Quicktip: Removing Users From Group Membership via Powershell

This script is a little more powerful than some of the other ones I’ve posted, mainly because if you screw this one up you may be out of a job. It reads a CSV for a list of groups whose membership you want to remove. Then it checks whether you dumped the users out first (from my previous post), just to make sure you have a backup. Then it gives a popup window and asks if you’re really sure you know what you’re doing. Finally, it removes all membership of those groups.

This is needed in a very specific instance, namely if you’re trying to go through a massive AD group cleanup like I am, but there are some cool aspects to this code I really like (like the popup).

## Import necessary modules and load WinForms for the confirmation popup
##
Import-Module ActiveDirectory
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

## Import CSV with groups to delete
## Needs a CN field
##
$Deletes = Import-Csv d:\groups\groupstodelete.csv

## Set output
##
$output = "d:\groups\results\results.txt"
Get-Date | Out-File $output

## Loop through groups
##
foreach ($GGroup in $Deletes) {
    ## Reset variables
    ##
    $TestMembers = $null
    $result = $null

    ## Set variables for group name and message box
    ##
    $Groupname = $GGroup.cn
    $Messagebox = "Proceed with removal of users from group `n`n" + $Groupname

    ## Check for the existence of a group dump named after the group in the CSV.
    ## If it doesn't exist, go to the next group in the loop; if it does, begin processing.
    ##
    $TestMembers = Test-Path "d:\groups\exports\$Groupname.csv"
    if ($TestMembers) {
        "Group dump exists for $Groupname `n`n" | Out-File $output -Append

        ## Perform the popup. If Yes is clicked the removal runs, otherwise the loop proceeds.
        ##
        $result = [System.Windows.Forms.MessageBox]::Show($Messagebox, "Confirm deletion", "YesNo", "Information")
        if ($result -eq "Yes") {
            "Removal has been confirmed for members of $Groupname `n`n" | Out-File $output -Append

            ## Removing group members. The transcript is stopped in a finally block so it
            ## is closed even if Remove-ADGroupMember throws a terminating error.
            ##
            Start-Transcript -Path $output -Append
            try {
                ## Put a -WhatIf in here just in case you want to test it first
                ## (the commented-out line below is the dry-run version).
                Get-ADGroupMember -Identity $Groupname | ForEach-Object { Remove-ADGroupMember -Identity $Groupname -Members $_ -Confirm:$false }
                ## Get-ADGroupMember -Identity $Groupname | ForEach-Object { Write-Host $_; Remove-ADGroupMember -Identity $Groupname -Members $_ -WhatIf }
            }
            finally {
                Stop-Transcript
            }
        }
        else {
            "Removal has NOT been confirmed for members of $Groupname. Continuing. `n`n" | Out-File $output -Append
            continue
        }
    }
    else {
        "Group dump does not exist for $Groupname, continuing `n`n" | Out-File $output -Append
        continue
    }
}

Script requires the AD & Quest AD management PowerShell modules to be installed.
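The script above only checks that a dump file exists for the group, not that the dump actually covers the members about to be removed. The following is an added example, not code from the original post, showing a stricter pre-flight check: it compares the exported CSV against the group's live membership and refuses to proceed if any current member is missing from the backup, and it wraps the removal in ShouldProcess so -WhatIf and -Confirm work natively. It assumes the ActiveDirectory module is loaded and that the per-group export CSV has a SamAccountName column (the column name and the paths are assumptions; adjust them to match your own dump script).

```powershell
## Added example (not part of the original post). Assumes the ActiveDirectory module
## is loaded and that the export CSV has a SamAccountName column (an assumption).
function Test-GroupExportCoversMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ExportPath
    )

    if (-not (Test-Path -LiteralPath $ExportPath)) {
        Write-Warning "No export found at $ExportPath"
        return $false
    }

    # Members recorded in the backup (column name SamAccountName is an assumption)
    $exported = @(Import-Csv -LiteralPath $ExportPath |
                  Select-Object -ExpandProperty SamAccountName)

    # Members the group has right now
    $current = @(Get-ADGroupMember -Identity $GroupName |
                 Select-Object -ExpandProperty SamAccountName)

    # Anyone in the live group but not in the export would be lost without a backup.
    # Entries in the export that are no longer members are harmless, so only this
    # direction is checked.
    $missing = @($current | Where-Object { $exported -notcontains $_ })
    if ($missing.Count -gt 0) {
        $missing | ForEach-Object { Write-Warning "$GroupName member not in export: $_" }
        return $false
    }
    return $true
}

function Remove-GroupMembersSafely {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for free;
    # ConfirmImpact High means it prompts unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ExportPath,
        [string]$LogPath = 'd:\groups\results\results.txt'   # assumed path
    )

    if (-not (Test-GroupExportCoversMembership -GroupName $GroupName -ExportPath $ExportPath)) {
        "Skipping $GroupName : export missing or does not cover current membership" |
            Out-File -FilePath $LogPath -Append
        return
    }

    $members = @(Get-ADGroupMember -Identity $GroupName)
    if ($members.Count -eq 0) {
        "$GroupName is already empty, nothing to remove" | Out-File -FilePath $LogPath -Append
        return
    }

    # Log exactly what is about to go, so the results file is a usable audit trail
    $members | ForEach-Object { "$GroupName : removing $($_.SamAccountName)" } |
        Out-File -FilePath $LogPath -Append

    if ($PSCmdlet.ShouldProcess($GroupName, "Remove $($members.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $members -Confirm:$false
        "Removed $($members.Count) member(s) from $GroupName" | Out-File -FilePath $LogPath -Append
    }
}

## Usage: dry run first, then the real removal. Group name and path are made up for illustration.
# Remove-GroupMembersSafely -GroupName 'OldProject-Admins' -ExportPath 'd:\groups\exports\OldProject-Admins.csv' -WhatIf
# Remove-GroupMembersSafely -GroupName 'OldProject-Admins' -ExportPath 'd:\groups\exports\OldProject-Admins.csv' -Confirm:$false
```

Running with -WhatIf prints what Remove-ADGroupMember would do without touching the group, which replaces the commented-out dry-run line in the original script. Passing the whole member array to -Members in one call also means a single failure surfaces as one error rather than being buried halfway through a per-member loop.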
