Hi

 

I have recently disabled and moved a bunch of users and now I have to remove them from the groups they are members of (except for a default group).

I have attempted to do this using set-qaduser but I get the the following error:

 

Set-QADUser : A parameter cannot be found that matches parameter name 'memberof'.
At line:1 char:34
+ set-qaduser "Test User" -memberof  <<<< "users, Domain Users"

 

At the moment I am testing the process with the following command;

 

Set-QADUser "Test User" -includeproperties memberof  "Users, Domain Users"

 

But I plan to take the list of users and put hem into a variable and then run ammend the group membership on each one.

$users = (c:\users.txt)

foreach ($user in $users) { Set-QADUser "$user" -includeproperties memberof  "Users, Domain Users" " }

 

Does anyone have any ideas if what I am trying to do is the right way about it?

Many thanks

 

Lee

Try with Remove-QADGroupMember


foreach($user in (gc c:\users.txt)){
(Get-QADUser $user).memberOf | Get-QADGroup | where {$_.name -notmatch '^users|domain users$'} | Remove-QADGroupMember -member $user
}

That's a different way of looking at it and works perfectly Shay, Thank you.

do you know if it it possible to set boolean values using set-qaduser?

I'm now trying to change the values to hide users from the address book.

The command I have tried is: set-qaduser "*bilson*" -IncludedProperties msExchHideFromAddressLists TRUE

I have tried many variations but I cannot get the syntax quite right, and google is not turning up much.

Is it possible to change a vaue with such a simple command?

Shay

Further to my last post, I have read a post you made to the PowerGui site regarding using the set-mailbox cmdlet. I don't have such a cmdlet and I run Exchange2003 so i'm not sure if that would work.

just a thought.

Lee

Further to my last post I have managed to solve the issue (with the help of Dmitry’s PowerBlog)

The command I needed was:

Set-QADUser "Test User" -oa @{'msExchHideFromAddressLists'=$True}

Thanks for the help you gave me earlier though.

Glad you could resolve it :-)

The set-mailbox cmdlet is a part of exchange 2007 cmdlets. If you don't have Exchange 2007 then you can't use it.

 

 

Shay, can you provide a powershell cmdlet that will capture group membership for $user before running this cmdlet and export to csv file? I need this for HR compliance.

You can capture group membership for a user with (Get-QADUser $user).memberOf, write it to a variable and then remove membership.

This is exactly what I was looking for. I'm glad to see this post.

I do have one prerequisite though. I would like to look for users that have been disabled for a period of time (say 3 months) and export them to the c:\users.txt file. I then want to remove group memberships for these users as I see above. I'm not quite sure how to approach finding the length of time a user has been disabled though. Any suggestions?

There is no attribute that I know of which tells you how long the object is in disbale mode so I'm not sure how to tackle it.

How about using last logon? I know you previously posted this command
Get-QADUser | Select lastname, lastlogon | sort {$_.lastlogon.value.ticks}
to sort by last logon. Can we use this with a time frame? In other words where last logon is greater than 3 months?

It's not the safest thing to do since lastlogon date doesn't neccessaly means it was disabled at that time.