
The majority of the system administrators I’ve met forget this very important rule. When an account is no longer needed, remove its membership from the security/distribution groups; otherwise you get disabled accounts showing up in groups, and that looks ugly.

You will need Quest ActiveRoles for PowerShell installed to get this working.

Depending on the size of your organization, you may need to increase the result limit to 3000 or more. The default is 1000.

Set-QADPSSnapinSettings -DefaultSizeLimit 3000

Next, create a list of the accounts that you will be modifying, so we know what we will be removing.

Get-QADUser -disabled | Out-File C:\_Scripts\disabled_user_stripped_groups.txt

Once you have the list saved, execute the following:

# Collect every disabled user account
$dUsers = Get-QADUser -Disabled
foreach ($user in $dUsers)
{
    # Remove the user from each group it is a member of
    foreach ($grp in (Get-QADMemberOf $user))
    {
        Remove-QADGroupMember $grp $user
    }
}

Group membership is now stripped from every disabled user account.
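The list saved above records only the disabled accounts, not which groups each one belonged to. The following added example (not from the original post) snapshots every user/group pair to a CSV before removing anything and defaults to a dry run; the CSV path and the `$DryRun` variable are assumptions.

```powershell
# Added example, not from the original post.
# Assumptions: the CSV path and the $DryRun variable are illustrative names.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$DryRun  = $true   # set to $false to actually remove memberships
$LogFile = 'C:\_Scripts\disabled_user_group_backup.csv'

# Snapshot every (user, group) pair first so each removal can be reversed.
# -SizeLimit 0 lifts the result cap for this one query.
$pairs = @(
    foreach ($user in (Get-QADUser -Disabled -SizeLimit 0)) {
        foreach ($grp in (Get-QADMemberOf $user)) {
            New-Object PSObject -Property @{
                User    = $user.SamAccountName
                UserDN  = $user.DN
                Group   = $grp.Name
                GroupDN = $grp.DN
            }
        }
    }
)

if ($pairs.Count -eq 0) {
    Write-Host 'No group memberships found for disabled accounts.'
    return
}

$pairs | Export-Csv -Path $LogFile -NoTypeInformation
Write-Host "Recorded $($pairs.Count) memberships in $LogFile"

foreach ($p in $pairs) {
    try {
        # -WhatIf:$true only reports what would be removed.
        Remove-QADGroupMember -Identity $p.GroupDN -Member $p.UserDN `
            -WhatIf:$DryRun -ErrorAction Stop | Out-Null
    }
    catch {
        # A removal can fail, for example because Active Directory refuses
        # to remove an account from its primary group. Log it and continue.
        Write-Warning "Could not remove $($p.User) from $($p.Group): $_"
    }
}
```

If an account is later re-enabled, the rows for that user in the CSV give the group DNs to pass back to `Add-QADGroupMember`.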
