我正在尝试在我们的 Active Directory 中收集所有禁用的用户,并尝试从他们的所有组中删除禁用的用户。主要用于清理目的。我有点卡在我的剧本上。我不知道该放什么之后Remove-ADPrincipalGroupMembership:
$disabled_users = Get-AdUser -SearchBase "Ou=Users, Ou=test, DC=testdomain, DC=io" -Filter
"enabled -eq 'false'"
foreach($person in $disabled_users) {
Get-ADPrincipalGroupMembership $person | Remove-ADPrincipalGroupMembership #stuckhere
}
改为使用添加另一个选项Remove-ADGroupMember:
Get-ADPrincipalGroupMembership $person | Remove-ADGroupMember -Members $person
Remove-ADGroupMember将distinguishedNames用户的成员身份作为管道值,因此您只需指定要删除的组的成员。
Get-ADPrincipalGroupMembership只返回组,导致Remove-ADPrincipalGroupMembership自动填充-Identity组名。您必须在-Identity.
由于第一个问题,Remove-ADPrincipalGroupMembership不接受来自管道的多个组。它应该正常,但[ADGroup]返回的对象Get-ADPrincipalGroupMembership似乎绊倒了它。要修复,请使用ForEach循环,或使用两步过程:
# two steps:
$groups = Get-ADPrincipalGroupMembership $person
Remove-ADPrincipalGroupMembership -Identity $person -MemberOf $groups -WhatIf
# OR foreach loop:
Get-ADPrincipalGroupMembership $person |
Foreach {
Remove-ADPrincipalGroupMembership -Identity $person -MemberOf $_
}
请注意,您无法删除 AD 用户的主要组(通常是“域用户”),因此您可能需要添加过滤器:
$groups = Get-ADPrincipalGroupMembership $person |
Where Name -notlike 'Domain Users'
Remove-ADPrincipalGroupMembership -Identity $person -MemberOf $groups