powershell删除其他子域的aduser groupmemberchip
powershell delete aduser groupmemberchip of other childdomain
脚本应删除其所有 Groupmemberchips 的 ADUser(包括 forestdomain 和其他子域中的成员资格),将其停用并将其移至另一个 OU。
环境:
forest-domain: forest.com
child-domains: child1.forest.com
child2.forest.com
child3.forest.com
脚本是 运行 child1.forest.com
这是目前的脚本:
$username="testuser"
$groups=Get-ADPrincipalGroupMembership -Identity $username | where {$_.name -notlike "Domain Users"}
$getuser=Get-ADUser -Identity $username | select DistinguishedName
$userpath=$getuser.DistinguishedName
foreach ($group in $groups) {
Remove-ADGroupMember -Identity $group -member $username -Confirm:$false
}
Disable-ADAccount -Identity $username
Move-ADObject "$userpath" -TargetPath "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"
实际上它成功删除了 child1.forest.com 的所有组成员芯片,但没有删除 forest.com 或 child2.forest.com
此代码运行正常:
$User=Get-ADUser "testuser" -server "child1.forest.com"
$Group=Get-ADGroup "SomeGroup" -server "forest.com"
Remove-ADGroupMember $Group -Members $user -server "forest.com" -Confirm:$false
我尝试合并这些脚本片段但尚未成功。
我有一个想法...读取 OU 的域并将其传递到循环中,但我无法以我可以使用它的方式读取 OU。
有人可以帮忙吗?
找到解决方案,我查询服务器中是否存在群:
$found=0
$servers=@("forest.com","child1.forest.com","child2.forest.com","child3.forest.com")
$username="testuser"
$user=Get-ADUser -Identity $username
$groups=Get-ADPrincipalGroupMembership -Identity $user | where {$_.name -notlike "Domain Users"}
foreach ($group in $groups) {
foreach ($server in $servers) {
$groupname=$group.name
$groupserver=Get-ADGroup $groupname -server $server
if($groupserver)
{
$group=Get-ADGroup $groupname -server $server
Remove-ADGroupMember $Group -Members $user -Confirm:$false -ErrorAction SilentlyContinue
$found=1
}
if ($found -eq 1){break}
}
}
脚本应删除其所有 Groupmemberchips 的 ADUser(包括 forestdomain 和其他子域中的成员资格),将其停用并将其移至另一个 OU。
环境:
forest-domain: forest.com
child-domains: child1.forest.com
child2.forest.com
child3.forest.com
脚本是 运行 child1.forest.com
这是目前的脚本:
$username="testuser"
$groups=Get-ADPrincipalGroupMembership -Identity $username | where {$_.name -notlike "Domain Users"}
$getuser=Get-ADUser -Identity $username | select DistinguishedName
$userpath=$getuser.DistinguishedName
foreach ($group in $groups) {
Remove-ADGroupMember -Identity $group -member $username -Confirm:$false
}
Disable-ADAccount -Identity $username
Move-ADObject "$userpath" -TargetPath "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"
实际上它成功删除了 child1.forest.com 的所有组成员芯片,但没有删除 forest.com 或 child2.forest.com
此代码运行正常:
$User=Get-ADUser "testuser" -server "child1.forest.com"
$Group=Get-ADGroup "SomeGroup" -server "forest.com"
Remove-ADGroupMember $Group -Members $user -server "forest.com" -Confirm:$false
我尝试合并这些脚本片段但尚未成功。 我有一个想法...读取 OU 的域并将其传递到循环中,但我无法以我可以使用它的方式读取 OU。
有人可以帮忙吗?
找到解决方案,我查询服务器中是否存在群:
$found=0
$servers=@("forest.com","child1.forest.com","child2.forest.com","child3.forest.com")
$username="testuser"
$user=Get-ADUser -Identity $username
$groups=Get-ADPrincipalGroupMembership -Identity $user | where {$_.name -notlike "Domain Users"}
foreach ($group in $groups) {
foreach ($server in $servers) {
$groupname=$group.name
$groupserver=Get-ADGroup $groupname -server $server
if($groupserver)
{
$group=Get-ADGroup $groupname -server $server
Remove-ADGroupMember $Group -Members $user -Confirm:$false -ErrorAction SilentlyContinue
$found=1
}
if ($found -eq 1){break}
}
}