I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with a # symbol:
Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroupMember -Members $UserID
It actually works fine, and successfully removes them from the correct groups; however, the script locks my admin account every time it's run. Weird!
From trawling the internet for a while, I suspect it's something to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with #), or it thinks I'm trying to do something malicious because I'm sending such a large amount of commands in a short time?
Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single # group in the Active Directory, it only runs for the groups that the user is a member of? Or any other ideas?
Thank you.
Try this:
# Only the groups the user is actually in, filtered down to the "#" ones
$groups = Get-ADPrincipalGroupMembership $user | where {$_.name -like "#*"} | select -expandproperty name
foreach($group in $groups){
    Remove-ADGroupMember -identity $group -Members $user
}
It will only look for the groups that $user is a member of, so you should be fine token-wise.
Don't forget to replace $user with the user name, or fill the variable beforehand.
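An added example (not from either poster) that takes the same approach one step further: one read of the user's memberOf, a name match on each group rather than a DN match, every call pinned to the same DC, a dry-run switch, and a log line per change. The user name, log path and server are placeholders.

```powershell
# Added example: remove one user from every group whose name starts with "#",
# touching only the groups the user is actually a member of.
# Assumes the ActiveDirectory module; $UserID, $Server and $LogPath are placeholders.
Import-Module ActiveDirectory

function Remove-UserFromPrefixedGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$UserID,
        [string]$Prefix = '#',
        [string]$Server,                                           # optional: pin all calls to one DC
        [string]$LogPath = "$env:TEMP\prefixed-group-cleanup.log"
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # memberOf holds the DNs of the user's direct groups: one read instead of
    # one Remove-ADGroupMember call per "#" group in the whole directory.
    $user = Get-ADUser -Identity $UserID -Properties memberOf @ad

    $removed = 0
    foreach ($groupDN in $user.memberOf) {
        # A leading "#" is escaped as "\#" inside a DN (RFC 4514), so match on
        # the group's Name attribute rather than on the DN string.
        $group = Get-ADGroup -Identity $groupDN @ad
        if ($group.Name -notlike "$Prefix*") { continue }

        if ($PSCmdlet.ShouldProcess($group.Name, "Remove member $UserID")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false @ad
            "$(Get-Date -Format s) removed $UserID from $($group.Name)" | Add-Content -Path $LogPath
            $removed++
        }
    }
    return $removed   # number of groups the user was removed from
}

# Dry run first, then the real thing:
# Remove-UserFromPrefixedGroups -UserID 'jdoe' -Server 'dc01.example.local' -WhatIf
# Remove-UserFromPrefixedGroups -UserID 'jdoe' -Server 'dc01.example.local' -Confirm:$false
```

Running the -WhatIf pass first shows exactly which groups would be touched; the returned count and the log give you something to compare against after the real run.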
Hmm, I don't have an AD infrastructure at home, but it looks like your example has nothing defining $UserID.
Following situation: you have ForeignSecurityPrincipals in your AD groups, but Remove-ADGroupMember cannot remove them, since it does not support removing "ForeignSecurityPrincipal". Using the DOMAIN\SamAccountName method is not available either, since that old domain does not exist any more. On top of that, you are not allowed to use external modules, since that company does not want external modules.
I needed this functionality today for a mass-cleanup job, written without needing extra modules and without having the old AD available, since it was already killed. Found nothing, so I developed this solution and am sharing it.
You have to get the DOMAINSID first, which should be simple. My example uses -Server since the "adminforest" is not the same as the forest of the groups to be modified. It searches all groups from the given OU, selects all groups with members matching the DOMAINSID, and then removes each member matching the DOMAINSID from those groups.
Don't forget to set $WhatIf=$false; otherwise it runs in "we test only" mode.
$Groups = Get-ADGroup -Server other.domain.local -Filter * -SearchBase "OU=Groups,OU=SubOU,OU=Subsidary,DC=OTHER,DC=DOMAIN,DC=LOCAL" -Properties *
# Keep only the groups whose member attribute contains a DN from the old domain (an FSP is named after its SID)
$GroupsWithForeignMembers = @($Groups.Where({$_.member -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
$WhatIf=$true
foreach ($Group in $GroupsWithForeignMembers) {
    # Re-read the group from the same server so the member list is current
    $MemberForeign = @((Get-ADGroup -Server other.domain.local -Identity $Group.SamAccountName -Properties member).member.Where({$_ -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
    foreach ($Member in $MemberForeign) {
        "Removing $Member from $($Group.SamAccountName)" | Tee-Object -Append "GROUPS-cleanup.log"
        # Set-ADObject -Remove edits the member attribute directly, which works where Remove-ADGroupMember rejects the FSP
        Set-ADObject -Server other.domain.local -Identity $Group -Remove @{member=$Member} -Verbose -WhatIf:$WhatIf
    }
}
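An added example (not the poster's script) that reaches the same result from the other side: instead of reading every group in an OU and string-matching its member attribute, it queries the ForeignSecurityPrincipals container for the SIDs of the dead domain and uses each FSP's memberOf backlink to find the groups to edit. The domain SID, server, OU and log path are placeholders; it runs as a dry run until -Confirm:$false is passed.

```powershell
# Added example: strip group members that belong to a removed trusted domain by
# starting from the ForeignSecurityPrincipals container rather than from the groups.
# Assumes the ActiveDirectory module; $DomainSid, $Server, $GroupSearchBase and $LogPath are placeholders.
Import-Module ActiveDirectory

function Remove-ForeignSidMemberships {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DomainSid,     # SID of the removed domain, e.g. 'S-1-5-21-1111-2222-3333'
        [Parameter(Mandatory)][string]$Server,        # a DC of the domain whose groups are being cleaned
        [string]$GroupSearchBase,                     # optional: only touch groups under this DN
        [string]$LogPath = 'GROUPS-cleanup.log'
    )
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName
    $fspBase  = "CN=ForeignSecurityPrincipals,$domainDN"

    # Every FSP is named after its SID, so one scoped query finds all principals
    # from the old domain together with the groups (memberOf) they still sit in.
    # memberOf only lists groups of this domain; other domains need their own run.
    $fsps = Get-ADObject -Server $Server -SearchBase $fspBase -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(name=$DomainSid-*))" `
        -Properties memberOf

    $count = 0
    foreach ($fsp in $fsps) {
        foreach ($groupDN in $fsp.memberOf) {
            if ($GroupSearchBase -and $groupDN -notlike "*,$GroupSearchBase") { continue }
            if ($PSCmdlet.ShouldProcess($groupDN, "Remove member $($fsp.Name)")) {
                # Editing the member attribute directly sidesteps the Remove-ADGroupMember limitation
                Set-ADObject -Server $Server -Identity $groupDN -Remove @{ member = $fsp.DistinguishedName }
                "$(Get-Date -Format s) removed $($fsp.Name) from $groupDN" | Add-Content -Path $LogPath
                $count++
            }
        }
    }
    return $count   # number of memberships removed
}

# Dry run, then apply:
# Remove-ForeignSidMemberships -DomainSid 'S-1-5-21-<old-domain>' -Server other.domain.local -WhatIf
# Remove-ForeignSidMemberships -DomainSid 'S-1-5-21-<old-domain>' -Server other.domain.local -Confirm:$false
```

The LDAP filter on the FSP name is a prefix match on the domain SID, so only principals from that one domain are touched; the orphaned FSP objects themselves are left in place, which keeps the change reversible if a group turns out to still need one of them.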
Our application allows the customer to authenticate to their own domain via LDAP, but we keep a cached copy of those logons and accounts in "myserver" ADSI. Due to limitations with another part of our application, I have a need to delete several thousand of those cached accounts from myserver ADSI.
Keep in mind that this is NOT FOR MY DOMAIN but for the customer's domain. And no, I'm not trying to delete accounts in THEIR domain, just our cached copies in ADSI.
The following line of code does NOT throw an error, but it also does NOT delete the account (neither does piping it to "Remove-ADUser"):
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -filter {name -eq "testuser"} | remove-adobject
Side note: I can query this tree of the default naming context just fine:
Get-ADObject -Server "myserver:3890" -filter 'objectclass -like "*"' -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory"
or I can use the -LDAPFilter switch to get pertinent info about a specific account.
It's a weird situation since I'm NOT dealing with accounts in my own domain. Many other variations on this theme throw errors referencing my own domain, partitions, etc. I've worked through all of those I think. The above examples SHOULD work in my opinion.
Final note: I CAN delete the user in the ADSIEDIT GUI, but as mentioned, they have given me a list of thousands of accounts that need removing. There's gotta be a way?!
I figured it out (I'm feeding it a list of $users):
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -Filter * | Where-Object {$_.name -eq "$user"} | Remove-ADObject -confirm:$false
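An added example (not the poster's line) of the same deletion done with one server-side lookup per name instead of pulling the whole container for each user: the name is escaped before it goes into the LDAP filter, anything that matches zero or more than one object is reported rather than deleted, and the run is a dry run until -Confirm:$false is passed. The server, search base and list path are the poster's placeholders; the log path is assumed.

```powershell
# Added example: delete a list of cached accounts from an AD LDS instance by name.
# Assumes the ActiveDirectory module; the server, search base, list and log paths are placeholders.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515); backslash goes first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    return $v -replace "`0", '\00'
}

function Remove-CachedAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [string]$Server     = 'myserver:3890',
        [string]$SearchBase = 'CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory',
        [string]$LogPath    = 'cached-account-cleanup.log'
    )
    $result = [ordered]@{ Deleted = 0; NotFound = @(); Ambiguous = @() }

    foreach ($name in $Names | ForEach-Object { $_.Trim() } | Where-Object { $_ }) {
        $filter = "(name=$(ConvertTo-LdapFilterValue $name))"
        $hits = @(Get-ADObject -Server $Server -SearchBase $SearchBase -LDAPFilter $filter)

        if ($hits.Count -eq 0) { $result.NotFound  += $name; continue }
        if ($hits.Count -gt 1) { $result.Ambiguous += $name; continue }   # never delete on a guess

        if ($PSCmdlet.ShouldProcess($hits[0].DistinguishedName, 'Delete cached account')) {
            Remove-ADObject -Server $Server -Identity $hits[0].DistinguishedName -Confirm:$false
            "$(Get-Date -Format s) deleted $($hits[0].DistinguishedName)" | Add-Content -Path $LogPath
            $result.Deleted++
        }
    }
    return [pscustomobject]$result   # Deleted count plus the names that were skipped
}

# $users = Get-Content 'C:\Scripts\cached-users.txt'
# Remove-CachedAccounts -Names $users -WhatIf          # preview
# Remove-CachedAccounts -Names $users -Confirm:$false  # apply
```

Deleting by the resolved DistinguishedName rather than by name keeps the delete unambiguous, and the NotFound and Ambiguous lists are the two things worth checking before the real run.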
I'm looking to run a script that will be run on MOST of our users, minus about 25 exceptions.
The plan was to run the script on everyone that WASN'T in a group that I made, which would have these 25 users. However, I can't figure out how to run a Get-ADGroupMember that targets everyone except that group.
I tried something like:
$users = Get-ADGroupMember -ne 'GPO TEST'
but that obviously doesn't work.
Anyone have an idea?
You can find users that are not a member of a group:
$groupDN = (Get-ADGroup <groupname> | Select-Object -ExpandProperty DistinguishedName)
Get-ADUser -LDAPFilter "(!memberOf=$groupDN)"
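An added example (not the answer's code) that builds on the memberOf filter above: the group DN is escaped before it goes into the LDAP filter, the matching-rule-in-chain OID makes the exclusion cover nested membership, and disabled accounts are left out by default. 'GPO TEST' is the poster's group name; everything else is assumed.

```powershell
# Added example: enabled users who are not (directly or through nesting) in an exclusion group.
# Assumes the ActiveDirectory module; the group name is the poster's, the rest is assumed.
Import-Module ActiveDirectory

function Get-UsersOutsideGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$IncludeDisabled
    )
    $groupDN = (Get-ADGroup -Identity $GroupName).DistinguishedName

    # A DN may contain characters that are special inside an LDAP filter (RFC 4515).
    $escapedDN = $groupDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested groups, so a
    # user who is in a group that is itself a member of the exclusion group is excluded too.
    $filter = "(&(objectCategory=person)(objectClass=user)(!(memberOf:1.2.840.113556.1.4.1941:=$escapedDN)))"
    if (-not $IncludeDisabled) {
        # userAccountControl bit 2 = ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the bitwise-AND rule
        $filter = "(&$filter(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    }
    Get-ADUser -LDAPFilter $filter
}

# $targets = Get-UsersOutsideGroup -GroupName 'GPO TEST'
# $targets.Count
# $targets | Select-Object SamAccountName, DistinguishedName | Export-Csv 'C:\Scripts\targets.csv' -NoTypeInformation
```

Exporting the result set before running anything against it gives you a record of exactly which accounts the script touched. The chained matching rule is evaluated on the DC and can be slow in very large directories; if nesting is not in play, the plain memberOf filter from the answer is cheaper.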
This may be the wrong approach, but I have spent the last couple of days experimenting with the foreach in PowerShell (I use version 5 of PowerShell).
What I am looking for is a way to add a list of computers that I already have to a list of AD groups that I already have. So I used Get-Content to import the 2 .txt files, and I also learned that AD groups in PowerShell use -Identity instead of name; I don't know the reason for that decision. But nevertheless I came up with this:
$Apps = Get-Content C:\Scripts\Apps.txt
$Computers = Get-Content C:\Scripts\Computers.txt
foreach ($App in $Apps) {
    Add-ADGroupMember $Apps -Identity $Computers
}
My problem is that it works if I only have 1 AD group in the Apps.txt file. If I add more groups, PowerShell goes all red on me, and then my computer starts crying.
In Computers.txt I have listed the computer accounts with a $ at the end, and they are on separate lines, like this:
PC1$
PC2$
In Apps.txt the AD groups are on separate lines, without any commas or semicolons or anything.
Change $Apps to $App in the line Add-ADGroupMember $Apps -Identity $Computers,
and also the -Identity parameter is the AD group name. You will also need to use the -Members parameter for the users. E.g.
Add-ADGroupMember -Identity $App -Members $Computers
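An added example (not the answer's code) of the corrected loop with the checks a bulk change deserves: blank lines are skipped, every computer is resolved once up front so a bad name is reported rather than silently dropped, each group is resolved before it is touched, and each add is wrapped in try/catch so one failure does not stop the run. The file and log paths are assumed.

```powershell
# Added example: add every computer in one file to every group in another, with validation and a dry run.
# Assumes the ActiveDirectory module; file and log paths are placeholders.
Import-Module ActiveDirectory

function Add-ComputersToGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupListPath    = 'C:\Scripts\Apps.txt',
        [string]$ComputerListPath = 'C:\Scripts\Computers.txt',
        [string]$LogPath          = 'C:\Scripts\group-add.log'
    )
    # Trim and drop empty lines. Computer names may be given with or without the trailing "$".
    $groups    = Get-Content $GroupListPath    | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $computers = Get-Content $ComputerListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Resolve every computer once; unknown names are reported, not silently skipped.
    $members = foreach ($c in $computers) {
        try   { Get-ADComputer -Identity $c -ErrorAction Stop }
        catch { Write-Warning "Computer not found: $c" }
    }
    if (-not $members) { throw "No computer in $ComputerListPath could be resolved; nothing to do." }

    $summary = [ordered]@{ Added = 0; Failed = 0 }
    foreach ($groupName in $groups) {
        try   { $group = Get-ADGroup -Identity $groupName -ErrorAction Stop }
        catch { Write-Warning "Group not found: $groupName"; $summary.Failed++; continue }

        if ($PSCmdlet.ShouldProcess($group.Name, "Add $(@($members).Count) computer(s)")) {
            try {
                # -Identity is the group, -Members the computers (the fix from the answer)
                Add-ADGroupMember -Identity $group -Members $members -ErrorAction Stop
                "$(Get-Date -Format s) added $(@($members).Count) computers to $($group.Name)" | Add-Content $LogPath
                $summary.Added++
            }
            catch {
                "$(Get-Date -Format s) FAILED $($group.Name): $($_.Exception.Message)" | Add-Content $LogPath
                $summary.Failed++
            }
        }
    }
    return [pscustomobject]$summary   # Added / Failed group counts
}

# Add-ComputersToGroups -WhatIf            # preview
# Add-ComputersToGroups -Confirm:$false    # apply
```

A computer that is already a member of a group makes Add-ADGroupMember throw, which is why the add is wrapped; the log line then says which group and why, and the summary tells you whether the run is worth repeating.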
Admittedly, I am not a PowerShell monster, so I'm going to punt...
I am working with a client who is pulling a list of all his user shares on his CIFS server to help redirect AD HomeDirectory paths in a major file server migration. This list is being compared to the list of AD users home directories as AD currently sees them.
The problem is that some user directories use old NT usernames (NAMEI$) and some use SAMACCOUNTNAME$. To complicate things further, the share SERVER differs in AD due to an elaborate history of DNS aliases over the past 10-15 years - so even though all the users' home directories currently exist on SERVERA, they could be mapped to OLDSERVER3, OLDERSERVER01, or OLDESTSERVERNT4 - resulting in home directories that are all over the map.
I need to write a script that can use the SAMACCOUNTNAME from a list, then change all the server information in the home directory to \\NEWSERVERNAME\CURRENTSHARE$, hopefully using something like this:
Use UserList
From UserList, get-ADuser -Identity $_ -HomeDrive "U:" -HomeDirectory
in HomeDirectory replace \\*\ with \\NewServer\ while leaving the Share$ untouched.
Set-ADuser -Identity $_ -HomeDrive "U:" -HomeDirectory
I'm fairly certain that this can be accomplished with regular expressions, for/each loops, etc... but I can't put it together.
Thank you for your help!
I went through the same migration a short while ago. Here is what you can use to set the new server while leaving the share folder untouched.
Import-Module ActiveDirectory
$samAccountNameList = Get-Content "c:\userIds.txt"
$newServer = "newFps01"
foreach ($user in $samAccountNameList) {
    $adProperties = Get-ADUser -Identity $user -Properties homeDirectory, homeDrive
    $homeDrive = $adProperties.HomeDrive
    # Split the original homeDirectory path and grab just the share folder portion
    # ("\\server\share$" splits into "", "", "server", "share$", so index 3 is the share)
    $shareFolder = ($adProperties.homeDirectory).Split("\")[3]
    $newHomeDirectory = "\\$newServer\$shareFolder"
    Set-ADUser -Identity $user -HomeDrive $homeDrive -HomeDirectory $newHomeDirectory
}
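An added example (not the answer's script) of the same migration done with a regex instead of Split, so that any folders below the share survive the rewrite; it also skips users with no UNC home directory or one already on the new server, keeps the existing drive letter where there is one, and supports a dry run. The list path, server name and drive letter are assumed.

```powershell
# Added example: rewrite only the server part of each user's home directory, keeping share and subfolders.
# Assumes the ActiveDirectory module; $ListPath, $NewServer and the default drive letter are placeholders.
Import-Module ActiveDirectory

function Convert-HomeDirectoryServer {
    param([string]$Path, [Parameter(Mandatory)][string]$NewServer)
    # \\OLDSERVER\share$\optional\subfolders  ->  \\NEWSERVER\share$\optional\subfolders
    if ($Path -notmatch '^\\\\(?<server>[^\\]+)\\(?<rest>.+)$') { return $null }   # not a UNC path
    if ($Matches.server -ieq $NewServer) { return $Path }                       # already migrated
    return "\\$NewServer\$($Matches.rest)"
}

function Update-HomeDirectoryServer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ListPath,
        [Parameter(Mandatory)][string]$NewServer,
        [string]$HomeDrive = 'U:'          # used only when the account has no drive letter set
    )
    $summary = [ordered]@{ Updated = 0; Skipped = 0; Unchanged = 0 }
    foreach ($sam in Get-Content $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }) {
        $u   = Get-ADUser -Identity $sam -Properties homeDirectory, homeDrive
        $new = Convert-HomeDirectoryServer -Path $u.homeDirectory -NewServer $NewServer
        if (-not $new) {
            Write-Warning "$sam has no UNC home directory ('$($u.homeDirectory)'), skipping"
            $summary.Skipped++; continue
        }
        if ($new -eq $u.homeDirectory) { $summary.Unchanged++; continue }

        if ($PSCmdlet.ShouldProcess($sam, "homeDirectory $($u.homeDirectory) -> $new")) {
            $drive = if ($u.homeDrive) { $u.homeDrive } else { $HomeDrive }
            Set-ADUser -Identity $u -HomeDrive $drive -HomeDirectory $new
            $summary.Updated++
        }
    }
    return [pscustomobject]$summary   # Updated / Skipped / Unchanged counts
}

# Update-HomeDirectoryServer -ListPath 'C:\userIds.txt' -NewServer 'newFps01' -WhatIf
# Update-HomeDirectoryServer -ListPath 'C:\userIds.txt' -NewServer 'newFps01' -Confirm:$false
```

Because the share name (NAMEI$ or SAMACCOUNTNAME$) is carried over untouched, the old-NT-name problem from the question does not need solving here; the -WhatIf output lists every old-to-new pair, which is the list to spot-check against the new file server before the real run.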