Powershell - Remove-ADGroupMember - powershell

I'm trying to remove the groups from users in another domain.
Example: I, as admin, want to disable a user and remove his groups in another domain.
The problem is I don't know how to use Remove-ADGroupMember -Server in a Foreach loop; if I don't use Foreach I can use the -Server option.
Error of Remove-ADGroupmember:
How can I get -Server property within Foreach?
$groups = (Get-Aduser -server ServerY -Identity manusys -Properties MemberOf).memberof
Foreach ($group in $groups) {
Remove-ADGroupMember -identity $group -Members manusys -Confirm:$false -ErrorAction:SilentlyContinue
}
The user account Manusys has these groups:
CN=NO_CamerasAlertMGR,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasAlertCM,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasReport,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasReport_CM,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com
CN=NO_CamerasReport_MGR,OU=Ordinary Distribution Lists,OU=Distribution Lists,DC=test,DC=com

The Server param is available to use with Remove-ADGroupMember; using it within foreach doesn't change this.
Don't just rely on the ISE auto-prompts; referring to the documentation (remove-adgroupmember) will always show you what parameters are available.
The problem you are actually seeing is that the ISE no longer prompts/shows the command's parameters once you've used one of the Common Parameters (Confirm & ErrorAction in your code, but there are others)...
You can see this with the command by itself - it will continue to prompt for params:
Remove-ADGroupMember -identity $group -Members manusys
But add a CommonParam, and it will not provide its own params anymore:
Remove-ADGroupMember -identity $group -Members manusys -Confirm:$false
So to fix your original issue, add the Server param to Remove-ADGroupMember:
$groups = (Get-Aduser -server ServerY -Identity manusys -Properties MemberOf).memberof
Foreach ($group in $groups) {
Remove-ADGroupMember -server ServerY -identity $group -Members manusys -Confirm:$false -ErrorAction:SilentlyContinue
}

Related

Faster Way to remove users from a huge list of groups?

I run the following code to remove disabled users from a list of 9874 groups:
$user = get-aduser <userid> -Server "<server from another domain>"
foreach ($Group in $Groups) {
Write-Host "Removing $user from $group" -Foreground Green
Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}
It's a bottleneck for me as it checks/removes the account from each group. Is there a way to speed this up with more efficient PS code?
If memberOf is the only thing you are interested in for a given user, you can run the following. It only loads the memberOf property and removes the user from each of these. Gives you a bit of a performance boost since it's not loading all the account properties.
Get-ADUser <userid> -Server "<server from another domain>" -Properties MemberOf `
| Select -Expand MemberOf | % {
    Remove-ADGroupMember $_ -Members <userid>
}

How to fix an issue where users aren't moving AD groups

Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
$group = "Nitro_Win7"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
foreach ($user in $users){
Remove-ADGroupMember -Identity "Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Win10" -Members $user -Confirm:$false -Verbose
If ($members -contains $user) {
Remove-ADGroupMember -Identity "Nitro_Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro_Win10" -Members $user -Confirm:$false -Verbose
}
}
The list of users is migrating successfully from the "Win7" group to the "Win10" group. However, the second step in the if statement does not seem to be working properly. The goal is to also have users removed from "Nitro_Win7" and added to "Nitro_Win10" if they are a member of "Nitro_Win7". After running, if users are a member of "Nitro_Win7", they stay in "Nitro_Win7". This is not working as hoped. Please help!

powershell delete aduser groupmemberchip of other childdomain

The script should remove an AD user from all of his group memberships (including memberships in the forest domain and other child domains), deactivate it and move it into another OU.
Environment:
forest-domain: forest.com
child-domains: child1.forest.com
child2.forest.com
child3.forest.com
The script is running in child1.forest.com.
This is the script so far:
$username="testuser"
$groups=Get-ADPrincipalGroupMembership -Identity $username | where {$_.name -notlike "Domain Users"}
$getuser=Get-ADUser -Identity $username | select DistinguishedName
$userpath=$getuser.DistinguishedName
foreach ($group in $groups) {
Remove-ADGroupMember -Identity $group -member $username -Confirm:$false
}
Disable-ADAccount -Identity $username
Move-ADObject "$userpath" -TargetPath "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"
Actually it successfully deletes all group memberships in child1.forest.com, but not those in forest.com or child2.forest.com.
This code is working properly:
$User=Get-ADUser "testuser" -server "child1.forest.com"
$Group=Get-ADGroup "SomeGroup" -server "forest.com"
Remove-ADGroupMember $Group -Members $user -server "forest.com" -Confirm:$false
I tried to combine these script snippets but have not been successful yet.
I have an idea: read the domain of the OU and pass it into the loop, but I can't get it working to read the OU in a way that I can use it.
Can someone help please?
Found a solution: I query whether the group exists on each server:
$servers=@("forest.com","child1.forest.com","child2.forest.com","child3.forest.com")
$username="testuser"
$user=Get-ADUser -Identity $username
$groups=Get-ADPrincipalGroupMembership -Identity $user | where {$_.name -notlike "Domain Users"}
foreach ($group in $groups) {
    $found=0   # reset per group, otherwise the inner loop stops at the first server for every later group
    foreach ($server in $servers) {
        $groupname=$group.name
        # Get-ADGroup reports an error when the group is not in this domain; suppress it so $groupserver stays empty
        $groupserver=Get-ADGroup $groupname -server $server -ErrorAction SilentlyContinue
        if($groupserver)
        {
            Remove-ADGroupMember $groupserver -Members $user -server $server -Confirm:$false -ErrorAction SilentlyContinue
            $found=1
        }
        if ($found -eq 1){break}
    }
}
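The three cross-domain threads above (the original -Server question, the "faster way to remove users from a huge list of groups" question, and this offboarding script) all come down to the same thing: the group object lives in the domain named by the DC= components of its own distinguished name, so that domain, not the user's, is what -Server must point at. The following is an added example, not code from any of the posts; it implements the asker's own idea of reading the domain out of each group's DN and passing it into the loop. It assumes the RSAT ActiveDirectory module and a forest laid out like the question's (forest.com with child domains); the function names, the per-group result objects and the target OU default are this example's choices. Because it works from the user's memberOf attribute, as the first answer does, it only cleans the groups that attribute lists; the asker's Get-ADPrincipalGroupMembership probe of each domain remains the fallback when other domains' memberships do not show up there.

```powershell
# Added example, not code from any post above. Assumes the RSAT ActiveDirectory
# module and a forest laid out like the question's (forest.com with child domains);
# function names and the target OU default are this example's own choices.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # "CN=SomeGroup,OU=Groups,DC=child2,DC=forest,DC=com" -> "child2.forest.com"
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = [regex]::Matches($DistinguishedName, '(?i)(?:^|,)\s*DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    if (-not $parts) { throw "No DC= components in '$DistinguishedName'" }
    $parts -join '.'
}

function Remove-UserFromAllGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserDomain,       # domain/DC that holds the user, e.g. child1.forest.com
        [string[]]$SkipGroupName = @('Domain Users')     # the primary group cannot be removed this way anyway
    )
    # Load only MemberOf instead of every attribute, and reuse the DN for each removal so
    # Remove-ADGroupMember does not have to resolve the user again for every group.
    $user = Get-ADUser -Identity $SamAccountName -Server $UserDomain -Properties MemberOf
    foreach ($groupDn in $user.MemberOf) {
        $groupName = (($groupDn -split ',')[0] -replace '^CN=', '')
        if ($SkipGroupName -contains $groupName) { continue }
        # Target the domain the group is in, not the user's domain: this is what makes
        # groups in forest.com or child2.forest.com removable from a child1 script.
        $groupDomain = Get-DomainFromDN -DistinguishedName $groupDn
        if (-not $PSCmdlet.ShouldProcess("$groupDn ($groupDomain)", "Remove member $SamAccountName")) { continue }
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $user.DistinguishedName `
                -Server $groupDomain -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ Group = $groupDn; Server = $groupDomain; Status = 'Removed' }
        } catch {
            # Report failures instead of hiding them with SilentlyContinue: an offboarding
            # that quietly leaves memberships behind is the worse outcome.
            [pscustomobject]@{ Group = $groupDn; Server = $groupDomain; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

function Disable-UserAccount {
    # Offboarding as the question describes it: strip groups, disable, move to a holding OU.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserDomain,
        [string]$TargetOU = 'OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com'  # OU from the question's script
    )
    $report = @(Remove-UserFromAllGroups -SamAccountName $SamAccountName -UserDomain $UserDomain)
    $failed = @($report | Where-Object Status -like 'Failed*')
    if ($failed.Count -gt 0) {
        Write-Warning "$($failed.Count) membership(s) could not be removed; account left enabled for review"
        return $report
    }
    $user = Get-ADUser -Identity $SamAccountName -Server $UserDomain
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move')) {
        Disable-ADAccount -Identity $user -Server $UserDomain
        Move-ADObject -Identity $user -TargetPath $TargetOU -Server $UserDomain
    }
    $report
}

# Dry run first (WhatIf propagates into the nested calls), then the real run:
# Disable-UserAccount -SamAccountName testuser -UserDomain child1.forest.com -WhatIf
# Disable-UserAccount -SamAccountName testuser -UserDomain child1.forest.com
```

The per-group result objects make the script auditable: piping them to Export-Csv gives a record of exactly which memberships were removed on which domain, and the account is only disabled and moved when every removal succeeded.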

Find users in AD group and add them into another group

I have Kerio Connect server and it doesn't allow group inheritance. So I need to create one group for mail and another group for AD with similar users.
I wrote:
Import-Module ActiveDirectory
Get-ADGroupMember -Identity Sales.Department |select SamAccountName |ForEach-Object {Add-ADGroupMember -Identity sales.mail -Members $_.SamAccountName}
And I need to make it for all groups with expression *.Department and mail groups with *.mail
Retrieve the group members of sales.department using Get-ADGroup and then add the group members to sales.mail using Add-ADGroupMember
$MemberList = (Get-ADGroup -Identity "sales.department" -Properties member).member
Add-ADGroupMember -Identity "sales.mail" -Members $MemberList
For that purpose you'd better use the Add-ADPrincipalGroupMembership cmdlet instead of Add-ADGroupMember. For me it is working fine:
Get-ADGroupMember -Identity Source-Group-Name |select SamAccountName |ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf Target-Group-Name}
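The asker wants the copy to run for every "*.Department" group into the matching "*.mail" group, and neither answer addresses what happens when someone leaves a department: a one-way Add leaves stale members in the mail group. The following is an added example, not code from either answer; it enumerates the department groups with a server-side filter, computes the membership difference by distinguished name and mirrors it, with an opt-in switch for removing members who are no longer in the source group. It assumes the RSAT ActiveDirectory module and the naming scheme from the question; the function and parameter names are this example's own.

```powershell
# Added example, not code from any answer above. Assumes the RSAT ActiveDirectory module
# and groups named "<dept>.Department" / "<dept>.mail" as in the question.
Import-Module ActiveDirectory

function Sync-MailGroupFromDepartment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceSuffix = '.Department',
        [string]$TargetSuffix = '.mail',
        [switch]$RemoveExtra     # also drop members of X.mail that are no longer in X.Department
    )
    # -Filter is evaluated server-side, so only the department groups come back.
    # Reading the member attribute directly avoids the Get-ADGroupMember result limit
    # (5000 entries by default in AD Web Services) on large groups.
    $sources = Get-ADGroup -Filter "Name -like '*$SourceSuffix'" -Properties member
    foreach ($src in $sources) {
        $prefix     = $src.Name.Substring(0, $src.Name.Length - $SourceSuffix.Length)
        $targetName = "$prefix$TargetSuffix"
        $target = Get-ADGroup -Filter "Name -eq '$targetName'" -Properties member
        if (-not $target) { Write-Warning "No target group '$targetName' for '$($src.Name)'"; continue }

        # Diff by distinguished name; that is what the member attribute holds on both sides.
        # Where-Object { $_ } turns an empty attribute into an empty array instead of @($null).
        $srcMembers = @($src.member    | Where-Object { $_ })
        $tgtMembers = @($target.member | Where-Object { $_ })
        $toAdd    = @($srcMembers | Where-Object { $_ -notin $tgtMembers })
        $toRemove = @($tgtMembers | Where-Object { $_ -notin $srcMembers })

        if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($targetName, "Add $($toAdd.Count) member(s)")) {
            Add-ADGroupMember -Identity $target -Members $toAdd -Confirm:$false
        }
        $removed = 0
        if ($RemoveExtra -and $toRemove.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($targetName, "Remove $($toRemove.Count) member(s)")) {
            Remove-ADGroupMember -Identity $target -Members $toRemove -Confirm:$false
            $removed = $toRemove.Count
        }
        [pscustomobject]@{ Source = $src.Name; Target = $targetName; Added = $toAdd.Count; Removed = $removed; Stale = $toRemove.Count }
    }
}

# Sync-MailGroupFromDepartment -WhatIf        # report what would change, touch nothing
# Sync-MailGroupFromDepartment -RemoveExtra   # full mirror, including removals
```

Passing the whole array to -Members issues one modify per group rather than one per member, and the Stale column shows how many mail-group members no longer belong to the department even when -RemoveExtra is not used.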

List AD users who do not belong to one of several groups

First up, I am not a script writer, so I apologise if this sounds like a real newbie question.
I am trying to write a Powershell query to list all user accounts within a certain OU sub-tree who do not belong to at least one of 4 groups.
As far as I can tell you cannot query this directly on the AD User object, so you need to iterate through the groups to get the membership, but I'm not clear on how to go about this across multiple groups.
I have put together a script that can find all users, add them to a temporary group and then remove them if they belong to one of the four other groups, but this looks like a horrible way to approach it, so I am hoping someone has a better solution.
Here's what I currently have (don't laugh) :-(
Import-Module ActiveDirectory
$groupname = "TempGroup"
$excludegroup1 = "Group1"
$excludegroup2 = "Group2"
$excludegroup3 = "Group3"
$excludegroup4 = "Group4"
$users = Get-ADUser -Filter * -SearchBase "ou=xxx,dc=xxx,dc=xxx" -SearchScope Subtree
foreach($user in $users)
{
Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup1
foreach($member in $excludemembers)
{
Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup2
foreach($member in $excludemembers)
{
Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup3
foreach($member in $excludemembers)
{
Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup4
foreach($member in $excludemembers)
{
Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
All help gratefully accepted.
All users, computers, groups and contacts (and possibly other objects) in Active Directory have a property called memberof. This property contains the distinguished names of all groups from the whole forest that this entity is a member of, as the attribute's name implies.
Given this information, you can now construct an ldap search query to find all entities that are not members of at least one of those groups:
(!(|(memberof=CN=Group1,dc=domain,dc=com)(memberof=CN=Group2,dc=domain,dc=com)(memberof=CN=Group3,dc=domain,dc=com)))
Other conditions may be included as necessary.
If you need to obtain the distinguished names of those groups first, you can either hard-code them in your filter or do a normal Powershell search for the groups and then read their distinguished names.
You can use the ldap query via the command's -LDAPFilter parameter.
In case anyone is interested, this is the code I have now. It uses a group, which it flushes each run, because then I can simply double-click a user to get into their object and add them to the group they're missing from.
Import-Module ActiveDirectory
$groupname = "NotInGroups"
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$users = Get-ADUser -Filter {
    (memberof -notlike "CN=Group1,DC=domain,DC=local") -AND
    (memberof -notlike "CN=Group2,DC=domain,DC=local") -AND
    (memberof -notlike "CN=Group3,DC=domain,DC=local") -AND
    (memberof -notlike "CN=Group4,DC=domain,DC=local")
} -SearchBase "ou=users,dc=domain,dc=local" -SearchScope Subtree
foreach($user in $users)
{
Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
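The LDAP-filter answer hard-codes the group DNs and, as written, only sees direct membership: a user who is in Group1 through a nested group is not excluded. The following is an added example, not code from either the answer or the asker's final script; it resolves the group names to DNs, escapes them per RFC 4515 so a DN containing ( ) * or \ cannot break or widen the filter, and builds the same (!(|...)) query, with optional switches for following nested membership via the LDAP_MATCHING_RULE_IN_CHAIN rule and for excluding disabled accounts. It assumes the RSAT ActiveDirectory module; the function names, and the group names and OU in the usage line, are placeholders for the asker's values.

```powershell
# Added example, not code from any post above. Assumes the RSAT ActiveDirectory module;
# group names and the search base in the usage line are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        $out = switch ($ch) {
            '\'  { '\5c' }
            '*'  { '\2a' }
            '('  { '\28' }
            ')'  { '\29' }
            "`0" { '\00' }
            default { $ch }
        }
        [void]$sb.Append($out)
    }
    $sb.ToString()
}

function Get-UserNotInAnyGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$IncludeNested,   # count membership through a nested group as membership
        [switch]$EnabledOnly
    )
    # memberof holds distinguished names, so resolve the names first; a typo in a group
    # name must stop here rather than silently widen the result set.
    $dns = foreach ($name in $GroupName) {
        (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName
    }
    # Plain memberof matches direct membership only. The matching rule
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows group nesting.
    $attr  = if ($IncludeNested) { 'memberof:1.2.840.113556.1.4.1941:' } else { 'memberof' }
    $terms = ($dns | ForEach-Object { "($attr=$(ConvertTo-LdapFilterValue $_))" }) -join ''
    $clauses = "(!(|$terms))"
    if ($EnabledOnly) {
        # userAccountControl bit 2 is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the bitwise-AND rule
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }
    $filter = "(&$clauses)"
    Write-Verbose "LDAP filter: $filter"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree
}

# Get-UserNotInAnyGroup -GroupName Group1,Group2,Group3,Group4 `
#     -SearchBase 'ou=users,dc=domain,dc=local' -EnabledOnly -Verbose
```

Running with -Verbose prints the assembled filter, which is worth checking once against the answer's hand-written form; the nested variant is slower because the matching rule is evaluated per object on the domain controller, so use it only when the groups actually nest.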