I have a .csv file with the group names and the SAM of the users I want to delete from the 10 groups.
How does this work? I am a PowerShell beginner.
Save the user list as csv and use something like
$users = import-csv C:\csvpath\users.csv
Foreach ($user in $users){
Remove-adgroupmember -identity "groupname1" -members $user.username -Confirm:$false
Remove-adgroupmember -identity "groupname2" -members $user.username -Confirm:$false
}
You could of course also get the groupnames from another csv to get a cleaner code
$users = import-csv C:\csvpath\users.csv
$groups = import-csv C:\csvpath\groups.csv
Foreach ($user in $users){
Foreach ($group in $groups) {
Remove-adgroupmember -identity $group.name -members $user.username -Confirm:$false
}
}
Related
When somebody leaves my organization, we remove all AD group memberships apart from the PrimaryGroup which is Domain Users. We often process these in batches, so pull the affected usernames from a CSV file.
I have the following code, and while it does the job of deleting all group memberships, I get an error for each user:
The user cannot be removed from a group because the group is currently the user's primary group
Whilst it does the job, how can I "clean up" the process to avoid this message each time? Is there a way to exclude Domain Users from the groups it removes the user from, or should I do this another way?
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
Get-ADPrincipalGroupMembership -identity $user.username | foreach {Remove-ADGroupMember $_ -Members $user.username -Confirm:$false}
}
You can use Where-Object for filtering those groups that are not in an array of groups to exclude. In case you only want to filter for 1 specific group, you would use -NE instead of -NotIn in below example.
$groupToExclude = 'Domain Users', 'someOtherGroup'
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
try {
Get-ADPrincipalGroupMembership -Identity $user.username |
Where-Object Name -NotIn $groupToExclude |
Remove-ADGroupMember -Members $user.username -Confirm:$false
}
catch {
Write-Warning $_.Exception.Message
}
}
If you get the ADUser object before the ADGroup memberships, you can get the PrimaryGroup of the user and ensure that the list of groups to remove from are not its PrimaryGroup:
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
$primaryGroup = ( Get-ADUser $user.UserName -Properties PrimaryGroup ).PrimaryGroup
Get-ADPrincipalGroupMembership -Identity $user.UserName | Where-Object {
$_ -ne $primaryGroup
} | ForEach-Object {
Remove-ADGroupMember $_ -Members $user.username -Confirm:$False -WhatIf
}
}
Since this has the potential to be a very destructive command, I have included a safeguard in the example above. Remove the -WhatIf parameter from Remove-ADGroupMember to actually perform the removal.
I'd propose a slightly different approach - just drop Get-ADPrincipalGroupMembership altogether. For example:
$users = Import-Csv -Path c:\temp\leavers.csv
foreach ($user in $users) {
# Assuming DN is not in the csv...
$distinguishedName = (Get-ADUser -Identity $user.UserName).DistinguishedName
Get-ADGroup -LdapFilter "(member=$distinguishedName)"
# Alternatively, just pipe memberOf property to Get-ADGroup...
(Get-ADUser -Identity $user.UserName -Property MemberOf).MemberOf |
Get-ADGroup
}
That way you don't have to filter out something you insisted on getting (by using above mentioned cmdlet).
I am receiving the following error when running this script:
Get-ADGroupMember : Cannot convert 'System.Object[]' to the type
'Microsoft.ActiveDirectory.Management.ADGroup' required by parameter
'Identity'. Specified method is not supported.
Also, the users move from the Win7 group to the Win10 group, but depending on if they are members of the other groups in the if statements, none of the groups in the if statements are moving for any of the users. Please help.
Just for reference the userlist file contains Active Directory usernames in a text file like this:
jsmith
ksmith
etc.
The grouplist text file contains Active Directory groups like this:
Nitro7
Project7
Visio7
Zoom7
SnagIt7
OneNote7
Code:
Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
$group = Get-Content -Path .\grouplist.txt
$members = Get-ADGroupMember -Identity $group -Recursive
foreach ($user in $users){
Remove-ADGroupMember -Identity "Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Win10" -Members $user -Confirm:$false -Verbose
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Nitro7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Project7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Project10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "OneNote7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "OneNote10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Zoom7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Zoom10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "SnagIt7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "SnagIt10" -Members $user -Confirm:$false -Verbose
}
If ($members.SamAccountName -contains $user) {
Remove-ADGroupMember -Identity "Visio7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Visio10" -Members $user -Confirm:$false -Verbose
}
}
The -Identity property of Get-ADGroupMember is a singleton, not an array.
However, the -Identity property does accept the pipeline for input. So, you may be able to do something like this:
$members = $group | Get-ADGroupMember -Recursive
Although, IMX, some of the AD commands are a bit wonky due to their age. I expect you may need to do something like this:
$members = foreach ($g in $group) { Get-ADGroupMember -Identity $g -Recursive }
The rest of your script has kind of a confused logic, however, so I can't really tell what you're intending to do.
{snip}
Based on your comments, here's what I'd do.
First, I'd change your groups file. Instead of a plain text list of the groups, I'd make it a CSV file with two columns: The old group and the new group.
So, grouplist.csv looks like this:
"OldGroupName","NewGroupName"
"Nitro7","Nitro10"
"OneNote7","OneNote10"
"Project7","Project10"
"SnagIt7","SnagIt10"
"Visio7","Visio10"
"Win7","Win10"
"Zoom7","Zoom10"
Now you have a map for each old group and the group you want to migrate your users to.
Now, we do it like this:
$users = Get-Content .\userlist.txt
$groups = Import-Csv .\grouplist.csv
foreach ($group in $groups) {
$UsersToModify = Get-ADGroupMember $group.OldGroupName -Recursive | Where-Object SamAccountName -in $users
Remove-ADGroupMember -Identity $group.OldGroupName -Members $UsersToModify -Confirm:$false -Verbose -WhatIf
Add-ADGroupMember -Identity $group.NewGroupName -Members $UsersToModify -Confirm:$false -Verbose -WhatIf
}
[Note: Remove the -WhatIf to actually perform the actions.]
For each group, we get a list of the groups members, filter it to the usernames in $users and save that to $UsersToModify. Then, we pass that list of users to the Remove and Add commands. We only need to call it once per each group.
I know you had a special exception for Win7 to Win10, but I don't see where the logic of the script really needs to change to accommodate that. If you want to always add all users in $users to Win10, you could add that manually:
$UsersToAddtoWin10 = $users | Get-ADUser
Add-ADGroupMember -Identity Win10 -Members $UsersToAddtoWin10 -Confirm:$false -Verbose -WhatIf
Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
foreach ($user in $users){
Remove-ADGroupMember -Identity "View_Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "View_Win10" -Members $user -Confirm:$false -Verbose
[array]$grps=Get-ADUser $user -Property memberOf | Select -ExpandProperty memberOf | Get-ADGroup | Select Name
foreach($grp in $grps){
if($grp.Name -match "Nitro7") {
Remove-ADGroupMember -Identity "Nitro7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "Project7") {
Remove-ADGroupMember -Identity "Project7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Project10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "OneNote7") {
Remove-ADGroupMember -Identity "OneNote7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "OneNote10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "Zoom7") {
Remove-ADGroupMember -Identity "Zoom7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Zoom10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "SnagIt7") {
Remove-ADGroupMember -Identity "SnagIt7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "SnagIt10" -Members $user -Confirm:$false -Verbose
}
If ($grp.Name -match "Visio7") {
Remove-ADGroupMember -Identity "Visio7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Visio10" -Members $user -Confirm:$false -Verbose
}
}
}
Let's see if this will work for you, considering your $user and $group lists are exactly as you show...
#get your users...
$users = Get-Content -Path .\userlist.txt
#get your groups...
$groups = Get-Content -Path .\grouplist.txt
#for each user...
foreach ($user in $users) {
#get their group memberships, expand the property...
$memberOf = Get-ADUser -Identity $user -Properties MemberOf | Select -ExpandProperty memberof
#for each membership found in $groups that also ends in '7'...
foreach ($membership in ($memberOf | Where-Object {($_ -match ($groups -join "|")) -and ($_ -like '*7')})) {
#remove the user from the matched group...
Remove-ADGroupMember -Identity $membership -Members $user -Confirm:$false
#add the user to a group with the same name, replacing 7 with 10...
Add-ADGroupMember -Identity $membership.Replace("7","10") -Members $user -Confirm:$false
}
}
IMPORTANT
Please note that this -match operator will return any other groups that are contained in $groups that also end in 7. If you have additional group names that match that criteria stored in $groups, you will want more filtering on $memberOf for the $membership iteration.
This script will also replace every instance of the character '7' in $membership (a matched group's DistinguishedName), with '10', in order to add $user to the new group. So, make sure that isn't a problem.
Import-Module ActiveDirectory
$users = Get-Content -Path .\userlist.txt
$group = "Nitro_Win7"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
foreach ($user in $users){
Remove-ADGroupMember -Identity "Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Win10" -Members $user -Confirm:$false -Verbose
If ($members -contains $user) {
Remove-ADGroupMember -Identity "Nitro_Win7" -Members $user -Confirm:$false -Verbose
Add-ADGroupMember -Identity "Nitro_Win10" -Members $user -Confirm:$false -Verbose
}
}
The list of users are migrating successfully from the "Win7" group to the "Win10" group. However, the second step in the if statement does not seem to be working properly. The goal is to also have users removed from "Nitro_Win7" and added to "Nitro_Win10" if they are a member of "Nitro_Win7". After running, if users are a member of "Nitro_Win7", they stay in "Nitro_Win7". This is not working as hoped. Please help!
I'm trying to add multiple users to multiple groups from a csv file and have looked through every post about adding multiple users to multiple groups for the past weeks but due to the nature of csv file I am having trouble executing it correctly.
The data in the csv file looks like this
Username,FACULTY01,FACULTY02,FACULTY03,FACULTY04
"User1,group1,group2,group3"
"User2,group1,,group3,group4"
"User3,,group2,,group4"
There are 20+ groups, each member can be part of 1 to 4 groups found under the faculty headings
I have the following code
Import-Module ActiveDirectory
$csv = Import-csv C:\TestADGroupADD.csv -Header ('Username', 'FACULTY01', 'FACULTY02', 'FACULTY03', 'FACULTY04')
ForEach-Object {
$username = $_.Username
$Faculty = $_."Faculty01,FACULTY02,FACULTY03,FACULTY04"
}
Foreach($Faculty in $csv){
if ($Faculty -eq 'ADMINISTRATION') { Add-ADGroupMember -Identity $Faculty -Member $username }
if ($Faculty -eq 'Accounting') { Add-ADGroupMember -Identity $group -Member $username }
if ($Faculty -eq 'SCIENCE') { Add-ADGroupMember -Identity $group -Member $username }
if ($Faculty -eq 'SALES') { Add-ADGroupMember -Identity $groupe -Member $username }
if ($Faculty -eq 'DEANSFUND') { Add-ADGroupMember -Identity $group -Member $username }
}
I have a feeling I must use a different method to combine the faculties into one variable but I have tried with one and still fails - I am a beginner in PowerShell
Appreciate your help.
You could do something like this:
$faculties = #("FACULTY01", "FACULTY02", "FACULTY03", "FACULTY04")
$csv = Import-csv C:\temp\test.csv -Header (#("UserName") + $faculties)
foreach ($user in $csv | Select-Object -Skip 1)
{
foreach ($faculty in $faculties)
{
if ($user.$faculty)
{
Add-ADGroupMember -Identity $user.$faculty -Member $user.UserName
}
}
}
I would like to add an existing user to a list of groups (text or csv). Something like this but this doesn't work.
$groups = Import-csv ‘C:\temp\temp.csv‘
foreach ($group in $groups) {
Add-ADGroupMember $group -Members firstlast
}
Not sure why your code is not working; try the following:
$groups = Import-Csv "C:\temp\temp.csv"
$groups | ForEach-Object {Add-Adgroupmember -Identity $_ -members "firstlast"}
I am assuming your user's name is "firstlast"