Remove all security groups from disabled AD users with a PowerShell script

Question (votes: 0, answers: 1)

I'm somewhat new to this, but I'm currently trying to remove all groups, except the primary group, from the disabled users in a sub-OU.

Currently my domain environment looks like this:

-company.example.com (domain) 
 -CompanyName (OU) 
   -Users (OU) >
     -Location 1 (OU)
     -Location 2 (OU)
   ServiceAcct (OU)

Currently my PowerShell script is as follows:

$searchOU = "OU=CompanyName,DC=company,DC=example,DC=com"
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort-Object Name | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | 
    Get-ADUser | Where-Object { $_.Enabled -eq $false} | ForEach-Object {
        Write-Host "Removing $($_.Name) from $($group.Name)" -Foreground Yellow
        Remove-ADGroupMember -Identity $group -Member $_ -Confirm:$false #-whatif
    }
}

This runs, but the problem is that some of the disabled users are service accounts that need their security groups, so I need to target CompanyName > Users > Location 1 more precisely to avoid messing up the service accounts. But when I add the sub-OU path (Location 1) and run the following:

$searchOU = 'OU=Location1, OU=Users,OU=CompanyName,DC=company,DC=example,DC=com'
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort-Object Name | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | 
    Get-ADUser | Where-Object { $_.Enabled -eq $false } | ForEach-Object {
        Write-Host "Removing $($_.Name) from $($group.Name)" -Foreground Yellow
        Remove-ADGroupMember -Identity $group -Member $_ -Confirm:$false #-whatif
    }
}

When I run the sub-OU on its own, nothing happens:

$searchOU = "OU=Location1,DC=company,DC=example,DC=com"
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort-Object Name | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | 
    Get-ADUser | Where-Object { $_.Enabled -eq $false} | ForEach-Object {
        Write-Host "Removing $($_.Name) from $($group.Name)" -Foreground Yellow
        Remove-ADGroupMember -Identity $group -Member $_ -Confirm:$false #-whatif
    }
}

I get the following error:

Get-ADGroup : Directory object not found
At line:2 char:1
+ Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $searchOU | Sort- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFou 
   ndException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

What am I missing in this code to reach the sub-OU?

powershell active-directory
1 Answer

0 votes

If you want to remove all group memberships from the disabled users in a specific OU, then Get-ADGroup should not be your starting point; use Get-ADUser instead, with a "disabled" filter:

$searchOU = 'OU=Location1,OU=Users,OU=CompanyName,DC=company,DC=example,DC=com'

# -SearchBase restricts the query to this OU and its children
# (-SearchScope only accepts Base/OneLevel/Subtree, so it cannot take a DN).
Get-ADUser -Filter 'Enabled -eq $false' -Properties memberOf -SearchBase $searchOU |
    ForEach-Object {
        # memberOf never lists the primary group, so that membership is preserved.
        # -MemberOf rejects an empty value, hence the guard for users with no groups.
        if ($_.MemberOf) {
            Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $_.MemberOf -Confirm:$false
            Write-Host "Removed $($_.SamAccountName) from:`n$($_.MemberOf -join "`n")"
        }
    }
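As an added example (not part of the answer above or of the original post), a dry-run-first variant of the same approach that records every membership to a CSV before removing anything, so the change can be audited and reverted if a service account is caught by mistake. The OU path is the one from the question; the -Commit switch, the log location and the restore snippet are my assumptions.

```powershell
# Added example: remove group memberships from disabled users in one OU,
# logging first so the change is reversible. Assumed (not from the post):
# the -Commit switch, the log path and the restore one-liner at the end.
param(
    [string]$SearchOU = 'OU=Location1,OU=Users,OU=CompanyName,DC=company,DC=example,DC=com',
    [string]$LogPath  = "$env:TEMP\disabled-user-groups-$(Get-Date -Format yyyyMMdd-HHmm).csv",
    [switch]$Commit   # without -Commit the script only reports what it would do
)

Import-Module ActiveDirectory

# Scoping to the Location1 OU keeps the ServiceAcct OU out of the result set entirely.
$users = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchOU -Properties memberOf

$log = foreach ($u in $users) {
    # memberOf does not contain the primary group (Domain Users by default), so it stays.
    foreach ($dn in $u.memberOf) {
        [pscustomobject]@{ User = $u.SamAccountName; UserDN = $u.DistinguishedName; GroupDN = $dn }
    }
}

# Write the audit record before touching AD: it is the data you restore from.
$log | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host "Logged $($log.Count) memberships for $($users.Count) disabled users to $LogPath"

foreach ($u in $users) {
    if (-not $u.memberOf) { continue }   # -MemberOf does not accept an empty value
    if ($Commit) {
        Remove-ADPrincipalGroupMembership -Identity $u -MemberOf $u.memberOf -Confirm:$false
    } else {
        Remove-ADPrincipalGroupMembership -Identity $u -MemberOf $u.memberOf -WhatIf
    }
}

# To put the memberships back from the log (inverse of the removal):
# Import-Csv $LogPath | Group-Object User | ForEach-Object {
#     Add-ADPrincipalGroupMembership -Identity $_.Group[0].UserDN -MemberOf $_.Group.GroupDN }
```

Run it once without -Commit and review the CSV and the -WhatIf output before running it again with -Commit.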