If NOT in group A remove from group B

Hi!

So I'm working on this script that will check if the users in target_group exist in source_group; if not, they will be removed. But I can't get it to work 100%, any ideas are greatly appreciated.

(Also posted in: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/06699a08-9052-4565-b390-2f4d76a0e1c6/if-not-in-group-a-remove-from-group-b?forum=ITCG )

#Source and target groups
$source_group = Get-ADGroup "CN=All_Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=se"
$target_group = Get-ADGroup "CN=GroupOfUsers,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=se"

#Get members
#Note: -Recursive also returns members of nested groups, and those cannot be
#removed from $target_group directly (only direct members can)
$source_members = Get-ADGroupMember -Identity $source_group -Recursive
$target_members = Get-ADGroupMember -Identity $target_group -Recursive

#Compare members
$result = Compare-Object $source_members $target_members -Property "sAMAccountName"

#If in the target but not the source => remove them
if ($result)
{
    #"=>" marks accounts that only appear in the second set (the target group)
    $remove = $result | ?{ $_.SideIndicator -eq "=>" }
    if ($remove)
    {
        #initialize the array before appending to it
        $users_remove = @()
        foreach ($account in $remove.sAMAccountName)
        {
            $users_remove += @(Get-ADUser $account)
        }
        Remove-ADGroupMember -Identity $target_group -Members $users_remove -Confirm:$false -WhatIf
    }
}

When you crosspost the same question at the same time to different forums you should at least post links to the other forums along with your question, to avoid making the people willing to help you do their work twice or more.

https://social.technet.microsoft.com/Forums/en-US/06699a08-9052-4565-b390-2f4d76a0e1c6/if-not-in-group-a-remove-from-group-b?forum=ITCG

Thanks

[quote quote=215805]When you crosspost the same question at the same time to different forums you should at least post links to the other forums along with your question, to avoid making the people willing to help you do their work twice or more.

https://social.technet.microsoft.com/Forums/en-US/06699a08-9052-4565-b390-2f4d76a0e1c6/if-not-in-group-a-remove-from-group-b?forum=ITCG

Thanks

[/quote]

Of course, it didn't actually cross my mind at that time. Will edit the post.

Too late for now. Do it next time please.

Thanks.

I love Compare-Object but I've learned not to depend on it for this type of thing. I think what you're needing is to compare a name to an array of names. I've put the source/group names into variables for ease of future expansion. See the following:

#Source and target groups
$source_group_name = "Source"
$target_group_name = "Target"

$source_group = Get-ADGroup -Filter {samaccountname -like $source_group_name}
$target_group = Get-ADGroup -Filter {samaccountname -like $target_group_name}

#Get members
$source_members = Get-ADGroupMember -Identity $source_group.distinguishedname
$target_members = Get-ADGroupMember -Identity $target_group.distinguishedname

#initialize slow array *** Performance/time concern on large datasets ***
$removedusers = @()

#If in the target but not the source => remove them
foreach ($member in $target_members) {
    if ($member.samaccountname -notin $source_members.samaccountname) {
        "{0} does not exist in {1} and will be removed" -f $member.samaccountname, $target_group.name
        Remove-ADGroupMember -Identity $target_group.DistinguishedName -Members $member.samaccountname -WhatIf
        #keep a record of each removal for reporting
        $removedusers += $(New-Object -TypeName PSObject -Property @{
            SamAccountName    = $member.samaccountname
            DistinguishedName = $member.DistinguishedName
            GroupRemovedFrom  = $target_group.DistinguishedName
        })
    }
}

if ($removedusers) { Write-Output $removedusers }

I hope this helps!
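As an added example (not code from this thread), the same check reworked for the large-group case the answer flags: membership is keyed on SID in a HashSet instead of `-notin` against a name array, only direct members of the target are considered (nested members cannot be removed from the target directly), and removals go through ShouldProcess so a `-WhatIf` dry run reports every candidate. Group names are placeholders taken from the question.

```powershell
# Added example: reconcile a target group against a source group.
# Assumes the ActiveDirectory module; 'All_Users' and 'GroupOfUsers' are placeholders.
function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceGroup,
        [Parameter(Mandatory)] [string] $TargetGroup
    )

    $target = Get-ADGroup -Identity $TargetGroup

    # Every principal that is in the source group, directly or via nesting.
    # Keyed on SID: SamAccountName is not unique across users, groups and
    # computers, and computer accounts carry a trailing '$'.
    $allowed = [System.Collections.Generic.HashSet[string]]::new()
    Get-ADGroupMember -Identity $SourceGroup -Recursive |
        ForEach-Object { [void] $allowed.Add($_.SID.Value) }

    # No -Recursive here: only direct members can be removed from the target.
    # Anyone inherited through a nested group must be handled in that group.
    foreach ($member in Get-ADGroupMember -Identity $target) {
        if ($allowed.Contains($member.SID.Value)) { continue }

        # With -WhatIf this prints the intended action instead of performing it.
        if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Remove from $($target.Name)")) {
            Remove-ADGroupMember -Identity $target -Members $member -Confirm:$false
        }

        # Emit one record per candidate so the run (dry or real) can be audited.
        [pscustomobject]@{
            SamAccountName    = $member.SamAccountName
            ObjectClass       = $member.objectClass
            DistinguishedName = $member.distinguishedName
            GroupRemovedFrom  = $target.DistinguishedName
        }
    }
}

# Dry run first; drop -WhatIf to apply the removals.
Sync-GroupMembership -SourceGroup 'All_Users' -TargetGroup 'GroupOfUsers' -WhatIf
```

Pipe the output to `Export-Csv` to keep a record of what each run removed from the target group.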

Wow thanks, works perfectly! Really appreciate it. Been scratching my head all day on this :).

[quote quote=215838]Wow thanks, works perfectly! Really appreciate it. Been scratching my head all day on this :).

[/quote]

You are welcome. Too many frustrated hours learning not to share. :slight_smile: