Removing All security groups from AD disabled users powershell script

Thread starter: jayz (Guest)
Kind of new at this, but I'm currently trying to delete all groups from disabled users besides the primary group for a sub OU.

Currently my domain environment looks like this:

Code:
-company.example.com (domain) 
 -CompanyName (OU) 
   -Users (OU) >
     -Location 1 (OU)
     -Location 2 (OU)
   ServiceAcct (OU)

Currently my PowerShell script is the following:

Code:
$searchOU = "OU=CompanyName,DC=company,DC=example,DC=com"
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort-Object Name | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | 
    Get-ADUser | Where-Object { $_.Enabled -eq $false} | ForEach-Object {
        Write-Host "Removing $($_.Name) from $($group.Name)" -Foreground Yellow
        Remove-ADGroupMember -Identity $group -Member $_ -Confirm:$false #-whatif
    }
}

This runs, but the problem with this is that some disabled users are service accounts and need their security groups, so I need to target CompanyName > Users > Location 1 more precisely to avoid messing up service accounts. But when I add the sub OU path (Location 1) and run the following:

Code:
$searchOU = 'OU=Location1, OU=Users,OU=CompanyName,DC=company,DC=example,DC=com'
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort-Object Name | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | 
    Get-ADUser | Where-Object { $_.Enabled -eq $false } | ForEach-Object {
        Write-Host "Removing $($_.Name) from $($group.Name)" -Foreground Yellow
        Remove-ADGroupMember -Identity $group -Member $_ -Confirm:$false #-whatif
    }
}

Nothing happens, and when I run the sub OU alone:

Code:
$searchOU = "OU=Location1,DC=company,DC=example,DC=com"
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort-Object Name | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | 
    Get-ADUser | Where-Object { $_.Enabled -eq $false} | ForEach-Object {
        Write-Host "Removing $($_.Name) from $($group.Name)" -Foreground Yellow
        Remove-ADGroupMember -Identity $group -Member $_ -Confirm:$false #-whatif
    }
}

I get the following error:

Code:
Get-ADGroup : Directory object not found
At line:2 char:1
+ Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

What am I missing in this code to get to the sub OU?
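The root of the mismatch above is that `Get-ADGroup -SearchBase` only returns groups whose objects are stored under that OU, while the disabled users (not the groups) live in the Location OU. The following is an added example, not the poster's code: it scopes on the users' OU first, then walks each disabled user's memberships, skipping the primary group and writing an audit record of every removal so the change can be reviewed or rolled back. The OU distinguished name and the script file name are assumptions; `-SearchScope OneLevel` keeps child OUs such as ServiceAcct out of scope.

```powershell
# Added example (not from the original post). Assumes the OU layout the poster
# described; adjust $UserOU to the real distinguished name of the target OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserOU = 'OU=Location1,OU=Users,OU=CompanyName,DC=company,DC=example,DC=com',
    [string]$AuditCsv = '.\removed-memberships.csv'   # assumed path for the audit log
)

Import-Module ActiveDirectory

# Disabled user objects directly under the target OU. OneLevel (not Subtree)
# means nested OUs such as ServiceAcct are never touched.
$disabledUsers = Get-ADUser -Filter { Enabled -eq $false } `
    -SearchBase $UserOU -SearchScope OneLevel `
    -Properties MemberOf, PrimaryGroup

$audit = foreach ($user in $disabledUsers) {
    # memberOf does not list the primary group in AD, but comparing the DN
    # explicitly documents the intent and guards against odd configurations.
    $securityGroups = $user.MemberOf |
        Where-Object { $_ -ne $user.PrimaryGroup } |
        ForEach-Object { Get-ADGroup -Identity $_ } |
        Where-Object { $_.GroupCategory -eq 'Security' }

    foreach ($group in $securityGroups) {
        $target = "$($user.SamAccountName) from $($group.Name)"
        # Honours -WhatIf / -Confirm from the caller, so a dry run is one switch away.
        if ($PSCmdlet.ShouldProcess($target, 'Remove group membership')) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            # Emit one audit row per removal (DNs are enough to reverse the change).
            [pscustomobject]@{
                When      = (Get-Date).ToString('o')
                User      = $user.DistinguishedName
                Group     = $group.DistinguishedName
            }
        }
    }
}

if ($audit) {
    $audit | Export-Csv -Path $AuditCsv -NoTypeInformation -Append
    Write-Verbose "Logged $($audit.Count) removal(s) to $AuditCsv"
}
```

Run it once as `.\Remove-DisabledMemberships.ps1 -WhatIf` to see the exact user/group pairs it would change before running it for real.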