This small script removes all Active Directory (AD) groups for users in a specific Organizational Unit (OU),
except the group "Domain Users".
Example of usage:
[PS] .\Remove-ADGroups-for-Users-in-OU.ps1 -OU "OU=Users,OU=Disabled Accounts,DC=myDomain,DC=local" -Confirm:$False
The script can be useful for an OU with disabled user accounts.
```powershell
<#
.SYNOPSIS
    Remove AD Groups for Users in specific OU
.DESCRIPTION
    This script removes all Active Directory (AD) groups for users in a specific Organizational Unit (OU).
    Except group "Domain Users"
    Rights in AD to remove users from groups are needed. For example - Domain Admins
.EXAMPLE
    .\Remove-ADGroups-for-Users-in-OU.ps1 -OU "OU=Users,OU=Disabled Accounts,DC=myDomain,DC=local" -Confirm:$False

    Description
    -----------
    Remove all groups for users in OU with auto-confirm.
#>
[CmdletBinding()]
Param (
    [string]$OU = "OU=Users,OU=Disabled Accounts,DC=myDomain,DC=local",
    $Confirm = $True
)

$ExceptGroup = "Domain Users"

Import-Module ActiveDirectory

Write-Host "Organizational Unit: $OU"
Write-Host "Confirm: $Confirm"

# All user objects under the target OU
$users = Get-ADUser -SearchBase $OU -Filter *

foreach ($user in $users) {
    $UserDN = $user.DistinguishedName
    # Escape LDAP filter metacharacters so a DN containing \ * ( ) does not break the filter
    $FilterDN = $UserDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Groups whose member attribute lists this user directly
    Get-ADGroup -LDAPFilter "(member=$FilterDN)" | ForEach-Object {
        if ($_.Name -ne $ExceptGroup) {
            Write-Host "Removing $($user.SamAccountName) from group $($_.Name)"
            # Identify the group by DN; Name (CN) is not a valid -Identity value when it differs from the sAMAccountName
            Remove-ADGroupMember -Identity $_.DistinguishedName -Members $UserDN -Confirm:$Confirm
        }
    }
}
```
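The script only prints what it removes, so a snapshot of the memberships taken beforehand gives a record for audit and rollback. The following is an added example, not part of the original post: the function names, parameters and CSV path are assumptions, and it enumerates groups the same way the script does.

```powershell
# Added example: snapshot memberships before removal, restore them from the snapshot.
# Function names, parameter names and the default CSV path are assumptions.
Import-Module ActiveDirectory

function Export-OUGroupMembership {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)][string]$OU,
        [string]$ExceptGroup = "Domain Users",
        [string]$Path = ".\ou-group-memberships.csv"
    )
    $rows = @(foreach ($user in (Get-ADUser -SearchBase $OU -Filter *)) {
        # Escape LDAP filter metacharacters that can occur in a DN
        $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        Get-ADGroup -LDAPFilter "(member=$dn)" |
            Where-Object { $_.Name -ne $ExceptGroup } |
            ForEach-Object {
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    UserDN         = $user.DistinguishedName
                    GroupName      = $_.Name
                    GroupDN        = $_.DistinguishedName
                }
            }
    })
    if ($rows.Count -eq 0) {
        Write-Warning "No group memberships found under $OU; nothing written."
        return
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    Write-Host "Recorded $($rows.Count) memberships to $Path"
}

function Restore-OUGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param ([Parameter(Mandatory = $true)][string]$Path)
    foreach ($row in (Import-Csv -Path $Path)) {
        # Run with -WhatIf to preview the re-adds without changing AD
        if ($PSCmdlet.ShouldProcess($row.GroupDN, "Add member $($row.SamAccountName)")) {
            Add-ADGroupMember -Identity $row.GroupDN -Members $row.UserDN
        }
    }
}

# Usage (OU value taken from the example above):
# Export-OUGroupMembership -OU "OU=Users,OU=Disabled Accounts,DC=myDomain,DC=local"
```

The restore step matches users by the DN recorded at export time, so it will not find accounts that were moved or renamed after the snapshot.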