by johnkeng at 2012-10-18 13:32:22
Hello all,
I’m looking for a way to remove all group memberships except "Domain User" from accounts moved into a specific OU.
I found this article which accomplishes what I need for individual groups -
http://blogs.technet.com/b/heyscripting … ic-ou.aspx
but this uses VB functions I’m unfamiliar with and I’d prefer to accomplish the same task with PowerShell. If possible, I’d like to remove all the groups at once, but if necessary I can run multiple scripts.
Thanks in advance.

by Klaas at 2012-10-19 01:00:07
[quote]Remove all adgroups from OU[/quote]
[quote]remove all group memberships except "Domain User" from accounts[/quote]
[quote]I’d like to remove all the groups at once[/quote]
That’s three different things.
If you have the AD cmdlets (on a domain controller or a PC with RSAT installed) the easiest way is to collect your groups / users with Get-ADUser or Get-ADGroup or ADGroupMember with the appropriate -Filter or -Searchbase, and pipe that to Remove-ADGroup or Remove-ADGroupMember.
Use
Get-Help Remove-ADGroupMember -full | more
to read all about the possibilities of this cmdlet.

by johnkeng at 2012-10-19 13:56:14
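I found this script written by Shay Levy …
# For every group in the OU, remove all members that are not computer accounts
Get-ADGroup -SearchBase "OU=YOUROU,DC=DOMAIN,DC=COM" -Filter * | ForEach-Object {
    $Members = Get-ADGroupMember -Identity $_ | Where-Object {$_.objectClass -ne 'computer'}
    Remove-ADGroupMember -Identity $_ -Members $Members -Confirm:$true
}
…and after a couple of additions accomplished what I wanted.
# For every group except "Domain Users", remove non-computer members located in the "Recently Disabled" OU
Get-ADGroup -SearchBase "OU=GROUPS,DC=DOMAIN,DC=COM" -Filter 'name -ne "Domain Users"' |
ForEach-Object {
    # Compare each member's DN against the OU as an unquoted expression so that it is actually evaluated
    $Members = Get-ADGroupMember -Identity $_ | Where-Object {$_.objectClass -ne 'computer' -and $_.distinguishedName -like "*OU=Recently Disabled,DC=DOMAIN,DC=COM"}
    # Skip groups with no matching members; -Members rejects an empty value
    if ($Members) { Remove-ADGroupMember -Identity $_ -Members $Members -Confirm:$true }
}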
Hope this helps someone else.
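
A user-centric variant of the approach discussed in this thread, as an added example that is not from any of the posters: it starts from the accounts in the OU rather than from the groups in one OU, so memberships in groups stored elsewhere are also covered, and it logs every removal for later review. The function name `Remove-OuUserGroupMembership` and the log path are assumptions made for illustration; the OU DN is the placeholder used above.

```powershell
#Requires -Modules ActiveDirectory
# Added example; function name and log path are hypothetical, the OU DN is a placeholder.
function Remove-OuUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string] $LogPath = '.\removed-memberships.csv'
    )

    # MemberOf does not include the user's primary group (normally
    # "Domain Users"), so that membership is left untouched.
    $users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties MemberOf

    $removed = foreach ($user in $users) {
        foreach ($groupDn in $user.MemberOf) {
            # Honors -WhatIf and -Confirm passed to this function
            if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $($user.SamAccountName)")) {
                try {
                    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                    # Emit one record per successful removal
                    [pscustomobject]@{
                        When  = (Get-Date).ToString('s')
                        User  = $user.DistinguishedName
                        Group = $groupDn
                    }
                }
                catch {
                    Write-Warning "Failed to remove $($user.SamAccountName) from ${groupDn}: $_"
                }
            }
        }
    }

    # Keep an audit trail so removed memberships can be reviewed or restored
    if ($removed) { $removed | Export-Csv -Path $LogPath -NoTypeInformation -Append }
    $removed
}

# Dry run: reports what would be removed and changes nothing.
Remove-OuUserGroupMembership -SearchBase 'OU=Recently Disabled,DC=DOMAIN,DC=COM' -WhatIf
```

Drop `-WhatIf` to apply the changes; each removal then prompts for confirmation unless `-Confirm:$false` is passed.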