Mark Minasi's Tech Forum
malguire (Still Checking the Forum Out, Posts: 2) #1
Is there a way in Group Policy to remove groups from a user account in AD?  We are looking for a way to set a user account group membership back to just domain users and remove all other groups the user was a member of.
jsclmedave (Administrator, Posts: 417) #2
Making this change on the AD User Object is pretty easy.  Not sure if it is something you would want to do via a GP.

Is there a reason you are looking at GP for this user?

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
malguire (Still Checking the Forum Out, Posts: 2) #3
Should have put more details in my initial post.  We are trying to find a way to remove all groups from user accounts except for the "Domain Users" account.  The accounts are people that go from faculty, staff or student OUs into our Alumni OU.  So I was looking to be able to set up a GP on that OU that would automatically remove the other groups from these accounts as they are moved into this OU.  It would just be one less thing that we would have to remember to do manually (which is how we do it now).
gpoguy (New Friend (or an Old Friend who Built a New Account), Posts: 48) #4
This is definitely not a job for Group Policy. If this is a one-time operation then you can script it using PowerShell. If it's an ongoing need, then some kind of identity management system is what you need here, but Group Policy was not designed, nor is it a good idea, to try to use, for example, Restricted Groups policy to manage AD groups, and there is no mechanism you can use to manage AD user accounts using GP. So, I would look at something like an automated AD provisioning solution. Check out Cayosoft (www.cayosoft.com); I think this falls into their realm.

Darren

__________________
Darren Mar-Elia
MS-Group Policy MVP
Founder--SDM Software (https://sdmsoftware.com)
Need Group Policy Training? Check out my Group Policy Fundamentals course: http://pluralsight.com/courses/group-policy-fundamentals
Phil-n-JaxFL (Grumpy Old Men, Posts: 75) #5

I wrote this script to find all accounts 90 days or older that have not logged in (of course, you must remove any service accounts or ones you want to keep):
#Written by Phil Robeson

#Script to get a list of inactive users over a 90 day period.
#Requires the ActiveDirectory (RSAT) module. lastLogonTimestamp is replicated with a lag of up to 14 days, so treat the cutoff as approximate.
#Accounts that never logged on have no lastLogonTimestamp; FromFileTime(0) yields year 1601, so they count as inactive too.
Import-Module ActiveDirectory

Get-ADUser -Filter * -SearchScope Subtree -SearchBase "DC=<yourDomain>,DC=com" -Properties DisplayName,lastLogonTimestamp |
    Where-Object { ((Get-Date) - [datetime]::FromFileTime($_.lastLogonTimestamp)).TotalDays -gt 90 } |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName |
    Export-Csv -Path "c:\users\<yourUsername>\desktop\InactiveAccounts.csv" -NoTypeInformation

Open the InactiveAccounts.csv, remove anything and everything that you do not want disabled and moved to your disabled OU (this includes, "SamAccountName" and any service accounts or any others...ONLY have the user accounts you want disabled and moved in this csv):

#Written by Phil Robeson.

#Takes a list of users from the InactiveAccounts.csv file and disables those accounts and then moves them to your disabled user accounts OU.
#Export-Csv wraps every value in double quotes, so strip them; also skip blank lines and the header row if it was left in the file.
$users = Get-Content -Path c:\users\<yourUseraccount>\desktop\InactiveAccounts.csv |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ -and $_ -ne 'SamAccountName' -and -not $_.StartsWith('#') }

foreach ($user in $users) {
    # Look the account up once and reuse the object for both the disable and the move.
    $adUser = Get-ADUser -Identity $user
    Disable-ADAccount -Identity $adUser
    Move-ADObject -Identity $adUser.DistinguishedName -TargetPath "OU=Disabled Accounts,DC=<yourDomain>,DC=com"
}

Now we clear the groups:

#Written by Phil Robeson.

#This script will clear all groups from the user's account with the exception of Domain Users.
#memberOf never lists the account's primary group (Domain Users by default), which is why that one survives;
#if an account's primary group was changed to something else, that other group is what gets kept.
#The OU name must match the TargetPath used in the move script above.
$MyDomainDisabledaccount = [adsi]"LDAP://OU=Disabled Accounts,DC=<yourDomain>,DC=com"

$disabledaccounts = $MyDomainDisabledaccount.Children

foreach ($userObject in $disabledaccounts) {
    # The OU's children can include computers, groups or nested OUs; only touch user objects.
    if ($userObject.SchemaClassName -ne 'user') { continue }

    foreach ($groupDn in $userObject.memberOf) {
        $group = [ADSI]"LDAP://$groupDn"
        # IADsGroup.Remove takes the member's ADsPath, not its DN.
        $group.Remove("LDAP://$($userObject.distinguishedName)")
    }
}


__________________
Phil
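For the OP's ongoing case (accounts arriving in the Alumni OU), the same group reset can be done with the ActiveDirectory module instead of ADSI, with a dry-run switch and a log of what was removed. This is an added example, not code from any poster in the thread; the OU path and log path are placeholders.

```powershell
# Added example: reset every user directly under an OU to its primary group only.
# Assumes the RSAT ActiveDirectory module; SearchBase and LogPath are placeholders.
Import-Module ActiveDirectory

function Reset-UserGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string] $LogPath = "$env:USERPROFILE\Desktop\GroupRemovals.csv"
    )

    $removals = @()
    $users = Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter * `
                        -Properties MemberOf, PrimaryGroupID

    foreach ($user in $users) {
        # MemberOf never lists the primary group, so it is kept automatically. The goal
        # in the thread is "just Domain Users" (RID 513); warn when the primary group
        # is something else, because that group would be the one left behind.
        if ($user.PrimaryGroupID -ne 513) {
            Write-Warning "$($user.SamAccountName): primary group RID is $($user.PrimaryGroupID), not Domain Users (513)"
        }
        if (-not $user.MemberOf) { continue }

        $count = @($user.MemberOf).Count
        # ShouldProcess honours -WhatIf / -Confirm passed to this function, so a dry
        # run reports the changes without touching AD or writing the log.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove $count group membership(s)")) {
            # Record what is removed first, so the change is auditable and reversible.
            foreach ($groupDn in $user.MemberOf) {
                $removals += [pscustomobject]@{ User = $user.SamAccountName; Group = $groupDn; When = Get-Date }
            }
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $user.MemberOf -Confirm:$false
        }
    }

    if ($removals) { $removals | Export-Csv -Path $LogPath -NoTypeInformation -Append }
    return $removals
}

# Dry run first, then the real run once the output looks right (placeholder domain):
Reset-UserGroupMembership -SearchBase 'OU=Alumni,DC=<yourDomain>,DC=com' -WhatIf
# Reset-UserGroupMembership -SearchBase 'OU=Alumni,DC=<yourDomain>,DC=com'
```

Run it from a scheduled task under an account delegated only write access to the member attribute of the groups involved, rather than as a Domain Admin.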