Remove all adgroups from OU

by johnkeng at 2012-10-18 13:32:22

Hello all,

I’m looking for a way to remove all group memberships except "Domain User" from accounts moved into a specific OU.

I found this article which accomplishes what I need for individual groups -

http://blogs.technet.com/b/heyscripting … ic-ou.aspx

but this uses VB functions I’m unfamiliar with and I’d prefer to accomplish the same task with PowerShell. If possible, I’d like to remove all the groups at once, but if necessary I can run multiple scripts.

Thanks in advance.

by Klaas at 2012-10-19 01:00:07

[quote]Remove all adgroups from OU[/quote]
[quote]remove all group memberships except "Domain User" from accounts[/quote]
[quote]I’d like to remove all the groups at once[/quote]
That’s three different things.

If you have the AD cmdlets (on a domain controller or a PC with RSAT installed) the easiest way is to collect your groups / users with Get-ADUser or Get-ADGroup or Get-ADGroupMember with the appropriate -Filter or -SearchBase, and pipe that to Remove-ADGroup or Remove-ADGroupMember.

Use Get-Help Remove-ADGroupMember -full | more to read all about the possibilities of this cmdlet.

by johnkeng at 2012-10-19 13:56:14

I found this script written by Shay Levy …

# Every group under the OU: remove all members that are not computer accounts
Get-ADGroup -SearchBase "OU=YOUROU,DC=DOMAIN,DC=COM" -Filter * | Foreach-Object {
    $Members = Get-ADGroupMember -Identity $_ | Where-Object { $_.objectClass -ne 'computer' }
    Remove-ADGroupMember -Identity $_ -Members $Members -Confirm:$true
}


…and after a couple of additions it accomplished what I wanted.

# Every group except "Domain Users": remove non-computer members located in the Recently Disabled OU
Get-ADGroup -SearchBase "OU=GROUPS,DC=DOMAIN,DC=COM" -Filter 'name -ne "Domain Users"' |
Foreach-Object {
    $Members = Get-ADGroupMember -Identity $_ | Where-Object { $_.objectClass -ne 'computer' -and $_.distinguishedName -like "*OU=Recently Disabled,DC=DOMAIN,DC=COM" }
    Remove-ADGroupMember -Identity $_ -Members $Members -Confirm:$true
}


Hope this helps someone else.
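
A user-centric variant of the task discussed in this thread, added here as an example and not posted by any participant: it walks the accounts in the OU, removes each membership listed in memberOf, and writes a CSV record of what was removed so the change can be audited or reversed. The OU path and the log path are placeholders (assumptions), reusing the thread's "Recently Disabled" OU name.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. $SearchBase and $LogPath are placeholder values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Recently Disabled,DC=DOMAIN,DC=COM',
    [string]$LogPath    = '.\removed-memberships.csv'
)

# memberOf never lists the primary group, so "Domain Users" is left alone
# as long as it is still the account's primary group.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties MemberOf

$removed = foreach ($user in $users) {
    foreach ($groupDn in $user.MemberOf) {
        # ShouldProcess makes -WhatIf and -Confirm work for the whole script
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.SamAccountName)")) {
            try {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                # One record per removed membership, for audit and rollback
                [pscustomobject]@{
                    Time  = (Get-Date).ToString('o')
                    User  = $user.DistinguishedName
                    Group = $groupDn
                }
            } catch {
                # Protected or cross-domain groups can fail; report and continue
                Write-Warning "Could not remove $($user.SamAccountName) from ${groupDn}: $_"
            }
        }
    }
}

# Append so repeated runs build a single history of removed memberships
if ($removed) { $removed | Export-Csv -Path $LogPath -NoTypeInformation -Append }
```

Saved as a script file and run with -WhatIf first, it lists every membership it would remove without changing anything.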