One of my clients had several disabled users showing up in distribution lists and security groups and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy.
The following PowerShell script searches for disabled users in Groups and Distribution Groups and removes them:
```powershell
# This script removes all disabled users from all security and distribution groups in the specified "searchOU"
Import-Module ActiveDirectory

$searchOU = "OU=Groups,DC=domain,DC=local"
$adgroup = Get-ADGroup -Filter 'GroupCategory -eq "Security" -or GroupCategory -eq "Distribution"' -SearchBase $searchOU

$adgroup | ForEach-Object {
    $group = $_
    # -Recursive also returns members of nested groups; keep only user objects,
    # because Get-ADUser fails on other member types such as computers
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
        Where-Object { $_.Enabled -eq $false } |
        ForEach-Object {
            $user = $_
            $uname = $user.Name
            $gname = $group.Name
            Write-Host "Removing $uname from $gname" -ForegroundColor Yellow
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
}
```
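A report-first variant of the same cleanup, added here as an example and not part of the original script: it records each disabled user's direct memberships in groups under the same OU to a CSV, then runs the removals with `-WhatIf` so nothing changes until the report has been reviewed. The `$reportPath` value and the CSV column names are assumptions.

```powershell
# Added example (not the original author's script): audit first, remove second.
Import-Module ActiveDirectory

$searchOU   = "OU=Groups,DC=domain,DC=local"   # same placeholder OU as the script above
$reportPath = ".\disabled-members.csv"         # hypothetical report location

# Index every security and distribution group under $searchOU by its DN
$groups = @{}
Get-ADGroup -Filter * -SearchBase $searchOU |
    ForEach-Object { $groups[$_.DistinguishedName] = $_ }

# One query for all disabled users; MemberOf lists their direct group memberships
$findings = @(
    Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf | ForEach-Object {
        $user = $_
        foreach ($dn in $user.MemberOf) {
            if ($groups.ContainsKey($dn)) {
                [pscustomobject]@{
                    User     = $user.SamAccountName
                    UserDN   = $user.DistinguishedName
                    Group    = $groups[$dn].Name
                    GroupDN  = $dn
                    Category = $groups[$dn].GroupCategory
                }
            }
        }
    }
)

# Keep a record of every membership that is about to be removed
$findings | Export-Csv -Path $reportPath -NoTypeInformation

# Dry run: drop -WhatIf once the CSV has been reviewed
foreach ($f in $findings) {
    Remove-ADGroupMember -Identity $f.GroupDN -Members $f.UserDN -Confirm:$false -WhatIf
}
```

The CSV doubles as a restore list if an account is later re-enabled and needs its memberships back.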
Hope this helps!