Users remove from all groups

spiceuser-4lcna · 2019-12-31T06:38:22.000Z

Hi,

I need to remove all disabled users from all groups that been disabled more than 30 days. Any ideas?

Neally · 2019-12-31T07:04:21.000Z

What have you tried? That shouldn’t be too hard to do.

spiceuser-4lcna · 2019-12-31T07:17:51.000Z

$users=get-aduser -filter 'enabled -eq $false' -Properties samaccountname,memberof  |
Select-Object samaccountname, @{n=’MemberOf’; e= { ( $_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join “,” }} 
Foreach ($user in $users)
{ 
Set-ADUser $user.samaccountname -Description ":- $($user.memberof)"
Get-ADGroup -Filter {name -notlike "*domain users*"}  | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False 
}

i have not received a day that the user has been disabled
30 days

Neally · 2019-12-31T08:48:13.000Z

Do you mean not logged in or literally disabled.
AD does not track changes unless you use some sort of log aggregator to keep track of when an account was disabled. Another possible option is to go off the ‘whenlastchanged’ field, but that gets updated for ANY change in AD, so it wouldn’t be super reliable.

DoctorDNS · 2019-12-31T10:12:43.000Z

Hi, welcome to Spiceworks, and thanks for your query. As a new user here on Spicworks, I urge all new users to read our ‘read before posting;’ post: PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum!

You would need to use a few cmdlets to achieve this:

First, you would get all groups Get-ADGroups -Filter *.

For each of those groups, get group membership.

ANd for each member get the ADUser object (Get-ADUser) to see if they are disabled, and of so removing them from that groups.

Please have a go at doing this, then post any issues (and the code that is related).