Remove all Group Membership from Disabled user except Domain User Group in PowerShell

Here is a quick PowerShell script to remove ALL group membership from a disabled user in Active Directory. It strips every group from the user except Domain Users (the default primary group, which cannot be removed through normal membership removal anyway). The scenario: the user has left the company, so for good measure, security and policy reasons the account is disabled and every group is removed from it, so that the dormant account no longer carries any access if it is ever re-enabled or compromised.

# Import the Active Directory module if not already loaded
if (-not (Get-Module ActiveDirectory)) {
    Import-Module ActiveDirectory -ErrorAction Stop
}
$user = Read-Host "Enter UserName (SamAccountName)"
Write-Host "... $user is member of these AD Groups" -ForegroundColor Yellow
Get-ADPrincipalGroupMembership -Identity $user | Format-Table -Property Name
Write-Host "... Removing the Group Membership" -ForegroundColor DarkYellow
# Keep Domain Users: it is the default primary group and cannot be removed via -MemberOf
$ADGroups = @(Get-ADPrincipalGroupMembership -Identity $user | Where-Object { $_.Name -ne "Domain Users" })
if ($ADGroups.Count -gt 0) {
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADGroups -Confirm:$false -Verbose
} else {
    Write-Host "... $user has no group membership other than Domain Users" -ForegroundColor Green
}

Simply enter the SamAccountName of the disabled user and the rest is shown on screen: the current group membership, then what has been removed from the user. Once done, you may move the user into a different OU, such as DeadPool or whatever you want to call it 🙂
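The script above is fine for interactive use, but a version you would hand to a helpdesk or run from an offboarding job should refuse to touch an account that is still enabled, keep a record of what was removed (so a mistaken run can be reverted and the change can be audited), identify the primary group by its distinguished name rather than by the name "Domain Users", support -WhatIf, and do the OU move in the same step. The following is an added example written for this page, not the original post's script; the function name, parameter names, log path, the account jdoe and the OU distinguished name in the usage lines are all assumptions.

```powershell
# Added example (not the original post's script): offboarding helper that
# verifies the account is disabled, snapshots its group membership before
# changing anything, strips every group except the primary group (Domain
# Users by default), and optionally moves the object to a holding OU.
# Assumed/hypothetical: the function name, parameter names, the log path and
# the account/OU names used in the usage lines at the bottom.
#Requires -Modules ActiveDirectory
function Remove-DisabledUserGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetOU,                                   # e.g. 'OU=DeadPool,DC=corp,DC=example'
        [string]$LogPath = "$env:TEMP\offboard-$SamAccountName.json"
    )

    # PrimaryGroup is an extended property holding the DN of the account's primary group.
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup -ErrorAction Stop

    # Refuse to touch an enabled account: this is meant for departed users only.
    if ($user.Enabled) {
        throw "$SamAccountName is still enabled; disable the account before removing group membership."
    }

    # Record current membership before changing anything so the removal can be audited or reverted.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user)
    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        Timestamp         = (Get-Date).ToString('o')
        Groups            = @($groups | ForEach-Object { $_.DistinguishedName })
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $LogPath
    Write-Verbose "Membership snapshot written to $LogPath"

    # Exclude the primary group by DN rather than by name: it cannot be removed through
    # -MemberOf, and an environment may have changed the primary group from Domain Users.
    $removable = @($groups | Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup })

    if ($removable.Count -eq 0) {
        Write-Verbose "$SamAccountName is only a member of its primary group; nothing to remove."
    }
    elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove from $($removable.Count) group(s)")) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $removable -Confirm:$false
    }

    if ($TargetOU -and $PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetOU")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU
    }

    # Return what was removed so the caller (or a ticket) has the list.
    $removable | Select-Object Name, DistinguishedName
}

# Usage (hypothetical account and OU): dry run first, then for real.
# Remove-DisabledUserGroups -SamAccountName jdoe -TargetOU 'OU=DeadPool,DC=corp,DC=example' -WhatIf
# Remove-DisabledUserGroups -SamAccountName jdoe -TargetOU 'OU=DeadPool,DC=corp,DC=example' -Verbose
```

Two things to keep in mind when using this: Get-ADPrincipalGroupMembership only returns direct memberships in the account's own domain, so an account holding group memberships in other domains of the forest needs those handled separately; and the JSON snapshot is the only record of the removed groups once the command has run, so write it somewhere more durable than $env:TEMP in a real offboarding process.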
