How To Remove All Group Memberships From an Active Directory User Account Except the Domain Users Group Using PowerShell
It often happens that a few users leave the company or organization, but for some reason you still need to keep their accounts active so they can still communicate through email, while at the same time you do not want them to have any access to shared folders or other resources. In these circumstances group membership comes in very handy: you remove all of the account's group memberships except Domain Users, which keeps the account active for the time being but without any permissions granted through groups.
If you need to remove or modify group membership for one user, it is not an issue at all, and you can achieve that in a few clicks. If you need to do it for hundreds of accounts, though, it would take days to complete through the GUI.
In these circumstances PowerShell always comes to the rescue. This blog post will show how to remove all group memberships from an Active Directory account without removing the Domain Users group.
Removing Group Membership Using Active Directory Group
To proceed, we will need the user's SamAccountName from Active Directory. There are several ways to get it, and I will show you the two most commonly used ones.
Getting the SamAccountName From AD Group Membership And Removing Group Membership
If you manage your inactive users through an Active Directory group, it becomes very easy to get the SamAccountNames of all the inactive users. Execute the command below in your PowerShell console to get the SamAccountName of every member of the Active Directory group called Inactive Accounts. In the example below, the variable $SamAccountNames will hold the SamAccountNames of the users who are members of that group.
After getting the SamAccountNames, we run a foreach loop that stores all of each user's group memberships except Domain Users in a variable called $ADGroups, and on the next line removes the user from those groups. Domain Users is normally the user's primary group, which Active Directory will not let you remove with Remove-ADPrincipalGroupMembership anyway, so it is filtered out rather than removed. The membership check before the removal matters too: a user who is only in Domain Users would leave $ADGroups empty, and Remove-ADPrincipalGroupMembership errors out when -MemberOf is empty.
Powershell Code Example:
# Getting the SamAccountNames of all the inactive users from the group called "Inactive Accounts"
$SamAccountNames = (Get-ADGroupMember -Identity "Inactive Accounts").SamAccountName
# Looping through the SamAccountNames and saving each user's group membership, excluding the Domain Users group, in the variable $ADGroups
foreach ($SamAccountName in $SamAccountNames) {
    $ADGroups = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Where-Object { $_.Name -ne "Domain Users" }
    # Removing the group membership from the user account (skipped when the user is only in Domain Users, otherwise -MemberOf would be empty)
    if ($ADGroups) {
        Remove-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $ADGroups -Confirm:$false -Verbose
    }
}
Getting the SamAccountName From Email Addresses And Removing Group Membership
Most of the time you will receive the information in a text or CSV file, and usually it will contain only the users' email addresses. In this second example I will show you how to get the SamAccountName from the email addresses provided in such a file.
First, we import the content of the text file (one email address per line) with Get-Content and save it in the variable $Emails.
Once the email addresses are saved in a variable, we run a foreach loop that looks up each user by email address with Get-ADUser -Filter and saves the resulting SamAccountName in the variable $SamAccountName. If no account matches the address, the loop warns and moves on instead of passing an empty identity to the next commands. After getting the SamAccountName from the email address, everything is the same as in the first example.
Powershell Code Example:
# Getting the users' email addresses from a text file (one address per line) and saving them in the variable $Emails
$Emails = Get-Content -Path "C:\users.txt"
# Looping through the email addresses, looking up each user's SamAccountName, then saving and removing the group membership as above
foreach ($Email in $Emails) {
    # SamAccountName is returned by default, so -Properties * is not needed here
    $SamAccountName = (Get-ADUser -Filter { EmailAddress -eq $Email }).SamAccountName
    if (-not $SamAccountName) {
        Write-Warning "No user found with email address $Email"
        continue
    }
    # Saving group information, excluding the Domain Users group
    $ADGroups = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Where-Object { $_.Name -ne "Domain Users" }
    # Removing group membership (skipped when there is nothing to remove)
    if ($ADGroups) {
        Remove-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $ADGroups -Confirm:$false -Verbose
    }
}
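Both examples above do the same removal, and in a real clean-up you usually want a few extra things: a dry run before anything is changed, a record of what each user was a member of so that a removal can be undone, and a guard against an ambiguous lookup touching the wrong account. The function below is an added example that is not part of the original post; it accepts SamAccountNames and email addresses through one parameter, backs up the memberships it is about to remove to a CSV file, and supports -WhatIf. The function name, its parameters and the default backup path are my own choices, and it assumes the ActiveDirectory RSAT module and an account allowed to change group membership.

```powershell
# Added example (not from the original post). Resolves users by SamAccountName or
# email address, backs up the group membership it is about to remove, and removes
# every group except those listed in -Keep (Domain Users by default).
# Assumes the ActiveDirectory module; function and parameter names are my own.
Import-Module ActiveDirectory

function Remove-AllGroupsExceptDomainUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # SamAccountNames and/or email addresses, e.g. from Get-Content or Get-ADGroupMember
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,

        # Groups that must never be removed
        [string[]]$Keep = @('Domain Users'),

        # CSV record of what was removed, so the membership can be restored later
        [string]$BackupPath = "$env:TEMP\group-membership-backup.csv"
    )

    process {
        foreach ($id in $Identity) {
            # Email addresses contain '@', SamAccountNames do not. The filter is passed as a
            # script block with a plain variable so no quoting of the value is needed.
            if ($id -like '*@*') {
                $user = Get-ADUser -Filter { EmailAddress -eq $id } -Properties PrimaryGroup
            } else {
                $user = Get-ADUser -Filter { SamAccountName -eq $id } -Properties PrimaryGroup
            }

            if (-not $user) {
                Write-Warning "No user found for '$id'; skipping."
                continue
            }
            if (@($user).Count -gt 1) {
                Write-Warning "'$id' matched $(@($user).Count) accounts; skipping so the wrong account is not touched."
                continue
            }

            # Everything the user is a member of, minus the groups to keep and the primary group
            # (the primary group cannot be removed with Remove-ADPrincipalGroupMembership anyway)
            $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName |
                Where-Object { $Keep -notcontains $_.Name -and $_.DistinguishedName -ne $user.PrimaryGroup }

            if (-not $groups) {
                Write-Verbose "$($user.SamAccountName) has no groups to remove."
                continue
            }

            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $(@($groups).Count) group(s)")) {
                # Record what is being removed before removing it; nothing is written on a -WhatIf run
                $groups | ForEach-Object {
                    [pscustomobject]@{
                        SamAccountName = $user.SamAccountName
                        Group          = $_.DistinguishedName
                        RemovedAt      = (Get-Date).ToString('o')
                    }
                } | Export-Csv -Path $BackupPath -Append -NoTypeInformation

                Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Confirm:$false
                Write-Verbose "Removed $($user.SamAccountName) from: $($groups.Name -join ', ')"
            }
        }
    }
}

# Usage: dry run first, then the real run with progress output
# Get-ADGroupMember -Identity 'Inactive Accounts' | Select-Object -ExpandProperty SamAccountName |
#     Remove-AllGroupsExceptDomainUsers -WhatIf
# Get-Content -Path 'C:\users.txt' | Remove-AllGroupsExceptDomainUsers -Verbose
```

Run it with -WhatIf first and read the output: it lists each account and how many groups would be removed without changing anything or writing the backup file. The backup CSV holds one row per removed membership with the group's distinguished name, so a user can be put back with Add-ADPrincipalGroupMembership from that file if the removal turns out to be a mistake.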
You are free to modify anything you want in the scripts, and if you want to learn more awesome stuff, feel free to share and bookmark our blog MSAGURU.