
The script should remove an AD user from all of his group memberships (including memberships in the forest domain and other child domains), deactivate it and move it into another OU.

Environment:

forest-domain: forest.com
child-domains: child1.forest.com
               child2.forest.com
               child3.forest.com

The script is running in child1.forest.com.

This is the script so far:

$username="testuser"
# primary group (Domain Users) is filtered by name; a member cannot be removed from it anyway
$groups=Get-ADPrincipalGroupMembership -Identity $username | where {$_.name -notlike "Domain Users"}

$getuser=Get-ADUser -Identity $username | select DistinguishedName
$userpath=$getuser.DistinguishedName

foreach ($group in $groups) {
   # no -Server here, so every removal is attempted against a DC of child1.forest.com
   Remove-ADGroupMember -Identity $group -member $username -Confirm:$false
}

Disable-ADAccount -Identity $username
Move-ADObject -Identity $userpath -TargetPath "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"

Actually it successfully deletes all group memberships of child1.forest.com, but not of forest.com or child2.forest.com.

This code is working properly:

# user is resolved in its own domain, the group in the domain that holds it
$User=Get-ADUser "testuser" -server "child1.forest.com"
$Group=Get-ADGroup "SomeGroup" -server "forest.com"
# the removal is sent to a DC of the group's domain
Remove-ADGroupMember $Group -Members $User -server "forest.com" -Confirm:$false

I tried to combine these script snippets, but have not yet been successful. I have an idea: to read the domain of the OU and pass it into the loop, but I don't get it working to read the OU in a way that I can use it.

Can someone help please?

  • Use `Get-ADGroup` in your `Remove-ADGroupMember` loop and verify you're able to pick up the remote group itself. That part should work. And don't use `$username` as the member identifier, it's not unique across the forest, instead try using `$userpath`. – Chris Dent Aug 04 '16 at 10:27
  • Hello Chris, thank you very much for your reply! Exactly, that's what I want to do. How can I query the server name of an AD group? This part I don't understand. – christoph.mue Aug 05 '16 at 21:15
  • You don't necessarily need to. If everything is in the same forest you can, to an extent, rely on one domain controller referring you to another. If Get-ADGroup works well for the group in the remote domain you should also be able to use Remove-ADGroupMember. – Chris Dent Aug 05 '16 at 21:16
  • I understand what you mean, but I do not get it to work. I changed the loop to this: `$adgroup=Get-ADGroup $group; $grouppath=$adgroup.DistinguishedName; Remove-ADGroupMember -Identity $grouppath -member $username -Confirm:$false` but still get the error "cannot find object", because it looks for the group in child1 and not in forest. – christoph.mue Aug 11 '16 at 12:12

1 Answer


Found a solution, I query if the group exists on a server:

$servers=@("forest.com","child1.forest.com","child2.forest.com","child3.forest.com")
$username="testuser"
$user=Get-ADUser -Identity $username
$groups=Get-ADPrincipalGroupMembership -Identity $user | where {$_.name -notlike "Domain Users"}

foreach ($group in $groups) {
    # reset per group; otherwise a hit for an earlier group stops the server loop
    # for the next group after its first server, whether that server held it or not
    $found=0

    foreach ($server in $servers) {
        # look the group up by its DistinguishedName (unique in the forest; a name can
        # exist in several domains) and suppress the "not found" error on the other DCs
        $groupserver=Get-ADGroup -Identity $group.DistinguishedName -server $server -ErrorAction SilentlyContinue

        if($groupserver)
        {
            # remove on a DC of the domain that holds the group
            Remove-ADGroupMember $groupserver -Members $user -server $server -Confirm:$false -ErrorAction SilentlyContinue
            $found=1
        }
        if ($found -eq 1){break}
    }

}
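The question's own idea (read the group's domain from its DN and pass it into the loop) avoids probing every domain controller as the answer does. The following is an added example, not code from the question or the answer: it assumes the environment described in the question (script running in child1.forest.com, the target OU as given) and the RSAT ActiveDirectory module; the helper Get-DomainFromDistinguishedName is a hypothetical name introduced here. Every group DN ends in the DC= components of its own domain, so those components, joined with dots, are exactly the value -Server needs.

```powershell
# Added example (not the poster's or answerer's code). Assumes the environment from
# the question and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$username   = "testuser"
$userDomain = "child1.forest.com"                                    # domain the script runs in
$targetOu   = "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"  # target OU from the question

# Hypothetical helper: turns "CN=SomeGroup,OU=Groups,DC=child2,DC=forest,DC=com"
# into "child2.forest.com" by keeping only the DC= components of the DN.
function Get-DomainFromDistinguishedName {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $dcParts = $DistinguishedName -split ',' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { $_ -replace '^\s*DC=', '' }
    return ($dcParts -join '.')
}

# Resolve the user once in its own domain. Its DN is unique across the forest;
# the sAMAccountName "testuser" is not.
$user = Get-ADUser -Identity $username -Server $userDomain -Properties PrimaryGroupID

# Same enumeration as in the question. The primary group (Domain Users) is matched by
# its RID instead of its name, because a member cannot be removed from its primary group.
$groups = Get-ADPrincipalGroupMembership -Identity $user -Server $userDomain |
    Where-Object { $_.SID.Value -notmatch "-$($user.PrimaryGroupID)$" }

foreach ($group in $groups) {
    $groupDomain = Get-DomainFromDistinguishedName -DistinguishedName $group.DistinguishedName
    try {
        # The member attribute lives on the group, so the write must go to a DC of the
        # domain that holds the group, not to the domain the script runs in.
        Remove-ADGroupMember -Identity $group.DistinguishedName `
                             -Members  $user.DistinguishedName `
                             -Server   $groupDomain `
                             -Confirm:$false -ErrorAction Stop
        Write-Output "Removed $username from $($group.DistinguishedName) via $groupDomain"
    }
    catch {
        # Keep going: one failed removal must not leave the account enabled or unmoved.
        Write-Warning "Failed on $($group.DistinguishedName) ($groupDomain): $($_.Exception.Message)"
    }
}

# Disable and move the account in its own domain, after all memberships were handled.
Disable-ADAccount -Identity $user.DistinguishedName -Server $userDomain
Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu -Server $userDomain
```

Two points to check before relying on this. The enumeration from a child1 DC lists groups of the user's own domain and universal groups of the other domains; domain-local groups in another domain are only visible when that domain is queried (Get-ADPrincipalGroupMembership has -ResourceContextServer for that), so a user that sits in such groups keeps them unless each domain is enumerated as well. Second, the warnings from the catch block are the record of what was not cleaned up; a deprovisioning run that prints any of them should be reviewed, since a disabled account that is still a member of privileged groups regains those rights the moment someone re-enables it.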