psylent
Nov 29, 2000

Pillbug
I'm incredibly new to PowerShell; as a senior helpdesk monkey, I can see how it's going to be incredibly helpful.

I've got a shitload of user accounts (100+) of people that have left the company that I need to clean up/archive. My first step is to move them all into a "To be Terminated" OU. I then need to remove them from all Security/Distribution lists (except Domain Users) - this is where Powershell will come in handy as I'd prefer to run a quick script rather than go into each user and remove the groups manually!

It looks like I need a script that will strip group memberships based on the object's OU. With a bit of Googling, I found this one but am having a bit of trouble deciphering it:
code:
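# For each group in the OU, remove every non-computer member (prompts before each removal)
Get-ADGroup -SearchBase "OU=YOUROU,DC=DOMAIN,DC=COM" -Filter * | ForEach-Object {
    $Members = Get-ADGroupMember -Identity $_ | Where-Object {$_.objectClass -ne 'computer'}
    # Skip empty groups: -Members does not accept an empty value
    if ($Members) { Remove-ADGroupMember -Identity $_ -Members $Members -Confirm:$true }
}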
Can anyone help me out?


psylent
Nov 29, 2000

Pillbug
That's definitely what I need :)

I'll keep looking!

psylent
Nov 29, 2000

Pillbug

adaz posted:

code:
$users = Get-ADUser -Filter * -SearchBase "OU=YourDeleteOU,DC=Your,DC=Domain,DC=Com"

foreach ($user in $users) {
    # Bind to the user over ADSI to read its group DNs
    $deObj = [ADSI]"LDAP://$($user.distinguishedName)"
    foreach ($group in $deObj.MemberOf) {
        # Pass the user object; -Members resolves a DN, GUID, SID or sAMAccountName, not Name
        Remove-ADGroupMember -Identity $group -Members $user
    }
}
Do you have like a spreadsheet or text file of the users? You can automate the moving to a different OU as well with that.
Thanks so much for this, really appreciated.

As it turns out we're running Exch2010 here, but our DCs are still running bloody 2003 so I can't run the script. :(

psylent
Nov 29, 2000

Pillbug
Hi guys, I'm slowly working my way through CBT Nuggets intro to PowerShell so forgive any ignorance on my part.

I'm trying to build a script that prompts for a username and once it has does three things:
1. Changes the description to "Terminated - $DATE" in the format YYYY.MM.DD
2. Moves the object to a particular OU
3. Strips the object of all group memberships

I've got the commands for the steps 1 and 2, except for adding the date in automatically, I'll need help there - but stripping the object is a bit of a mystery at this point.

Any pointers will be much appreciated.

code:
$username = read-host "Enter user name"
Get-ADUser $username| Move-ADObject -TargetPath 'OU=Users,OU=Disabled,OU=Administration,OU=Infrastucture,DC=MYCOMPANY,DC=local'

Set-ADUser $username -Description

psylent
Nov 29, 2000

Pillbug
Here's the finished product:

code:
#get UserName
$termuser = read-host "Enter user name"

#Exports Group Memberships to CSV
$target = "\\SERVER\users$\_archived\" + $termuser + ".csv"
Get-ADPrincipalGroupMembership $termuser | select name | Export-Csv -path $target
write-host "* Group Memberships archived to" $target

#Move to "Disabled Users" OU
Get-ADUser $termuser| Move-ADObject -TargetPath 'OU=Users,OU=Disabled,OU=Administration,DC=COMPANY,DC=local'
write-host "* " $termuser "moved to Mailboxes To Be Archived"

#Change Description to "Terminated YYYY.MM.DD - CURRENT USER"
$terminatedby = $env:username
$termDate = get-date -uformat "%Y.%m.%d"
$termUserDesc = "Terminated " + $termDate + " - " + $terminatedby
set-ADUser $termuser -Description $termUserDesc 
write-host "* " $termuser "description set to" $termUserDesc

#removes from all distribution groups
$dlists =(Get-ADUser $termuser -Properties memberof | select -expand memberof)
foreach($dlist in $dlists){Remove-ADGroupMember $termuser -Identity $dlist -Confirm:$False}
write-host "* Removed from all distribution and security groups"

#moves home drive to archive
move-item \\SERVER\users$\$termuser \\SERVER\users$\_archived\$termuser
write-host "* Home Drive archived to \\SERVER\users$\_archived\$termuser"

#disable user
Disable-ADAccount -Identity $termuser

write-host "*** " $termuser "account has been disabled ***"
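
A hardened variant of the offboarding steps in the finished script above, added here as an example and not code from the thread: it validates the typed name before it reaches AD or a file path, stops on the first error, disables the account before anything else, and supports `-WhatIf`. The function name, parameters and validation pattern are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: hypothetical function name, parameters and pattern; not from the thread.
function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Assumed naming rule: keeps empty or path-like input out of AD queries and file paths
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string]$SamAccountName,

        [Parameter(Mandatory)] [string]$TargetOU,    # e.g. 'OU=Users,OU=Disabled,...'
        [Parameter(Mandatory)] [string]$ArchiveDir   # e.g. '\\SERVER\users$\_archived'
    )

    # Stop on the first failure instead of carrying on with a half-processed account
    $ErrorActionPreference = 'Stop'

    # Resolve the account once; this throws if the name does not exist
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    $action = 'Disable, strip groups, set description, move'
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) { return }

    # 1. Cut off access first, so the account is dead even if a later step fails
    Disable-ADAccount -Identity $user

    # 2. Record group memberships before removing them
    $csv = Join-Path $ArchiveDir "$($user.SamAccountName).csv"
    $user.MemberOf | ForEach-Object { [pscustomobject]@{ GroupDN = $_ } } |
        Export-Csv -Path $csv -NoTypeInformation

    # 3. MemberOf excludes the primary group (normally Domain Users), so that one stays
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Stamp the description, then move the object (the DN changes only at this point)
    $stamp = 'Terminated {0:yyyy.MM.dd} - {1}' -f (Get-Date), $env:USERNAME
    Set-ADUser -Identity $user -Description $stamp
    Move-ADObject -Identity $user -TargetPath $TargetOU
}
```

Running it with `-WhatIf` shows the account that would be processed without changing anything.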
