脚本应删除其所有Groupmemberchips的ADUser(包括forestdomain和其他子域中的成员身份),停用它并将其移动到另一个OU中。
环境:
forest-domain: forest.com
child-domains: child1.forest.com
child2.forest.com
child3.forest.com
脚本在child1.forest.com
中运行到目前为止这是脚本:
$username="testuser"
$groups=Get-ADPrincipalGroupMembership -Identity $username | where {$_.name -notlike "Domain Users"}
$getuser=Get-ADUser -Identity $username | select DistinguishedName
$userpath=$getuser.DistinguishedName
foreach ($group in $groups) {
Remove-ADGroupMember -Identity $group -member $username -Confirm:$false
}
Disable-ADAccount -Identity $username
Move-ADObject "$userpath" -TargetPath "OU=Deaktivierte Benutzer,DC=child1,DC=forest,DC=com"
实际上它成功删除了child1.forest.com的所有group-member芯片,但没有删除forest.com或child2.forest.com
此代码正常运行:
$User=Get-ADUser "testuser" -server "child1.forest.com"
$Group=Get-ADGroup "SomeGroup" -server "forest.com"
Remove-ADGroupMember $Group -Members $user -server "forest.com" -Confirm:$false
我尝试合并这些脚本片段但尚未成功。 我有一个想法...读取OU的域并将其传递到循环中,但我没有让它以我能够使用它的方式读取OU。
有人可以帮忙吗?
答案 0 :(得分:0)
找到了一个解决方案,我查询该组是否存在于服务器中:
$found=0
$servers=@("forest.com","child1.forest.com","child2.forest.com","child3.forest.com")
$username="testuser"
$user=Get-ADUser -Identity $username
$groups=Get-ADPrincipalGroupMembership -Identity $user | where {$_.name -notlike "Domain Users"}
foreach ($group in $groups) {
foreach ($server in $servers) {
$groupname=$group.name
$groupserver=Get-ADGroup $groupname -server $server
if($groupserver)
{
$group=Get-ADGroup $groupname -server $server
Remove-ADGroupMember $Group -Members $user -Confirm:$false -ErrorAction SilentlyContinue
$found=1
}
if ($found -eq 1){break}
}
}