Delete a Windows group in Active Directory
I am doing a cleanup of some AD groups that are no longer used. One of the AD groups I could not delete because it seems that a member has this group set as the primary group (which I assume someone did by accident). Is there an easy way to find out who has this group set as primary?
You'll need to get the primaryGroupToken value of the group in question:
- Use adsiedit to examine the group you want to delete. Make note of the primaryGroupToken attribute's value.
- Create a Saved Query in Active Directory Users and Computers using the following "Custom Search", where XXX = the value you found for primaryGroupToken:
  (&(objectCategory=person)(objectClass=user)(primaryGroupID=XXX))
Refresh the query to see who shows up.
Alternatively - if all users are expected to be members of Domain Users as their primary group, just define the query using (513 is the typical value for Domain Users):
(&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))
Additional Links:
http://support.microsoft.com/default.aspx?scid=kb;en-us;321360
http://support.microsoft.com/default.aspx?scid=kb;en-us;297951
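An added example, not part of either answer, that does the same lookup from PowerShell with the ActiveDirectory module instead of an ADUC saved query: it reads the group's primaryGroupToken, runs the same LDAP filter, lists the users whose primaryGroupID points at the group, and optionally points them back at Domain Users (RID 513) so the group can be deleted. The group name 'OldGroup-Placeholder' is an assumed placeholder, the RSAT ActiveDirectory module is assumed to be installed, and the two change cmdlets carry -WhatIf so nothing is modified until that switch is removed.

```powershell
# Added example (not from the original answers). Assumes the RSAT ActiveDirectory
# module; 'OldGroup-Placeholder' is a placeholder for the group that cannot be deleted.
Import-Module ActiveDirectory

$GroupName = 'OldGroup-Placeholder'

# primaryGroupToken is a constructed attribute, so it must be requested explicitly
$group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken
$token = $group.primaryGroupToken

# Same filter as the saved query above, with the RID substituted for XXX
$filter  = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=$token))"
$holders = Get-ADUser -LDAPFilter $filter -Properties primaryGroupID, memberOf

if (-not $holders) {
    "No user has '$GroupName' (RID $token) as primary group; it can be deleted."
    return
}

"Users with '$GroupName' as primary group:"
$holders | Select-Object SamAccountName, DistinguishedName, primaryGroupID | Format-Table -AutoSize

# Optional fix: point each user back at Domain Users (normally RID 513).
# AD only accepts a new primaryGroupID if the user is already a member of that group,
# so the membership is added first where it is missing. Remove -WhatIf to apply.
$domainUsers = Get-ADGroup -Identity 'Domain Users' -Properties primaryGroupToken
foreach ($u in $holders) {
    if ($u.memberOf -notcontains $domainUsers.DistinguishedName) {
        Add-ADGroupMember -Identity $domainUsers -Members $u -WhatIf
    }
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = $domainUsers.primaryGroupToken } -WhatIf
}
```

One caveat when applying the fix: when a user's primary group changes, AD writes the user into the old group's member attribute as an explicit member, so after the switch the group still has members that must be removed (or the group deleted with them) before the cleanup is complete. Running the listing part again afterwards confirms that no primaryGroupID references remain.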
Great Question!
Just by giving the privileges
To delete a Windows group in Active Directory
Open notepad
Copy and paste below text to notepad
Save the file with .ps1 extension.
---------- SCRIPT STARTS HERE--------------
# VERSION 2
# 4/19/2010
# Script to modify termed users:
# 1. Pull termed users from CSV and remove user group membership
# 2. Clear Manager property
# 3. Hide from GAL
# 4. Move to Disabled OU
# 5. Rename CSV to completed date, move to completed
# The *-QAD* cmdlets come from the Quest ActiveRoles snap-in
Add-PSSnapin Quest.ActiveRoles.ADManagement

$groupmembershiplog = "c:\removeADAttributes\group_membership_log.csv"
$erroractionpreference = "SilentlyContinue"   # non-terminating errors are not reported
$termfile = Test-Path -Path "C:\removeADAttributes\termed_employees.csv"

If ($termfile) {
    $inputcsv = "C:\removeADAttributes\termed_employees.csv"
    $completeddir = "C:\removeADAttributes\completed\"
    $date = Get-Date -format d

    import-CSV $inputcsv | foreach-object {
        $username = $_.account
        # export groups to file
        $groups = (Get-QADUser $username).memberof
        Add-Content $groupmembershiplog "$username,$groups"
        # remove groups (all except Domain Users)
        $groups | Get-QADGroup | where {$_.name -ne "domain users"} | Remove-QADGroupMember -Member $username
        # clear Manager
        Set-QADUser -Identity $username -objectattributes @{"Manager"="$null"}
        # move to the Disabled Accounts OU under the user's top-level OU
        $currentuser = Get-QADUser -Identity $username -SizeLimit 1
        $currentOU = $currentuser.parentcontainer
        $currentOU = $currentOU.Split('/')
        $currentOU = $currentOU[1]
        Move-QADObject -identity $username -NewParentContainer "domainname.com/$currentOU/Disabled Accounts"
    }

    # hide from GAL
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
    import-CSV $inputcsv | foreach-object {
        $username = $_.account
        Set-Mailbox -Identity $username -HiddenFromAddressListsEnabled $true
    }

    # log each processed account
    import-CSV $inputcsv | foreach-object {
        $username = $_.account
        Add-Content "C:\removeADAttributes\removeADAttributes_log.csv" "$date,$username"
    }

    # move the input file to completed and rename it to today's date
    Move-Item $inputcsv -Destination $completeddir
    $todaydate = $date.replace("/","_")
    $newfilename = $todaydate + ".csv"
    Rename-Item "C:\removeADAttributes\completed\termed_employees.csv" -NewName $newfilename
} else {
    $date = Get-Date -format d
    Add-Content "C:\removeADAttributes\removeADAttributes_log.csv" "$date,no term user,no term user"
    exit
}
---------- SCRIPT ENDS HERE------------
Hope this script will be useful for you