I have written a script to disable and move users listed in a text file, and as part of this script, I would like to remove them from groups that grant them licenses to certain software.
My script removes the users, but gets stuck in a loop telling me that the group has been removed, and I can't figure out why.
I'm not sure what I'm missing here, help?!?
Thank you!
This is the block that's looping:
foreach ($group in $groups){
    #Write-Host $group
    foreach ($user in Get-ADGroupMember -Identity $group){
        If ((Get-ADUser $user.SamAccountName -Properties MemberOf).MemberOf -Contains $group){
            Write-Host "$term is a member of $group"
            Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false
            Write-Host "$term membership of $group removed."
        }
        else{
            Write-Host "$term is not a member of any groups"
        }
    }
}
This is the whole script if needed (sanitized):
#Import the Active Directory Module for Powershell
import-module activedirectory
#Get List of Terms
$terms = Get-Content "Terms.txt"
#Your name
$admin = Read-Host -Prompt "Please enter your name "
#foreach loop
foreach($term in $terms){
    $user = Get-ADUser -Filter {displayName -like $term} -Properties CanonicalName
    #Get location of User
    $split = $user.DistinguishedName.Split(',')
    $path = "$($split[-4])"
    $location = $path
    $ou = 'OU=Disabled,OU=People,'
    $dn = ',DC=some,DC=domain,DC=tld'
    $base = $ou + $location + $dn
    # disable user
    Disable-ADAccount -identity $user
    #Add Description
    $day = Get-Date -Format g
    Set-ADUser $user -Description "Disabled by $admin $day"
    Write-Host "$term Disabled by $admin on $day"
    #Groups to remove user from on termination
    $groups = @('CN=Group,OU=SomeOU,OU=Groups,OU=OU2,DC=some,DC=domain,DC=tld', 'CN=Group,OU=SomeOU,OU=Groups,OU=OU2,DC=some,DC=domain,DC=tld', 'sec_software_license_group1', 'sec_software_license_group2', 'sec_software_license_group3')
    foreach ($group in $groups){
        #Write-Host $group
        foreach ($user in Get-ADGroupMember -Identity $group){
            If ((Get-ADUser $user.SamAccountName -Properties MemberOf).MemberOf -Contains $group){
                Write-Host "$term is a member of $group"
                Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false
                Write-Host "$term membership of $group removed."
            }
            else{
                Write-Host "$term is not a member of any groups"
            }
        }
    }
    Write-Host 'Disabling and moving '$term
    # move user
    move-adobject -Identity $user -targetpath $base
    write-host $term' is moved to Disabled'
}
Best Answer
So, my first thought is that there is a typo or transposing error that you ran into when sanitizing your script. So, the following is based strictly upon how the post was originally written...
Well, I can't be sure but it looks like this bit needs to go:
It looks as if you're grabbing all users in every group, and then for every user you find, you remove them from the group - which might be fine - except you're not just doing this for termed users - you're doing this for every user in every group you've specified.
As best as I can tell, if you ran this against an account that was in the Domain Admins group - you would effectively wipe the Domain Admins security group.
I think the source of your problem may stem from the fact that the $user you define in line 13 is not the same as the $user that you're using in line 37.
I would suggest you replace lines 37-46 with this single line:
It addresses a couple of concerns I have with the selection of code it replaces:
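The following is an added example, not the original poster's script and not the answerer's replacement line. It keeps the question's overall procedure (disable, describe, strip licence groups, move) but resolves the terminated user once into a variable named $termUser that is never reused for group members, and it removes only that user from only the listed groups, so no other member of any group is touched. It assumes the ActiveDirectory module; Terms.txt, the OU layout and the group names are constructed to match the question's sanitized values.

```powershell
# Added example (not the poster's or answerer's code). Assumes the ActiveDirectory
# module; Terms.txt, group names and OU layout are constructed sample values.
Import-Module ActiveDirectory

$admin = Read-Host -Prompt "Please enter your name "
$terms = Get-Content "Terms.txt"

# Groups whose membership grants software licences (constructed sample names).
$groups = @(
    'sec_software_license_group1',
    'sec_software_license_group2',
    'sec_software_license_group3'
)

# Resolve each group's DistinguishedName once. A user's MemberOf holds DNs, so
# comparing DNs avoids a false "not a member" when $groups mixes names and DNs.
$groupDns = @{}
foreach ($group in $groups) {
    $groupDns[$group] = (Get-ADGroup -Identity $group).DistinguishedName
}

foreach ($term in $terms) {
    # Refuse to act on zero or multiple matches: every step below is destructive
    # for whichever account it is pointed at.
    $found = @(Get-ADUser -Filter { DisplayName -eq $term } -Properties MemberOf)
    if ($found.Count -ne 1) {
        Write-Warning "$term matched $($found.Count) accounts; skipping."
        continue
    }
    $termUser = $found[0]   # distinct name, never shadowed by an inner loop

    # Remove only this user, and only from the listed groups. No other members
    # are enumerated, so nobody else's membership can be removed by mistake.
    foreach ($group in $groups) {
        if ($termUser.MemberOf -contains $groupDns[$group]) {
            Remove-ADGroupMember -Identity $groupDns[$group] -Members $termUser -Confirm:$false
            Write-Host "$term removed from $group"
        }
        else {
            Write-Host "$term is not a member of $group"
        }
    }

    Disable-ADAccount -Identity $termUser
    $day = Get-Date -Format g
    Set-ADUser -Identity $termUser -Description "Disabled by $admin $day"
    Write-Host "$term disabled by $admin on $day"

    # Same target-OU construction as the question: the fourth component from the
    # end of the user's DN is kept and the account is moved under OU=Disabled.
    $split    = $termUser.DistinguishedName.Split(',')
    $location = $split[-4]
    $base     = 'OU=Disabled,OU=People,' + $location + ',DC=some,DC=domain,DC=tld'
    Move-ADObject -Identity $termUser -TargetPath $base
    Write-Host "$term moved to $base"
}
```

Before running this against a real list, append -WhatIf to Remove-ADGroupMember, Disable-ADAccount, Set-ADUser and Move-ADObject; the AD cmdlets support it, and the dry run shows exactly which account and which groups each term resolves to without changing anything.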