Powershell – Remove User from Active Directory Groups

active-directory, powershell

I have written a script to disable and move users listed in a text file, and as part of this script, I would like to remove them from groups that grant them licenses to certain software.

My script removes the users, but gets stuck in a loop telling me that the group has been removed, and I can't figure out why.

I'm not sure what I'm missing here, help?!?

Thank you!

This is the block that's looping:

foreach ($group in $groups){
    #Write-Host $group
    foreach ($user in Get-ADGroupMember -Identity $group){
        If ((Get-ADUser $user.SamAccountName -Properties MemberOf).MemberOf -Contains $group){
            Write-Host "$term is a member of $group"
            Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false
            Write-Host "$term membership of $group removed."
        }
        else{
            Write-Host "$term is not a member of any groups"
        }
    }
}

This is the whole script if needed (sanitized):

#Import the Active Directory Module for Powershell
import-module activedirectory

#Get List of Terms
$terms = Get-Content "Terms.txt"

#Your name
$admin = Read-Host -Prompt "Please enter your name "

#foreach loop
foreach($term in $terms){

    $user = Get-ADUser -Filter {displayName -like $term} -Properties CanonicalName

    #Get location of User
    $split = $user.DistinguishedName.Split(',')
    $path = "$($split[-4])"
    $location = $path
    $ou = 'OU=Disabled,OU=People,'
    $dn = ',DC=some,DC=domain,DC=tld'
    $base = $ou + $location + $dn

    # disable user
    Disable-ADAccount -identity $user

    #Add Description
    $day = Get-Date -Format g
    Set-ADUser $user -Description "Disabled by $admin $day"

    Write-Host "$term Disabled by $admin on $day"

    #Groups to remove user from on termination
    $groups = @('CN=Group,OU=SomeOU,OU=Groups,OU=OU2,DC=some,DC=domain,DC=tld', 'CN=Group,OU=SomeOU,OU=Groups,OU=OU2,DC=some,DC=domain,DC=tld', 'sec_software_license_group1', 'sec_software_license_group2', 'sec_software_license_group3')

    foreach ($group in $groups){
        #Write-Host $group
        foreach ($user in Get-ADGroupMember -Identity $group){
            If ((Get-ADUser $user.SamAccountName -Properties MemberOf).MemberOf -Contains $group){
                Write-Host "$term is a member of $group"
                Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false
                Write-Host "$term membership of $group removed."
            }
            else{
                Write-Host "$term is not a member of any groups"
            }
        }
    }

    Write-Host 'Disabling and moving '$term

    # move user
    move-adobject -Identity $user -targetpath $base

    write-host $term' is moved to Disabled'
}

Best Answer

So, my first thought is that there is a typo or transposing error that you ran into when sanitizing your script. So, the following is based strictly upon how the post was originally written...

Well, I can't be sure but it looks like this bit needs to go:

foreach ($user in Get-ADGroupMember -Identity $group){

It looks as if you're grabbing all users in every group, and then for every user you find, you remove them from the group - which might be fine - except you're not just doing this for termed users - you're doing this for every user in every group you've specified.

As best as I can tell, if you ran this against an account that was in the Domain Admins group - you would effectively wipe the Domain Admins security group.

I think the source of your problem may stem from the fact that the $user you define in line 13 is not the same as the $user that you're using in line 37.

I would suggest you replace lines 37-46 with this single line:

Remove-ADGroupMember -Identity $Group -Member $User -Confirm:$False -ErrorAction:SilentlyContinue

It addresses a couple of concerns I have with the selection of code it replaces:

  1. It's efficient, and
  2. It gets rid of the unnecessary "Write-Host" lines ("-Verbose" exists for a reason), and
  3. It prevents any blood on the screen from appearing if the user isn't a member of any of the special groups.
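As an added example (not code from either the question or the answer), here is a guarded form of the group-removal step the answer recommends. It works from the user's own MemberOf attribute instead of enumerating every member of every group, so no other account is ever touched, and it does not reuse the outer $user variable that the answer points out gets clobbered. The function name Remove-TermUserFromGroups, the $ProtectedGroups list and the sample account name 'jdoe' are assumptions for this example; $groups is the list from the asker's script, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not the asker's or answerer's code.
Import-Module ActiveDirectory

function Remove-TermUserFromGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Groups,
        # Guard list (constructed for this example): groups this routine must never modify
        [string[]] $ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # -Identity with a SamAccountName resolves exactly one account or throws;
    # the -Filter on displayName in the question can return zero or several objects.
    $target = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    foreach ($groupName in $Groups) {
        # Get-ADGroup -Identity accepts a DN, SAM name, SID or GUID, so the mixed
        # list of DNs and short names from the question works unchanged.
        $group = Get-ADGroup -Identity $groupName

        if ($ProtectedGroups -contains $group.SamAccountName) {
            Write-Warning "Refusing to modify protected group '$($group.SamAccountName)'"
            continue
        }

        # Compare DNs against the user's own MemberOf attribute instead of
        # walking the group's membership, so nobody else is ever removed.
        if ($target.MemberOf -notcontains $group.DistinguishedName) {
            Write-Verbose "$SamAccountName is not a member of $($group.SamAccountName)"
            continue
        }

        # ShouldProcess gives -WhatIf / -Confirm for free on every removal.
        if ($PSCmdlet.ShouldProcess($group.SamAccountName, "Remove member $SamAccountName")) {
            Remove-ADGroupMember -Identity $group -Members $target -Confirm:$false
            Write-Verbose "Removed $SamAccountName from $($group.SamAccountName)"
        }
    }
}

# Dry run first, then the real change; -Verbose replaces the Write-Host lines.
Remove-TermUserFromGroups -SamAccountName 'jdoe' -Groups $groups -WhatIf
Remove-TermUserFromGroups -SamAccountName 'jdoe' -Groups $groups -Verbose
```

Run it with -WhatIf once against a test account before wiring it into the offboarding loop; the protected-group check is the cheap safeguard against the Domain Admins scenario the answer describes, and because nothing here reads group membership lists, the script's runtime no longer grows with the size of the groups.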