Here is a quick PowerShell script to remove ALL group membership from a disabled user in Active Directory. It removes every group from the user except the Domain Users group. The scenario: a user has departed the company, so for good measure, security and policy compliance, the account is disabled and all groups are stripped from it.
```powershell
# Import the Active Directory module if not already loaded
if (-not (Get-Module ActiveDirectory)) {
    Import-Module ActiveDirectory -ErrorAction Stop
}

$user = Read-Host "Enter UserName"   # SamAccountName of the disabled user
Write-Host
Write-Host "... $user is member of these AD Groups" -ForegroundColor Yellow
Get-ADPrincipalGroupMembership -Identity $user | Format-Table -Property Name

Write-Host "...Removing the Group Membership" -ForegroundColor DarkYellow
# Keep Domain Users: it is the primary group and cannot be removed this way
$ADGroups = Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object { $_.Name -ne "Domain Users" }

# -MemberOf rejects an empty list, so only call the cmdlet when there is something to remove
if ($ADGroups) {
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADGroups -Confirm:$false -Verbose
} else {
    Write-Host "$user has no group membership other than Domain Users" -ForegroundColor Green
}
```
Simply enter the SamAccountName of the disabled user and the rest is shown on screen: the current group membership and what has been removed from the user. Once done, you may move the user into a different OU such as DeadPool or whatever you want to call it 🙂
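The script above does the job interactively, but for offboarding it is worth adding three things the post does not cover: a check that the account really is disabled before anything is removed, a saved record of the groups taken away (for audit, and so the change can be reversed if the wrong account is named), and selection of the primary group by its distinguished name rather than by the literal string "Domain Users", since an account whose primary group was changed would otherwise fail on removal. The following is an added example, not the original post's script; the `$LogDir` default path and the script file name in the usage note are assumptions.

```powershell
# Added example (not the post's script): audited removal of all non-primary group
# membership from a disabled AD user. Assumes the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$LogDir = "C:\Offboarding\Logs"   # assumed location for the removal records
)

Import-Module ActiveDirectory -ErrorAction Stop

# Refuse to touch an account that is still enabled
$acct = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup, Enabled
if ($acct.Enabled) {
    throw "$SamAccountName is still enabled; disable the account before stripping group membership."
}

# Everything except the primary group, matched on DN instead of the name "Domain Users"
$toRemove = Get-ADPrincipalGroupMembership -Identity $acct |
    Where-Object { $_.DistinguishedName -ne $acct.PrimaryGroup }

if (-not $toRemove) {
    Write-Host "$SamAccountName has no group membership beyond its primary group; nothing to do."
    return
}

# Record the before-state first, so a rollback is possible even if removal fails midway
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logPath = Join-Path $LogDir ("{0}-{1:yyyyMMdd-HHmmss}.json" -f $SamAccountName, (Get-Date))
$toRemove | Select-Object Name, DistinguishedName, GroupCategory, GroupScope |
    ConvertTo-Json | Set-Content -Path $logPath -Encoding UTF8

# Remove one group at a time so a single failure does not abort the rest,
# and so -WhatIf shows exactly which removals would happen
foreach ($g in $toRemove) {
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from group '$($g.Name)'")) {
        try {
            Remove-ADPrincipalGroupMembership -Identity $acct -MemberOf $g -Confirm:$false
            Write-Host "Removed: $($g.Name)" -ForegroundColor DarkYellow
        } catch {
            Write-Warning "Could not remove $($g.Name): $($_.Exception.Message)"
        }
    }
}
Write-Host "Done. Membership record saved to $logPath" -ForegroundColor Green
```

Run it first with `-WhatIf` (for example `.\Remove-DisabledUserGroups.ps1 -SamAccountName jdoe -WhatIf`, file name assumed) to see the list without changing anything. Because the removed groups are written to JSON before the loop starts, restoring them is a matter of reading that file back and piping the `DistinguishedName` values to `Add-ADPrincipalGroupMembership`.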