Removing AD Group Membership (PowerShell) - windows

I have a script for people who leave my organization. It basically creates a user backup folder and file before changing the password, removing the manager, backing up all group memberships, removing all group memberships, disabling the account and moving it to a different OU.
The part that I seem to be stuck on is the membership removals. This is what I have for that task:
Get-ADPrincipalGroupMembership -Identity "$Username" | % {Remove-ADPrincipalGroupMembership -Identity "$Username" -MemberOf $_}
This DOES work, but I am prompted to confirm Yes or No for each group. When I add:
-confirm $false
at the end, none of the groups are removed. How can I get it to not ask for confirmation while still removing the groups?
Thank you!

This worked for me:
Get-ADPrincipalGroupMembership -Identity "$Username" | % {Remove-ADPrincipalGroupMembership -Identity "$Username" -MemberOf $_ -Confirm:$False}
No prompts and all of the removals worked just fine.
I wonder if there is a way to suppress the error message thrown up with respect to the user's Primary Group -- DomainMembers, in our case. I'm perfectly happy with the result (the command won't remove the user from his primary group, while the user is removed from all others), but the error message just looks ugly.
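The following is an added example, not code from the question or the answer above. It wraps the same Remove-ADPrincipalGroupMembership call in a function that first exports the membership list (the "backup" step the question mentions), uses the switch form -Confirm:$false (writing "-confirm $false" leaves confirmation on and passes $false as a stray positional argument, which is why nothing was removed), and skips the primary group so the ugly error never appears. The function name, parameter names, and the backup path are assumptions; it assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): remove a leaver from every AD group except the
# primary group, without per-group prompts, after exporting the membership list.
# Assumes the ActiveDirectory module; $Username and $BackupFolder are supplied by the caller.
#Requires -Modules ActiveDirectory

function Remove-LeaverGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$BackupFolder
    )

    # PrimaryGroup is an extended property holding the DN of the user's primary group.
    $user   = Get-ADUser -Identity $Username -Properties PrimaryGroup, MemberOf
    $groups = Get-ADPrincipalGroupMembership -Identity $user

    # Keep a record of what the user belonged to before anything is removed.
    $backupFile = Join-Path $BackupFolder "$Username-groups.csv"
    $groups | Select-Object Name, DistinguishedName, GroupCategory |
        Export-Csv -Path $backupFile -NoTypeInformation

    foreach ($group in $groups) {
        # The primary group cannot be removed while it is primary; skipping it avoids the error.
        if ($group.DistinguishedName -eq $user.PrimaryGroup) {
            Write-Verbose "Skipping primary group $($group.Name)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($Username, "Remove from $($group.Name)")) {
            # -Confirm is a switch: '-Confirm:$false' disables the prompt,
            # whereas '-confirm $false' keeps the prompt and adds a stray positional argument.
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -Confirm:$false -ErrorAction Stop
        }
    }

    # Return what is left so the caller can verify only the primary group remains.
    Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
}

# Usage: review with -WhatIf first, then run for real.
# Remove-LeaverGroupMembership -Username 'jdoe' -BackupFolder 'C:\Leavers' -WhatIf
# Remove-LeaverGroupMembership -Username 'jdoe' -BackupFolder 'C:\Leavers' -Verbose
```

Because the function declares SupportsShouldProcess, -WhatIf on the function lists every group that would be touched without changing anything, which is the check worth running before an offboarding script is pointed at a real account.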

Related

Trying to back up my Bitlocker Key to ADDS Through Script

I'm trying to automate the process of storing BitLocker keys in AD DS.
I want to be able to run the following script at logon in order to do that, as the OS is deployed through WDS, which already encrypts the drive:
$BitVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryKey = $BitVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorID
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorID
I always get access denied, as this has to run as admin...
Is there any command I can use prior to the code to run it as admin?
I've googled but I found no useful info on how to actually do this...
As for the access denied part... as was already stated, you need to start your PowerShell session as an admin. However, as a point of note about your code, you are only targeting the system/OS volume... which may not be the only volume that's encrypted. If you want to programmatically back up all of the encrypted volumes, may I suggest one of the two following options...
One-liner:
Get-BitLockerVolume | where {$_.VolumeStatus -like "FullyEncrypted"} | foreach {foreach($Key in $_.KeyProtector){if($Key.KeyProtectorType -eq "RecoveryPassword"){Backup-BitLockerKeyProtector -MountPoint $_.MountPoint -KeyProtectorId $Key.KeyProtectorId}}}
Or, if you prefer something a little bit easier to read...
Script Block:
foreach ($BLV in Get-BitLockerVolume) {
    if ($BLV.VolumeStatus -like "FullyEncrypted") {
        foreach ($Key in $BLV.KeyProtector) {
            # Compare the KeyProtectorType property; comparing the protector object itself never matches
            if ($Key.KeyProtectorType -eq "RecoveryPassword") {
                Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $Key.KeyProtectorId
            }#if
        }#foreach
    }#if
}#foreach
Neither is super eloquent... but, with this method it will grab all of the encrypted volumes on the system and add them to AD. You would need to modify the code slightly to add the AAD backup option you cited of course.
P.S. I'm only responding because I recently had to solve this problem of multi-volume backups as a one-liner solution and figured I would share it since your post was a top search result when I looked for a pre-canned solution. Cheers! :)
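As an added example (not the answer's code and not part of the original thread), the script below combines the two points made above: it refuses to run unless the session is elevated, then backs up the recovery password of every fully encrypted volume to AD DS, optionally to Azure AD as well, and returns a per-protector status object instead of silently failing. The function names and the -IncludeAzureAD switch are assumptions; it assumes the BitLocker module on a domain-joined machine whose policy permits AD DS backup. Note that a logon script runs in the user's context, so a per-user logon script will not be elevated; a computer startup script or a scheduled task running as SYSTEM is the usual place for this kind of job.

```powershell
# Added example (not from the original answer): elevation check plus multi-volume recovery
# password backup to AD DS (and optionally Azure AD). Assumes the BitLocker module.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Backup-AllRecoveryPasswords {
    [CmdletBinding()]
    param(
        [switch]$IncludeAzureAD   # assumed switch: also call BackupToAAD-BitLockerKeyProtector
    )
    if (-not (Test-IsElevated)) {
        throw 'Backup-BitLockerKeyProtector needs an elevated session: start PowerShell with "Run as administrator" or run this from a startup script / scheduled task as SYSTEM.'
    }

    $results = foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { continue }
        # Select by the KeyProtectorType property; a volume may carry more than one recovery password.
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                if ($IncludeAzureAD) {
                    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                }
                [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId; Status = 'BackedUp' }
            } catch {
                # Report the failure for this protector and carry on with the remaining volumes.
                [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId; Status = "Failed: $($_.Exception.Message)" }
            }
        }
    }
    return $results
}

# Usage (elevated session):
# Backup-AllRecoveryPasswords -IncludeAzureAD | Format-Table -AutoSize
```

The returned objects are what you would log or feed into a compliance check: a volume that is FullyEncrypted but shows no BackedUp row has a recovery password that nobody can retrieve from the directory.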

Powershell script assistance please [duplicate]

This question already has an answer here:
Add a where-object on a table construct?
(1 answer)
Closed 3 years ago.
I'm currently stuck getting a PowerShell error when trying to run a script I have written (read: stolen from the internet).
What I am trying to achieve is to search for a specific user's e-mail address within one of the multiple O365 distribution groups and then remove that user from the group if the group is one that meets the criteria.
The groups are all prefixed with the text "EX_SIG" and I am able to identify the one group the user is a member of, but I'm struggling to then translate this into removing the user from the identified group.
I am a complete PowerShell newbie so any help would be appreciated.
Code:
$UAC_email = "sarah.connor#skynet.com"
$UAC_EX_GROUP = Get-DistributionGroup -identity "EX_SIG*" | where { (Get-DistributionGroupMember $_.name | foreach {$_.PrimarySmtpAddress}) -contains "$UAC_email"} | FT name -HideTableHeaders
Remove-DistributionGroupMember -Identity $UAC_EX_GROUP -Member "$UAC_email"
Error:
Cannot bind argument to parameter 'Identity' because it is null.
The FT (Format-Table) cmdlet is likely causing most of your problems. You shouldn't try to use output from formatting cmdlets except with out-* commands.
Format- cmdlets output "typesetting" objects which the host uses to format the display, not usable objects for the pipeline.
$UAC_email = "sarah.connor#skynet.com"
$UAC_EX_GROUP = Get-DistributionGroup -identity "EX_SIG*" | where { (Get-DistributionGroupMember $_.name | foreach {$_.PrimarySmtpAddress}) -contains "$UAC_email"}
Remove-DistributionGroupMember -Identity $UAC_EX_GROUP -Member "$UAC_email"
Try this as it is a lot cleaner than the code you posted but should accomplish your goal.
$UAC_email = "sarah.connor#skynet.com"
#Get list of distribution groups where identity matches "EX_SIG*" and the email address you're looking for is in the list of the group members' primary SMTP addresses
$UAC_EX_GROUPS = (Get-DistributionGroup -Identity "EX_SIG*") | Where-Object{(Get-DistributionGroupMember -Identity $_.Name).PrimarySmtpAddress -contains $UAC_email}
#Iterate over returned groups and remove the member from the group. I put a WHATIF in there so you can verify the output before just running it. You can also pipe this directly before the closing '}' in the previous command but it's less readable that way
#($_ is only defined inside a script block, so the removal goes through ForEach-Object)
$UAC_EX_GROUPS | ForEach-Object { Remove-DistributionGroupMember -Identity $_.Name -Member $UAC_email -WhatIf }
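As an added example (not code from either answer), here is the same task as a function that supports -WhatIf properly, matches on PrimarySmtpAddress only, passes the group object's Identity (never Format-Table output) to Remove-DistributionGroupMember, and returns the names of the groups it changed. The function and parameter names are assumptions, the address in the usage lines is a constructed sample value, and an Exchange Online session is assumed to be connected already.

```powershell
# Added example (not from the original thread): remove one member from every distribution
# group whose name starts with a prefix. Assumes a connected Exchange Online session.
function Remove-MemberFromPrefixedGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MemberSmtpAddress,
        [Parameter(Mandatory)][string]$GroupPrefix
    )

    # Wildcard on -Identity as in the question; -ResultSize Unlimited avoids the default 1000 cap.
    $candidates = Get-DistributionGroup -Identity "$GroupPrefix*" -ResultSize Unlimited

    $removed = @()
    foreach ($group in $candidates) {
        # Compare primary SMTP addresses as strings so an alias or display-name match cannot give a false hit.
        $memberAddresses = Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited |
            ForEach-Object { "$($_.PrimarySmtpAddress)" }
        if ($memberAddresses -notcontains $MemberSmtpAddress) { continue }

        if ($PSCmdlet.ShouldProcess($group.Name, "Remove member $MemberSmtpAddress")) {
            # Hand over the group object's Identity, not a formatted table row.
            Remove-DistributionGroupMember -Identity $group.Identity -Member $MemberSmtpAddress -Confirm:$false
            $removed += $group.Name
        }
    }
    return $removed
}

# Dry run first (lists the groups that would change), then the real removal:
# Remove-MemberFromPrefixedGroups -MemberSmtpAddress 'sarah.connor@example.com' -GroupPrefix 'EX_SIG' -WhatIf
# Remove-MemberFromPrefixedGroups -MemberSmtpAddress 'sarah.connor@example.com' -GroupPrefix 'EX_SIG'
```

Returning the changed group names (rather than printing them) lets the caller record the change alongside the ticket or offboarding request that triggered it.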

Adding bulk Msol Users to Msol Group

I am trying to add a bulk of users from a CSV file to a MsolGroup via PowerShell. I have only the username of the users. (User.name)
This is what I tried:
1. Read the CSV file with the userName and get the Msol user object from it:
$group | % {Get-MsolUser -UserPrincipalName $_.name}
2. Add these ObjectID's to the requested MsolGroup:
$group | % {Get-MsolUser -UserPrincipalName $_.name} | % {Add-MsolGroupMember -GroupObjectId 86bbcf6b-feb6-4fe3-a9db-eb1e0b81ed55 -GroupMemberObjectId $_.objectid}
This is the Error I get:
Add-MsolGroupMember : You cannot update mail-enabled groups using this cmdlet. Use Exchange Online to perform this operation.
Is there a better way to do it? What am I doing wrong?
As noted in the error message, this cmdlet will only work against "regular" security groups. For mail-enabled security groups, use the Exchange remote PowerShell and Add-DistributionGroupMember.
Refer to the documentation.
We could use:
$group | % {Get-MsolUser -UserPrincipalName $_.name} | % {Add-DistributionGroupMember -Identity "86bbcf6b-feb6-4fe3-a9db-eb1e0b81ed55" -Member $_.objectid}
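An added example, not code from the question or the answers above: a function that reads the CSV, looks up each user, and picks the cmdlet based on the group's GroupType (Add-MsolGroupMember for a plain Security group, Add-DistributionGroupMember for anything mail-enabled), reporting per-user results so one bad row does not abort the whole file. The function name, the CSV column name and the group id in the usage line are assumptions or placeholders; it assumes Connect-MsolService has been run and, for mail-enabled groups, that an Exchange Online session is connected.

```powershell
# Added example (not from the original thread): bulk-add users from a CSV to an MSOL group,
# choosing the right cmdlet by group type. Assumes MSOnline is connected; Exchange Online
# must also be connected when the group is mail-enabled.
function Add-CsvUsersToGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CsvPath,        # CSV with a 'name' column holding the UPN (assumed column name)
        [Parameter(Mandatory)][string]$GroupObjectId   # placeholder: the target group's ObjectId GUID
    )

    $group = Get-MsolGroup -ObjectId $GroupObjectId
    # Add-MsolGroupMember only works for plain security groups; DistributionList and
    # MailEnabledSecurity groups must be changed through Exchange Online.
    $useExchange = $group.GroupType -ne 'Security'

    $report = foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.name
        try {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
            if ($useExchange) {
                Add-DistributionGroupMember -Identity $group.EmailAddress -Member $user.UserPrincipalName -ErrorAction Stop
            } else {
                Add-MsolGroupMember -GroupObjectId $GroupObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction Stop
            }
            [pscustomobject]@{ User = $upn; Result = 'Added' }
        } catch {
            # A typo in one UPN or an existing membership should not stop the rest of the file.
            [pscustomobject]@{ User = $upn; Result = $_.Exception.Message }
        }
    }
    return $report
}

# Usage:
# Add-CsvUsersToGroup -CsvPath 'C:\temp\users.csv' -GroupObjectId '<group-object-id>' | Format-Table -AutoSize
```

Checking GroupType up front avoids the error in the question entirely, and the returned report is the list you would keep as evidence of who was added and which rows need a second look.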

Add a user to a domain group and set the user privileges to certain folder

I have a user in my workplace domain, I want to add him to a specific domain group then assign him some privileges on a specific folder.
I wonder how this can be done using the command line, or a more automated process than doing it step by step, as I do this quite often.
I'm using AD on Windows 10
Looks like dsmod group can be used but I don't know how.
If I have a user with username userh01 in domain mydom, how can I add him automatically to group mydomgroup1?
I've tried this command:
dsmod group "mydomgroup1" -addmbr "userh01"
but I get this error
dsmod failed:Value for 'Target object for this command' has incorrect format.
Any advice?
Maybe using PowerShell to add a member to a domain group is an alternative way.
Here below is the script, for example:
Add-ADGroupMember -Identity "GroupName" -Members "Username to add"
Add-ADGroupMember -Identity "mydomgroup1" -Members "userh01"
PS: you may need to import the Active Directory module. Before using Add-ADGroupMember, run this command at the beginning: 'Import-Module ActiveDirectory'
For different syntax and a detailed description of the Add-ADGroupMember parameters, follow this link:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617210(v=technet.10)

Server 2012 Powershell Check Members of a Group

I have users and groups in the Users folder of a Windows 2012 Server. I want to check if a user is a member of a group and if not, add to the group. To list the members of a group, I've tried everything including:
get-adgroupmember -identity "cs99group"
which produces the error
get-adgroupmember : Cannot find an object with identity: 'cs99group' under: ...
The following works perfectly
get-adgroupmember -identity "Administrators"
Of course the Administrators group is in the Builtin folder and cs99group is in the Users folder. What am I doing wrong?
Can you try with the parameter -recursive added?
Does the command Get-AdGroup work?
If so, try Get-AdGroup "cs99group" | get-adgroupmember
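The following added example (not code from either thread) serves both the dsmod question above and this one: it resolves the group with Get-ADGroup first, which works wherever the group sits (Users container, Builtin or an OU) and gives a clear error if the name is wrong, checks membership with Get-ADGroupMember -Recursive, adds the user only if missing, and then grants the folder rights to the group rather than to the individual user so the permission follows group membership. The function names are assumptions; the user, group and folder values are the sample names from the questions, and the domain is taken from the current machine's domain. For reference, dsmod group expects distinguished names for both the group and the member, which is why the plain names in the question produced the "incorrect format" error.

```powershell
# Added example (not from the original threads): ensure a user is in a domain group, adding
# them only if missing, then grant that group Modify rights on a folder.
# Assumes the ActiveDirectory module; names below are the questions' sample values.
#Requires -Modules ActiveDirectory

function Add-UserToGroupIfMissing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group
    )
    # Resolve the group object first; Get-ADGroupMember accepts the resolved object regardless
    # of which container or OU the group lives in.
    $groupObj = Get-ADGroup -Identity $Group
    $members  = Get-ADGroupMember -Identity $groupObj -Recursive
    if ($members.SamAccountName -contains $User) {
        Write-Verbose "$User is already a member of $Group"
        return $false
    }
    Add-ADGroupMember -Identity $groupObj -Members $User
    return $true
}

function Grant-GroupFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [string]$Domain = $env:USERDOMAIN   # assumption: the folder is in the same domain as the group
    )
    $acl  = Get-Acl -Path $Path
    # Inherit to subfolders and files so newly created content gets the same rights.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$Group",
        $Rights,
        'ContainerInherit, ObjectInherit',
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (values from the questions; the folder path is a placeholder):
# Add-UserToGroupIfMissing -User 'userh01' -Group 'mydomgroup1' -Verbose
# Grant-GroupFolderAccess -Group 'mydomgroup1' -Path 'D:\Shares\ProjectFolder'
```

Granting the ACL to the group once, and then managing access purely through group membership, keeps folder permissions reviewable and means removing the user from the group (for instance with the offboarding script earlier on this page) also removes the folder access.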
