $groupserver -Members $user -server $server -Confirm:$false -ErrorAction SilentlyContinue
            $found=1
        }
        if ($found -eq 1){break}
    }
}
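Both the -Server question above and this forest-wide removal come down to the same point: each group lives in one domain, and Remove-ADGroupMember has to be pointed at that domain. Rather than hard-coding one server or trying every domain in turn (which also risks hitting a same-named group in the wrong domain), the group's domain can be read straight from the DC= components of its DistinguishedName. The following is an added example for this thread, not code from the posts; it uses the domain names from the thread, a placeholder user name, and assumes, as the thread's output shows, that the membership query returns the groups from the other domains with their full DN.

```powershell
# Added example (not from the thread): remove a user from every group across the forest by
# deriving each group's domain from its DistinguishedName and passing it as -Server.
# Domain names follow the thread; 'testuser' is a placeholder.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # "CN=G,OU=X,DC=child1,DC=forest,DC=com" -> "child1.forest.com"
    $dcParts = $DistinguishedName -split ',' |
               Where-Object { $_ -like 'DC=*' } |
               ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

function Remove-UserFromAllGroups {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserDomain
    )
    $user   = Get-ADUser -Identity $SamAccountName -Server $UserDomain
    # Domain Users is the primary group and cannot be removed this way.
    $groups = Get-ADPrincipalGroupMembership -Identity $user -Server $UserDomain |
              Where-Object { $_.Name -ne 'Domain Users' }

    foreach ($group in $groups) {
        $groupDomain = Get-DomainFromDN -DistinguishedName $group.DistinguishedName
        try {
            # Re-fetch the group from its own domain so the object and -Server agree,
            # then remove the (possibly cross-domain) user object from it.
            $g = Get-ADGroup -Identity $group.DistinguishedName -Server $groupDomain -ErrorAction Stop
            Remove-ADGroupMember -Identity $g -Members $user -Server $groupDomain -Confirm:$false -WhatIf -ErrorAction Stop
            Write-Verbose "Removed $SamAccountName from $($g.Name) in $groupDomain" -Verbose
        } catch {
            Write-Warning "Could not remove $SamAccountName from $($group.DistinguishedName): $_"
        }
    }
}

Remove-UserFromAllGroups -SamAccountName 'testuser' -UserDomain 'child1.forest.com'
```

-ErrorAction Stop is needed because the AD cmdlets raise non-terminating errors by default, which try/catch would otherwise ignore; drop -WhatIf once the dry run lists the expected groups and domains.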
$names = Import-CSV C:\PowerShell\TerminatedEmployees.csv
$Date = Get-Date
foreach ($name in $names)
{
Get-ADPrincipalGroupMembership -Identity "$($name.TextBox37)" | select Name | Out-File "C:\Powershell\ADUserMemberships\$($name.TextBox37)Memberships.txt"
$ADgroups = Get-ADPrincipalGroupMembership -Identity "$($name.TextBox37)" | where {$_.Name -ne "Domain Users"}
Remove-ADPrincipalGroupMembership -Identity "$($name.TextBox37)" -MemberOf $ADgroups -Confirm:$false
Disable-ADAccount -Identity "$($name.TextBox37)"
Get-ADUser -Identity "$($name.TextBox37)" | Move-ADObject -TargetPath "OU=DisabledAccounts,OU=XXX,DC=XXX,DC=XXXX,DC=XXX"
Set-ADUser -Identity "$($name.TextBox37)" -Description "Disabled $Date"
}
This is an already working script I have. However, I realized I need to check 2 properties on the AD user to determine if they need to go through my foreach statement. Both properties need to be met. If they are, then there's no reason for the AD user to be processed.
The AD user is already disabled.
The AD user already resides in the Disabled OU.
I'm thinking this needs to be done in an If -And statement. But does this need to be done before the foreach or inside the foreach?
Start out by retrieving the user account with Get-ADUser and then inspect the Disabled property + compare the Disabled OU to the DistinguishedName of the user:
$names = Import-CSV C:\PowerShell\TerminatedEmployees.csv
$Date = Get-Date
$DisabledOU = "OU=DisabledAccounts,OU=XXX,DC=XXX,DC=XXXX,DC=XXX"
foreach ($name in $names)
{
$ADUser = Get-ADUser -Identity "$($name.TextBox37)"
if(-not($ADUser.Enabled) -and $ADUser.DistinguishedName -like "*,$DisabledOU")
{
# no need to proceed, skip to next name in foreach loop
continue
}
$ADGroups = Get-ADPrincipalGroupMembership -Identity "$($name.TextBox37)"
$ADGroups |Select-Object Name |Out-File "C:\Powershell\ADUserMemberships\$($name.TextBox37)Memberships.txt"
# no need to call Get-ADPrincipalGroupMembership again
$ADgroups = $ADGroups | where {$_.Name -ne "Domain Users"}
Remove-ADPrincipalGroupMembership -Identity "$($name.TextBox37)" -MemberOf $ADgroups -Confirm:$false
Disable-ADAccount -Identity "$($name.TextBox37)"
$ADUser | Move-ADObject -TargetPath $DisabledOU
Set-ADUser -Identity "$($name.TextBox37)" -Description "Disabled $Date"
}
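The script above writes the membership names to a text file before removing them, which is good for the record but not enough to put an account back if a name was in the CSV by mistake. The following is an added example for this thread, not code from the posts; it saves each membership with the group's DistinguishedName so it can be re-added exactly, and pairs that with a restore function. The TextBox37 column name and the backup folder come from the thread; the function names and everything else are assumptions.

```powershell
# Added example (not from the thread): reversible membership backup for an offboarding run.
# Back up with the group DN before Remove-ADPrincipalGroupMembership, restore from the file if needed.
Import-Module ActiveDirectory

function Backup-UserGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$BackupFolder = "C:\Powershell\ADUserMemberships"   # folder used in the thread
    )
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName
    $rows = foreach ($g in $groups) {
        [pscustomobject]@{
            SamAccountName = $SamAccountName
            GroupName      = $g.Name
            GroupDN        = $g.DistinguishedName   # the key that makes a restore exact
            GroupScope     = $g.GroupScope
            BackedUp       = (Get-Date).ToString('o')
        }
    }
    $path = Join-Path $BackupFolder "$SamAccountName-Memberships.csv"
    $rows | Export-Csv -Path $path -NoTypeInformation
    return $path
}

function Restore-UserGroupMembership {
    param([Parameter(Mandatory)][string]$BackupPath)
    $rows = Import-Csv -Path $BackupPath
    # Domain Users is the primary group and was never removed, so it is skipped on restore too.
    foreach ($row in ($rows | Where-Object { $_.GroupName -ne 'Domain Users' })) {
        # Identify the group by DN so a renamed or duplicated display name cannot send the
        # user into the wrong group.
        Add-ADGroupMember -Identity $row.GroupDN -Members $row.SamAccountName -Confirm:$false -WhatIf
    }
}

# Usage, one terminated employee from the CSV in the thread:
# $file = Backup-UserGroupMembership -SamAccountName $name.TextBox37
# ... removal, disable and move as in the script above ...
# Restore-UserGroupMembership -BackupPath $file   # only if the account has to be reinstated
```

Calling Backup-UserGroupMembership in place of the Out-File line keeps the rest of the script unchanged while leaving a file that can actually undo the change.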