Добавить 'clean-adgroups.ps1'

2020-09-24 10:26:52 +00:00 · 2020-09-24 10:26:52 +00:00 · 24529586df
commit 24529586df
parent a5fee91ca1
1 changed files with 31 additions and 0 deletions
--- a/clean-adgroups.ps1
+++ b/clean-adgroups.ps1
@ -0,0 +1,31 @@
+$OUs = 'OU=Temp,DC=example,DC=com'
+$primaryGroup = 'Временные пользователи'
+
+$users = $OUs | % {Get-ADUser -Filter {Enabled -eq $FALSE} -SearchBase $PSItem}
+
+function Set-primary-group ($userName, $groupName) {
+    # Add the user to the new group, just in case
+    try {
+        Add-ADGroupMember -Identity $groupName -Members $userName
+    }
+    catch {}
+
+    $groupToken = (Get-ADGroup $groupName -Properties primaryGroupToken).primaryGroupToken
+    Set-ADUser -Identity $userName -Replace @{primaryGroupID=$groupToken}
+}
+
+foreach ($user in $users) {
+#    if ($user.SamAccountName -like "*_*adm*") { Continue }
+
+    $Groups = Get-ADPrincipalGroupMembership -Identity $user #| ? {$_.GroupCategory -eq "Security"}
+#    if (($Groups |measure ).count -eq "1") { Continue }
+
+    Set-primary-group $user.SamAccountName $primaryGroup
+    
+    foreach ($group in $groups) {
+        if ($group.Name -like $primaryGroup) { Continue } 
+        Write-Host "Removing $user from $group.Name" -ForegroundColor Red
+        Remove-ADGroupMember -Identity $group.distinguishedName -Member $user -Confirm:$FALSE -Server $(Get-ADGroup $group -Properties CanonicalName).CanonicalName.Split('/')[0]
+        #Set-ADObject -Identity $group.DistinguishedName -Remove @{member="$($user.DistinguishedName)"} -Server $(Get-ADGroup $group -Properties CanonicalName).CanonicalName.Split('/')[0]
+    }
+}