Active Directory Group Memberships Manipulation for Automation Purpose

Hi PowerShell gurus,

There is a task I am in need of accomplishing from an automated scripting perspective. Here is the scenario I am trying to automate.

There are three security group “types”, which are essentially associated with one another by the way they are named, each located in its own organizational unit in ADUC. There is no nesting with these AD security groups either, just an FYI.

When user memberships are added to the first group, those same users are to have their memberships removed from the associated groups two and three. Then, once the memberships from groups two and three are confirmed removed, the first group’s membership is removed. From there, I am going to think about setting up emails when one of these scenarios kicks off, with success/failure results, but that is not my priority right now.

It seems like a ForEach and an IF statement are what I need to focus on primarily, despite my limited PowerShell knowledge.

#My idea is to declare variables that specify the canonical name of the OU where each type of security group resides. Not sure if that is 100% necessary.
$ADGroup1OU = canonical name
$ADGroup2OU = canonical name
$ADGroup3OU = canonical name

#My starting point thought was going with these cmdlets using the pipeline, just as a simple example.
Get-ADGroupMember -Identity ADGroup1ClientA | Remove-ADGroupMember

Thanks for your time in looking at my post.

Welcome to the forum. :wave:

Wait, what? When you add a user account to group 1 you want to remove it from groups 1 and 2 and 3? Why do you need to add it to group 1 in the first place then? … or did I get something wrong?

That’s a good start. You may read the help topic about

It can remove a given user from one OR MORE groups at a time. :wink:

BTW: When you post code, sample data, console output or error messages, please format it as code using the preformatted text button ( </> ). Simply place your cursor on an empty line, click the button and paste your code.

Thanks in advance

How to format code in <---- Click :point_up_2: :wink:

I know, it’s odd. So, there are many groups used for different clients that fall under the “type” of security group I labeled here as “Group1”. You can think of it like Group1ClientA, Group1ClientB, Group1ClientC, etc. The purpose of this “type” of group (Group1) is to remove existing memberships of corresponding groups (Group2 & Group3), which grant access to different items.

So, when a user no longer needs memberships to Group2ClientA & Group3ClientA, they are meant to be placed into Group1ClientA for removal from Group2ClientA & Group3ClientA. Once done, their membership to Group1ClientA has to be removed.

It still does not make any sense to me why you need to add the user to a certain group to remove it from some others … :man_shrugging: anyway … what’s your actual question? This task is pretty straightforward, I think.

  • Query Group1ClientA
  • for each found user run Remove-ADPrincipalGroupMembership -MemberOf Group2ClientA, Group3ClientA

That's all.

Thank you for your input on this, I really appreciate it.

The full question is this:

Am I able to query / analyze all of my “Group1” types of security groups for any added members and then process removing those members from the correct associated “Group2” & “Group3” security groups?

Example Scenario:
When user objects are added as members to any “Group1” security groups:

Group1ClientA ==> then remove from Group2ClientA & Group3ClientA ==> When complete, remove membership from Group1ClientA

Group1ClientB ==> then remove from Group2ClientB & Group3ClientB ==> When complete, remove from Group1ClientB

Group1ClientC ==> then remove from Group2ClientC & Group3ClientC ==> When complete, remove membership from Group1ClientC

Group1ClientD ==> then remove from Group2ClientD & Group3ClientD ==> When complete, remove membership from Group1ClientD

Again, yes. And I already described how to do it in my last reply. :man_shrugging:
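The two-step procedure from the reply above (query each Group1 group, then Remove-ADPrincipalGroupMembership for every member), carried through for the whole Group1ClientA/B/C/D scenario, as an added example that is not code from the original post or from the replies. The OU distinguished names, the function name and the exact "Group1<Client>" naming pattern are assumptions; substitute your own. The script derives the Group2/Group3 names from the Group1 name, scopes every lookup to the matching OU with an exact name match (so a similarly named group elsewhere in the domain can never be touched), confirms the Group2/Group3 removal before dropping the user from Group1, and supports -WhatIf for a dry run.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original poster's or the forum's code.
# Assumed (hypothetical) OU paths and naming pattern: Group1<Client> -> Group2<Client>, Group3<Client>
function Invoke-Group1Cleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Group1OU = 'OU=Group1,OU=Groups,DC=example,DC=com',   # assumed OU path
        [string]$Group2OU = 'OU=Group2,OU=Groups,DC=example,DC=com',   # assumed OU path
        [string]$Group3OU = 'OU=Group3,OU=Groups,DC=example,DC=com'    # assumed OU path
    )

    # Only groups directly in the Group1 OU (OneLevel), and only those following the naming pattern
    $group1s = Get-ADGroup -Filter "Name -like 'Group1*'" -SearchBase $Group1OU -SearchScope OneLevel

    foreach ($g1 in $group1s) {
        if ($g1.Name -match '^Group1(?<client>.+)$') {
            $client = $Matches['client']
        } else {
            continue
        }

        # Resolve the associated groups with an exact match inside their own OU;
        # refuse to proceed for this client if either one is missing
        $g2 = Get-ADGroup -Filter "Name -eq 'Group2$client'" -SearchBase $Group2OU -SearchScope OneLevel
        $g3 = Get-ADGroup -Filter "Name -eq 'Group3$client'" -SearchBase $Group3OU -SearchScope OneLevel
        if (-not $g2 -or -not $g3) {
            Write-Warning "Skipping $($g1.Name): Group2$client and/or Group3$client not found"
            continue
        }
        $targets = @($g2, $g3)

        # Direct members only (no nesting in this scenario); ignore anything that is not a user
        $members = Get-ADGroupMember -Identity $g1 | Where-Object objectClass -eq 'user'

        foreach ($user in $members) {
            # Step 1: remove from Group2<Client> and Group3<Client> in one call
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $targets -Confirm:$false

            # Step 2: confirm the removal actually happened before touching Group1
            # (skipped under -WhatIf, where nothing has been removed yet)
            $remaining = Get-ADPrincipalGroupMembership -Identity $user |
                Where-Object { $_.DistinguishedName -in $targets.DistinguishedName }
            if ($remaining -and -not $WhatIfPreference) {
                Write-Warning "$($user.SamAccountName) still in $($remaining.Name -join ', '); leaving in $($g1.Name)"
                continue
            }

            # Step 3: remove the user from the Group1 "trigger" group
            Remove-ADGroupMember -Identity $g1 -Members $user -Confirm:$false

            # Emit a record per user so the run can be logged or mailed later
            [pscustomobject]@{
                User        = $user.SamAccountName
                Group1      = $g1.Name
                RemovedFrom = ($targets.Name -join ', ')
            }
        }
    }
}

# Dry run first, then the real run with a log of what was changed:
# Invoke-Group1Cleanup -WhatIf
# Invoke-Group1Cleanup | Export-Csv .\group1-cleanup.csv -NoTypeInformation
```

Run it under an account that is delegated only "Write Members" on the three OUs rather than a domain admin; a script whose whole job is to strip group memberships is exactly the kind of thing you want blast-radius-limited. Because the target groups are derived from a naming convention, keep the exact -eq match and the -SearchBase scoping: dropping either would let a typo or a look-alike group name send users' access the wrong way.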