Tag: lists

  • Remove disabled users from Distribution Lists & Security Groups in Active Directory

    One of my clients had several disabled users showing up in distribution lists and security groups, and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy.

    The following PowerShell script searches the security groups and distribution groups under a given OU for members whose user accounts are disabled and removes them:

    # This script removes all disabled users from every security and distribution group in the specified "searchOU"
    
    Import-Module ActiveDirectory
    
    $searchOU = "OU=Groups,DC=domain,DC=local"
    
    # GroupCategory is always either Security or Distribution, so this returns every group under the OU
    $adgroups = Get-ADGroup -Filter 'GroupCategory -eq "Security" -or GroupCategory -eq "Distribution"' -SearchBase $searchOU
    
    $adgroups | ForEach-Object {
        $group = $_
        # Direct members only: Remove-ADGroupMember can only remove a direct member of the group,
        # so a -Recursive listing would also surface users who belong via a nested group and the
        # removal would fail for them. Computers and nested groups are skipped; only user objects are checked.
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
            Where-Object { $_.Enabled -eq $false } |
            ForEach-Object {
                $user = $_
                Write-Host "Removing $($user.Name) from $($group.Name)" -ForegroundColor Yellow
                # Add -WhatIf to the line below on the first run to preview the removals without making them
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            }
    }

    Hope this helps!

  • Remove group membership of disabled accounts

    The majority of the system administrators I've met forget this very important rule: when an account is no longer needed, remove its membership from the security and distribution groups; otherwise you get disabled accounts showing up in groups, and that looks ugly.

    You will need the Quest ActiveRoles Management Shell for Active Directory (the QAD cmdlets) installed to get this working.

    Depending on the size of your organization you may need to raise the maximum number of results a QAD query returns to 3000 or more; the default is 1000, and a larger directory would otherwise be silently truncated:

    Set-QADPSSnapinSettings -DefaultSizeLimit 3000

    Next, save a list of the accounts that will be modified, so there is a record of what is being changed:

    Get-QADUser -disabled | Out-File C:\_Scripts\disabled_user_stripped_groups.txt

    Once the list is saved, execute the following:

    # Load the QAD cmdlets if they are not already loaded in this session
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
    
    # Every disabled user account (subject to the size limit set above)
    $dUsers = Get-QADUser -Disabled
    foreach ($user in $dUsers)
    {
        # Each group the disabled account is a member of
        foreach ($grp in (Get-QADMemberOf $user))
        {
            Remove-QADGroupMember $grp $user
        }
    }

    Every disabled user account is now stripped from all of the groups it belonged to.
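Both posts above do the same job, one group by group with the RSAT ActiveDirectory module and one user by user with the Quest cmdlets. The script below is an added example, not code from either post, that approaches the cleanup from the user side with the RSAT ActiveDirectory module, so that groups outside a single OU are not missed, and adds the two things a practitioner usually wants before running this in production: a dry run via -WhatIf, and a CSV log of every membership removed so the change can be rolled back. The parameter names, the log path and the domain are illustrative assumptions.

```powershell
# Added example (not from either post above): remove every disabled user from every
# group it is a direct member of, with -WhatIf support and a rollback log.
# Assumes the RSAT ActiveDirectory module and a domain-joined, authorised session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter: where the rollback log is written (one row per removal)
    [string]$LogPath = "C:\_Scripts\disabled_user_group_removals.csv",
    # Hypothetical parameter: only consider users under this OU; default is the whole domain
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)

Import-Module ActiveDirectory

# Start from the disabled users rather than from the groups: memberOf lists every group
# (in this domain) the account is a direct member of, regardless of which OU the group lives in.
$disabledUsers = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
    -Properties MemberOf, PrimaryGroup

$removed = foreach ($user in $disabledUsers) {
    foreach ($groupDn in $user.MemberOf) {
        # The primary group (normally Domain Users) cannot be removed with Remove-ADGroupMember.
        # It is not listed in memberOf, but guard against it anyway in case the primary group was changed.
        if ($groupDn -eq $user.PrimaryGroup) { continue }

        $group = Get-ADGroup -Identity $groupDn

        # ShouldProcess returns $false under -WhatIf and prints what would have happened instead
        if ($PSCmdlet.ShouldProcess("$($user.SamAccountName) from $($group.Name)", "Remove group membership")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false

            # Emit one log record per real removal; DNs are kept so the change can be reversed exactly
            [pscustomobject]@{
                When    = (Get-Date).ToString('s')
                User    = $user.SamAccountName
                UserDN  = $user.DistinguishedName
                Group   = $group.Name
                GroupDN = $group.DistinguishedName
            }
        }
    }
}

# Only write the log when something was actually removed (a -WhatIf run produces no records)
if ($removed) {
    $removed | Export-Csv -Path $LogPath -NoTypeInformation -Append
    Write-Host "Removed $($removed.Count) membership(s); log written to $LogPath" -ForegroundColor Yellow
}
```

Run it first as `.\Remove-DisabledGroupMembers.ps1 -WhatIf` (the file name is an assumption) and read the "What if:" lines before running it for real. To put a user back into a group after the fact, feed the log rows to `Add-ADGroupMember -Identity $_.GroupDN -Members $_.UserDN`. One caveat: memberOf is computed by the local domain, so domain-local groups in other domains of the forest that contain the user are not listed and would need a separate pass in those domains.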