Import-Module ActiveDirectory
$users= Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"
$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
$DisabledBy = Get-ADUser "$env:username" -properties Mail
$DisabledByEmail = $DisabledBy.Mail
$LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com' -Properties * | Select-object -Expand SamAccountName
$ADgroups = Get-ADPrincipalGroupMembership -Identity $Users | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }
$TargetOU = "ou=Disabled Users,dc=xxx,dc=com"
foreach ($user in $users)
{
$SamAccountName = $User.SamAccountName
Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
If ($LegalHoldUser -contains $SamAccountName)
{
Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
Disable-ADAccount -Identity $($User.SamAccountname)
}
else
{
Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
Get-AdUser $SamAccountName | Move-ADObject -targetpath $TargetOU
Disable-ADAccount -Identity $($User.SamAccountname)
}
}
@Frederick, you have posted only the code; please describe your issue along with the error you get.
Please also format the code; refer to the links below.
Hi Kvprasoon,
I’m sorry about that. The issue I’m having is: When just copying it and pasting it in Windows Powershell, I get this error: Cannot convert ’ ’ to the type ‘Microsoft.ActiveDirectory.Management.ADPrincipal’ required by parameter ‘Identity’. Specified method is not supported.
+ CategoryInfo : InvalidArgument: ( [Get-ADPrincipalGroupMembership], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
+ PSComputerName : GGPDC01
The script itself is supposed to read from a csv file, compare it to a Legal Hold OU and if the users match, then disable the account, remove all groups except domain user, add the disabled users group. If the users in the csv file don’t match the users in the Legal hold OU, then do all the above, but also move them to the disabled Users OU. I have 3 SamAccount names on my csv file currently, but once I get the script to work, it’ll be 1500 SamAccountNames.
Looks like your issue is at this line.
$ADgroups = Get-ADPrincipalGroupMembership -Identity $Users | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }
You’ve imported your CSV to $Users, which is now a collection of objects. However, the Identity parameter doesn’t work on collections. You’ll need to pass them to the cmdlet one at a time.
Take a look at the docs for the cmdlet and the Identity parameter.
Hi Mark,
So in looking at the docs, should it be -Identity $Users.SamAccountName?
Since SamAccountName is the header on my csv column, I changed the line to
$ADgroups = Get-ADPrincipalGroupMembership -Identity $Users.SamAccountName | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }
and now I get this error:
Cannot convert ‘Aaron.Smith Adam.Abston Adam.Wright’ to the type ‘Microsoft.ActiveDirectory.Management.ADPrincipal’ required by parameter ‘Identity’. Specified method is not supported.
+ CategoryInfo : InvalidArgument: ( [Get-ADPrincipalGroupMembership], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
+ PSComputerName : GGPDC01
You’re still trying to pass a collection to the cmdlet.
Since you’re already looping over the list of users, I would take that line and move it into the loop.
Then, change
$ADgroups = Get-ADPrincipalGroupMembership -Identity $Users
to
$ADgroups = Get-ADPrincipalGroupMembership -Identity $User
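The per-user lookup discussed in this thread, written out as an added example (not code from any poster). It passes one account at a time to `-Identity`, resolving each CSV row's `SamAccountName` string to an AD user first because `Import-Csv` rows are plain objects, and it records the removed groups for audit. The `$auditPath` value is an assumption; the other paths, OUs, group name and ticket number are the ones in the original post.

```powershell
# Added example, not code from the thread. CSV path, OUs, group and ticket are the
# thread's own values; $auditPath is an assumed location for the audit log.
Import-Module ActiveDirectory

$users      = Import-Csv -Path 'C:\Output\DisableADUsers91718C.csv'
$targetOU   = 'ou=Disabled Users,dc=xxx,dc=com'
$keepGroups = 'Domain Users', 'DisabledUsers'
$auditPath  = 'C:\Output\RemovedGroups.csv'   # assumption
$stamp      = Get-Date

# Resolve the legal-hold accounts once; only SamAccountName is needed.
$legalHold = Get-ADUser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com' |
    Select-Object -ExpandProperty SamAccountName

$audit = foreach ($user in $users) {
    $sam = $user.SamAccountName            # a single string, not the CSV row
    try {
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    # Disable first so the account is unusable even if a later step fails.
    Disable-ADAccount -Identity $adUser
    Set-ADUser -Identity $adUser -Description "Disabled by $env:USERNAME on $stamp per Ticket INC0065513"

    # Group membership is looked up per user, inside the loop.
    $current = @(Get-ADPrincipalGroupMembership -Identity $adUser)
    $remove  = @($current | Where-Object { $keepGroups -notcontains $_.Name })
    if ($remove.Count -gt 0) {             # -MemberOf rejects an empty list
        Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $remove -Confirm:$false
    }
    if ($current.Name -notcontains 'DisabledUsers') {
        Add-ADGroupMember -Identity 'DisabledUsers' -Members $adUser
    }
    # Legal-hold accounts stay in their OU; everyone else is moved last.
    if ($legalHold -notcontains $sam) {
        Move-ADObject -Identity $adUser -TargetPath $targetOU
    }

    # Record what was removed so the change can be reviewed or reversed.
    [pscustomobject]@{
        SamAccountName = $sam
        RemovedGroups  = ($remove.Name -join ';')
        OnLegalHold    = ($legalHold -contains $sam)
    }
}
$audit | Export-Csv -Path $auditPath -NoTypeInformation
```

Appending `-WhatIf` to the cmdlets that change the directory (`Disable-ADAccount`, `Set-ADUser`, `Remove-ADPrincipalGroupMembership`, `Add-ADGroupMember`, `Move-ADObject`) gives a dry run on the 3-name CSV before the full list is processed.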