Home / server / Questions / 278179
Accepted
Kip
Asked: 2011-06-09 02:08:59 +0800 CST

Active Directory Housekeeping - Remove groups from disabled users

  • 772

I am struggling to find a decent way to do this. For one reason or another (not important, it is what it is) we have a rather a lot of users who are disabled but are still a member of all of their pre-disable groups. This is causing a few issues such as distribution list failures, difficulty enumerating ACL's etc.

Does anyone know of an easy way to bulk remove groups from users that are disabled? For ease, they all exist in one container now so if its something that can be done on container level, that's useful. Also, I know we could delete the accounts, but for auditing and cross linking with our HR system, that is not possible.

windows active-directory

3 Answers

  1. Best Answer

    This sample batch file will do what you're asking. You'll need to edit the dsquery command to use your specific StartNode OU -- The OU=SomeOU,DC=example,DC=com bit:

    @ECHO OFF
REM Get list of disabled users in the domain
FOR /F "usebackq delims=;" %%A IN (`dsquery user "OU=SomeOU,DC=example,DC=com" -disabled -limit 0`) DO ( 
    echo User: %%A
    REM Enumerate user's group memberOf, exclude "Domain Users" group
    FOR /F "usebackq delims=;" %%B IN (`dsget user %%A -memberof ^| find /V "Domain Users"`) DO (
        ECHO Group: %%B
        REM Remove user %%A from Group %%B
        dsmod group %%B -rmmbr %%A
    )
)
    • 3

  2. Using Powershell and the Quest AD cmdlets available here, the following PowerShell script should do the trick - 

    $users =  Get-QADUser -Disabled
foreach ($user in $users)
{
    Remove-QADMemberOf -Identity $user -RemoveAll
}
    • 1

  3. I recently wanted to remove groups from (almost all) disabled users so I wrote my own set of functions in PowerShell v3 (which doesn’t require third-party software).

    For composability and re-use, I first wrote a function to remove the specified user from all groups (aside from their primary group). I could add an option to specify the group type (Security or Distribution) but I don’t need that functionality at the moment.

    Function Remove-UserFromGroups ($User) {
    $PrimaryGroup = (Get-ADUser $User -Properties PrimaryGroup).PrimaryGroup
    Get-ADPrincipalGroupMembership $User |
        ForEach-Object {
            If ($_.distinguishedName -ne $PrimaryGroup) {
                Write-Output "Removing ‘$($User.Name)’ from ‘$_’"
                Remove-ADGroupMember $_ -Members $User  # -Confirm:$False
            }
        }
}

    I then used this function to remove all disabled users from all groups (other than their primary group). I use a search base so that an OU can be specified and I also have a list of default/system users who should not have their group membership changed.

    Function Remove-DisabledUsersFromGroups (
    $SearchBase = 'OU=department,DC=example,DC=com',
    $ExcludedUsers = @('krbtgt', 'SUPPORT_388945a0', 'Guest')
) {
    Get-ADUser -Filter { Enabled -eq $False } -SearchBase $SearchBase  |
        Where { $_.Name -notin $ExcludedUsers } |
        ForEach-Object {
            Remove-UserFromGroups $_
        }
}
    • 0