PowerShell Remove Disabled Users From All Groups

As a follow up to my PowerShell Update Accounts from Multiple Domains post I needed to find a way to remove the student accounts which were in a non-active status from all security/distribution groups.  Each student may be in groups from multiple domains as well as the resource domain so each had to be addressed.  To do this I created a function to handle locating the group and using a switch statement to assign the domain controller to use for that particular group.

Let’s walk through it starting with the function:

Function GetGroup


Since the function is called during the meat and potatoes of the script for each domain, it will be passed data and therefore build an array of groups each user is a member of

$userGrps = $other.memberOf

Then for each group in that array, the global catalog is queried to pull the distinguishedName for each

foreach($grp in $userGrps)


$UADGroup = Get-ADGroup -Identity $grp -Server servername.dc.dc:3268 -Properties distinguishedName

$UADGroup | ForEach-Object -Process {

$DNGroup = $UADGroup.distinguishedName

} #end foreach-object

A switch statement using a wildcard is used to assign a domain controller for the domain each group belongs

switch -Wildcard ($DNGroup)


“*,OU=Groups,DC=XX,DC=XX” {$server = “servername.xx.xx”}

“*,DC=Child1,DC=XX,DC=XX” {$server = “servername.child1.xx.xx”}

“*,DC=Child2,DC=XX,DC=XX” {$server = “servername.child2.xx.xx”}

} #end switch

Then using each group with a usable domain controller, the remove-adgroupmember is used to remove the users in the $other array based on their group memberships in the $grp array.  If it is unable to remove the user it will print to the console the user’s DN and group to be removed from and the server that was attempted to troubleshooting.



$grp | Remove-ADGroupMember -Members $other -Server $server -Confirm:$false

} #end try



Write-Host “Cannot remove $other from $UADGroup on $server”

} #end catch


Since this function will be called multiple times, we clean up the variables

$userGrps = $null

$DNGroup = $null

$UADGroup = $null

} #end Function

Now we will query Active Directory for any account in each domain using the ‘Title’ attribute.  You can use any filter to pull a certain subset of accounts but this is what was required for me.  We will also call the function, disable the account and move it to a specific organization unit.


$otherUsers = get-aduser -filter {((Title -eq “Drop”) -or (Title -eq “Cancel”) -or (Title -eq “Back Out”) -or (Title -eq “Suspension”)  -or (Title -eq “Leave of Absence”))} -Properties * -server Child1.XX.XX.XX -SearchBase “OU=Students,DC=XX,DC=XX,DC=XX”

foreach ($other in $otherUsers)



disable-adaccount -identity $other

move-adobject -identity $other -targetpath “OU=DisabledUsers,DC=,DC=XX,DC=XX”


write-host “Resetting otherUsers”

$otherUsers = $null

Repeat that block of code for each domain in the forest starting at #begin

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s