PowerShell - add an exclusion into Remove-ADGroupMember command?

Time:04-20

When somebody leaves my organization, we remove all AD group memberships apart from the PrimaryGroup which is Domain Users. We often process these in batches, so pull the affected usernames from a CSV file.

I have the following code, and while it does the job of deleting all group memberships, I get an error for each user:

The user cannot be removed from a group because the group is currently the user's primary group

Whilst it does the job, how can I "clean up" the process to avoid this message each time? Is there a way to exclude Domain Users from the groups it removes the user from, or should I do this another way?

$users = Import-Csv "c:\temp\leavers.csv"

foreach ($user in $users) {
    # Removes the user from every group returned, including the primary group,
    # which is what triggers the error quoted above for each user.
    Get-ADPrincipalGroupMembership -Identity $user.username |
        ForEach-Object { Remove-ADGroupMember $_ -Members $user.username -Confirm:$false }
}

CodePudding user response:

You can use Where-Object for filtering out those groups that are in an array of groups to exclude. In case you only want to filter for 1 specific group, you would use -NE instead of -NotIn in the example below.

# Group names that must never be removed; 'someOtherGroup' is just a placeholder
$groupToExclude = 'Domain Users', 'someOtherGroup'
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
    try {
        # Pipe the remaining group objects straight into Remove-ADGroupMember (-Identity binds by value).
        # -ErrorAction Stop turns the cmdlet's non-terminating errors into ones the catch block sees.
        Get-ADPrincipalGroupMembership -Identity $user.username |
            Where-Object Name -NotIn $groupToExclude |
                Remove-ADGroupMember -Members $user.username -Confirm:$false -ErrorAction Stop
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}

CodePudding user response:

If you get the ADUser object before the ADGroup memberships, you can get the PrimaryGroup of the user and ensure that the list of groups to remove from does not include its PrimaryGroup:

$users = Import-Csv "c:\temp\leavers.csv"

foreach ($user in $users) {
  # PrimaryGroup is returned as the group's distinguished name
  $primaryGroup = ( Get-ADUser $user.UserName -Properties PrimaryGroup ).PrimaryGroup

  # Compare the group's DistinguishedName with the primary group DN, so the check
  # works regardless of what the primary group is called
  Get-ADPrincipalGroupMembership -Identity $user.UserName | Where-Object {
    $_.DistinguishedName -ne $primaryGroup
  } | ForEach-Object {
    Remove-ADGroupMember $_ -Members $user.username -Confirm:$False -WhatIf
  }
}

Since this has the potential to be a very destructive command, I have included a safeguard in the example above. Remove the -WhatIf parameter from Remove-ADGroupMember to actually perform the removal.
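Added example, not code from either answer above: a script that combines the two approaches (excluding the primary group by its DistinguishedName, plus an optional list of group names to keep), honours -WhatIf and -Confirm for the whole run through SupportsShouldProcess, skips accounts that cannot be found, and writes one audit record per removed membership so an offboarding run leaves evidence of exactly what changed. The CSV layout (a username column, as in the question), the file paths, the log file name and the script name are assumptions.

```powershell
# Added example (not from the original question or answers). Assumes the
# ActiveDirectory module and a CSV with a 'username' column; paths are assumed.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = 'c:\temp\leavers.csv',          # assumed path (as in the question)
    [string]$LogPath = 'c:\temp\leavers-removals.csv', # assumed audit log location
    [string[]]$KeepGroups = @()                         # extra group names to keep
)

$users = Import-Csv -Path $CsvPath
$log   = foreach ($row in $users) {
    try {
        # Read the user and its primary group in one call; -ErrorAction Stop turns
        # a missing account into a catchable error instead of a silent skip.
        $adUser = Get-ADUser -Identity $row.username -Properties PrimaryGroup -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$($row.username)': $($_.Exception.Message)"
        continue
    }

    $groups = Get-ADPrincipalGroupMembership -Identity $adUser.DistinguishedName |
        Where-Object {
            # Compare on DistinguishedName, not Name: the primary group may have
            # been renamed or may not be 'Domain Users' for every account.
            $_.DistinguishedName -ne $adUser.PrimaryGroup -and $_.Name -notin $KeepGroups
        }

    foreach ($group in $groups) {
        # ShouldProcess makes -WhatIf / -Confirm on the script apply to every removal.
        if ($PSCmdlet.ShouldProcess("$($adUser.SamAccountName) from $($group.Name)", 'Remove membership')) {
            try {
                # The script already asked for confirmation, so suppress the cmdlet's own prompt.
                Remove-ADGroupMember -Identity $group -Members $adUser -Confirm:$false -ErrorAction Stop
                $status = 'Removed'
            }
            catch {
                $status = "Failed: $($_.Exception.Message)"
            }
            # One audit record per group membership touched.
            [pscustomobject]@{
                Timestamp = (Get-Date).ToString('o')
                User      = $adUser.SamAccountName
                Group     = $group.DistinguishedName
                Status    = $status
            }
        }
    }
}

if ($log) { $log | Export-Csv -Path $LogPath -NoTypeInformation -Append }
```

Run it as `.\Remove-LeaverGroups.ps1 -WhatIf` first to see which memberships would be removed without changing anything, then without -WhatIf (or with -Confirm to approve each removal). Because the primary group is matched on its DN taken from the user object rather than on the name "Domain Users", the check still holds for accounts whose primary group has been changed, and the audit CSV records failures (for example a group the operator lacks rights on) alongside successful removals.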
