Powershell – How to select a user and remove all groups they are a member of using Powershell (with Quest)

powershell

I've read quite a bit online about this and thought I had found a solution, but it doesn't seem to be working like I would expect.

I am wanting to get a user based on the username I input, then remove all groups that it is a member of. Basically the same thing as going into ADUC, selecting the user, selecting the Member Of tab, highlighting everything (except domain users of course) and selecting remove.

Here's the command I'm trying to use:

Get-QADUser -Name $username | Remove-QADMemberOf -RemoveAll

Others have said online that it works for them, but so far it hasn't for me. It doesn't give an error, it accepts the command just fine, but when I look in ADUC, the groups are still there for the user.

Any suggestions as to what I may be doing wrong?

Executing from Windows 7 with domain admin rights, Exchange cmdlets and Quest snapin loaded.

Thanks!

Best Answer

I am using the following in my Disable user script (only added the part of removing the group membership)

$DisableIni = Read-host "Enter initials of the user you want to disable"
$DisableUser = Get-QADUser $DisableIni

# Check Groupmembership and populate the list to Notes
$groupmemberof=$DisableUser.memberof | Get-QADGroup
      Foreach ($Group in $groupmemberof)
    {$DisNotes = (get-qaduser $DisableIni).notes
    Set-qaduser $DisableIni -notes "$DisNotes $Group;"}

# Remove all memberships from the user except for "Domain Users"
$DisableUser.memberOf | Get-QADGroup | where {$_.name -notmatch '^users|domain users$'} | Remove-QADGroupMember -member $DisableIni

why would i add the groups to notes you might ask, just in case i disabled the wrong user, it is always good to be able to undo ;)

Hope you find it usefull

Related Solutions

PowerShell and Active Directory User Management

The base algorithm of what you're looking for looks something like this (according to me, anyway):

Enumerate all of the group with the right prefix.
Recursively follow their GroupMembers to enumerate any nested groups in them.
1. Once you get a group with no groups as members, stop recursing.
Take the list of users, for each user
1. Enumerate their Group Memberships
2. If any have the right prefix, remove them from it.
3. If any of the remaining groups are in the list of groups enumerated in the previous major step, remove them from that one too.

Now for actual code-like things.

Enumerating all groups with a prefix (untested, there will be bugs):

$RecurseList=dsquery group -name "abc-*"
$TargetList=$RecurseList
foreach $Grp in $RecurseList {
    # Now get the members of that group, do not expand
    $GrpMembers=dsget group "$Grp" -members
    foreach ($Member in $GrpMembers) {
        $isGroup=dsget group $Member
        if ($isGroup.dn -eq $Member) {
            $TargetList.add("$Member")
            RecurseIntoGroup($isGroup.dn)
        }
    }
}

Then when it comes time to talk the CSV list, get the membership of the user, and check to see if that group exists in $TargetList above. If so, remove it.

This is a heck of a lot of work to go through when removing just one user from potentially thousands of groups, but if you're doing a LOT of these then having the pre-built list will save you time.

If you only need to do it for a few users (say, 10 or so), you can walk back up the tree.

$UserGroups = dsquery user -name $Username -memberof
foreach ($uGroup in $UserGroups) {
    if (isConcerning($uGroup)) {
        $ConcerningGroups.add("$uGroup")
    }
}

function isConcerning {
param ($uGroup)

$parentGroups=dsget group $uGroup -memberOf
$found=$False
foreach ($pg in $parentGroup) {
    if ($parentGroup.startswith("abc-")) {
    return($true)
    $found=$true
    } else {
        $concerning=isConcerning($pg)
        if ($concerning) {
            return($true)
            $found=$true
        } 
    }
}
if (-not $found) {
    return($False)
}

And then remove the concerning groups as needed.

Powershell – How to add a to the description field in ADUC using Powershell/Exchange Management Shell

You are getting the error because you cannot set the description field using Set-User. This is an exchange CMDLET which does not allow for modification of that attribute. To modify the description attribute, you will need to use Set-ADUser. This is available in the Active Directory module. You can Import the Active Directory module using Import-module activedirectory. Something like this should help:

Import-Module ActiveDirectory
Set-ADUser -Company $companyname -Department $department -title $title -Manager $manager -officephone $phone -office $office -description $description

You will still need to set the "notes" attribute using Set-User.

Best Answer

Related Solutions

PowerShell and Active Directory User Management

Powershell – How to add a to the description field in ADUC using Powershell/Exchange Management Shell

Related Topic