I'm trying to gather all the disabled users in our Active Directory and trying to remove the disabled users from all their groups. Mostly for cleanup purposes. I'm a bit stuck on my script. I'm not sure what to put after `Remove-ADPrincipalGroupMembership`:
```powershell
$disabled_users = Get-AdUser -SearchBase "Ou=Users, Ou=test, DC=testdomain, DC=io" -Filter "enabled -eq 'false'"
foreach($person in $disabled_users) {
    Get-ADPrincipalGroupMembership $person | Remove-ADPrincipalGroupMembership #stuckhere
}
```
`Get-ADPrincipalGroupMembership` returns only groups, leading `Remove-ADPrincipalGroupMembership` to auto-fill `-Identity` with the group name. You'll have to re-use the user object in `-Identity`.

Because of the first issue, `Remove-ADPrincipalGroupMembership` doesn't accept multiple groups from the pipeline. It should normally, but the `[ADGroup]` objects returned by `Get-ADPrincipalGroupMembership` seem to trip it up. To fix, use a `ForEach` loop, or use a two-step process:

Note that you can't remove an AD user's primary group (usually 'Domain Users'), so you may want to add a filter:
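A complete version of the cleanup, added here as an example (it is neither the asker's nor the answerer's code), that applies the two-step approach and the primary-group filter from the answer. It assumes the RSAT ActiveDirectory module, the OU path from the question, and runs as a `-WhatIf` dry run unless `-Commit` is passed; the `$Commit` switch and the `$removed` audit list are this example's own additions.

```powershell
# Added example: remove disabled users from all groups except their primary group.
# Assumes the ActiveDirectory module is installed; OU path taken from the question.
param(
    [string]$SearchBase = "OU=Users,OU=test,DC=testdomain,DC=io",
    [switch]$Commit   # without this switch every removal is only simulated (-WhatIf)
)

Import-Module ActiveDirectory

# Request PrimaryGroup explicitly; it is not in the default property set.
$disabledUsers = Get-ADUser -SearchBase $SearchBase `
    -Filter 'Enabled -eq $false' -Properties PrimaryGroup

$removed = @()   # audit trail of what was (or would be) removed

foreach ($user in $disabledUsers) {
    # Step 1: collect the group objects, filtering out the primary group,
    # which cannot be removed (usually 'Domain Users').
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }

    if (-not $groups) { continue }   # nothing left to clean up for this user

    # Step 2: pass the user object as -Identity and the groups via -MemberOf,
    # instead of piping the groups into the cmdlet.
    if ($Commit) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Confirm:$false
    } else {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -WhatIf
    }

    foreach ($group in $groups) {
        $removed += [pscustomobject]@{
            User      = $user.SamAccountName
            Group     = $group.Name
            Committed = [bool]$Commit
        }
    }
}

# Emit the audit list so it can be piped to Export-Csv for review or rollback.
$removed
```

Run it once without `-Commit` and review the `WhatIf` output and audit list before repeating with `-Commit`.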