Remove a list of users from a list of groups

Hey everyone, 
I am new to the community and new to Active Roles. 
I have been able to create a couple of scripts for bulk adding/removing users and groups, but I am having issues creating a script that will remove a list of users (CSV) from a list of groups (CSV).

I am able to target one group at a time and call on a user list to crawl through it and remove them if they are in it; the drawback is that I have to do the list one group at a time. This is fine if I have only 3 or 4, but the maintenance is getting bigger and I'd have to target a lot of groups and a lot of users. I'd like to be able to scale this to look at a user attribute change and do this automatically via workflow in the future, e.g. user status changes to terminated, therefore remove from all these groups.

# Target group: update this to the group's object DN
$strGroupName = "CN=ROLE_SCJ_ONEDRIVE_UPLOAD-LIMIT-75,OU=Groups,OU=GlobalApps,DC=global,DC=scj,DC=loc"
#
Import-Module ActiveRolesManagementShell
# Connect through the Active Roles Administration Service (-Proxy) rather than straight to a DC
Connect-QADService -Service usracipn146 -Proxy
# One sAMAccountName per line
$list = Get-Content H:\ScriptLibrary\RemoveUsers.csv
Foreach ($user in $list)
{
    Remove-QADGroupMember -Identity $strGroupName -Member $user
}

What I need to do is remove the list of users from a list of groups. 

I thought it would be as simple as this: 

$list2 = Get-Content H:\ScriptLibrary\GroupsTest.csv
$list = Get-content H:\ScriptLibrary\RemoveUsersTest.csv
Foreach($qadgroup in $list2)
{Foreach($user in $list)
{remove-qadgroupmember -identity $qadgroup -member $user}}

What occurs with the above: it outputs the user information, takes no action on the group, and loops. I've tried changing $qadgroup to $qadobject and so on, and tried updating the list to contain the group DN.
I am able to bulk delete groups (ROLES) from a list without changing the group name to a DN, so I don't quite understand why, in this list of groups, I don't have to change anything in the group name for it to be identified and deleted from the directory:

$files = Get-Content -Path H:\ScriptLibrary\deletegroup.csv
ForEach ($file in $files) {Remove-QADObject global\$file -Force}


What I have in the lists are sAMAccountNames for the users and group names for the groups.

  • Read up on Deprovisioning Policies.  

    Within them, there is a built-in rule where you can specify the groups to remove a user from when a Deprovision action takes place.

    My sense is that you could leverage a revised version of your bulk-actions script to trigger deprovisioning of the users, and then the deprovisioning policy linked to the OU where the users reside will take care of the membership removal (and whatever other things you would like to do).

    Here's a snippet to trigger the deprovisioning...

    Foreach($user in $list)
    {
        Deprovision-QADUser -Identity $user
    }

  • Hey JonnyQuest! Thank you!

    I think that would work if the user has left the org, but if the user is still here with us and I have to bulk remove from groups as part of clean-ups, let's say.
    I may not always want to deprovision a user, but that helps me with creating a termination workflow. But... I don't want to remove everything from them.
    Only a specific set of groups.

  • Couple of points:

    1) The group removal rule in a provisioning policy is NOT "all or nothing" - you can specify which groups to remove the user from
    2) Question:  Does the list of groups change all the time or, do you have one or more standard lists of groups that you remove users from?

    I have a couple of ideas but the answer to 2) can guide us on the implementation approach -


  • Hey JonnyQuest, 
    Thanks again for taking the time to look at this for me. 
    1. Got it and I explored that option and have a plan to implement this with my engineers. 
    2. The groups should not change but could for point 1. So one place to maintain the objects is preferred. 

    This will be used not just for type-cast "terminated users" I would like to have this for user admins to perform clean ups of groups if the business presents us with this question: I need this list of users removed from this list of groups. 

    To help with what I was thinking, here is what I thought it would look like, but it doesn't work: 

    $List2 = Get-Content H:\ScriptLibrary\GroupsTest.csv
    $list = Get-content H:\ScriptLibrary\RemoveUsersTest.csv
    Foreach($QADObject in $list2)
    {

    Foreach($user in $list)
    {Remove-QADGroupMember -identity $QADObject -member $user}

    }

  • How does the "not working" manifest itself - e.g. is there an error message? 

    What do the internals of those ".csv" files look like - is there only a single column or are there multiple columns?

    And back to my point 1): You can create as many deprovisioning policies as you want and link them to different OUs, so for example if you have an Employees OU and a Contractors OU, you can specify different policies for each to handle different group removal use cases (other behaviour differences too).

  • Hey JonnyQuest, 

    Each list has one column. 

  • Also, can you elaborate a bit on the "cleanups of groups" - what drives these cleanups?  For example,  do you have some business rules that determine when a person should be added or removed from a particular group?  Maybe some groups have time limited memberships?  On that last point, Active Roles also supports the notion of "temporal" (temporary) group memberships so the removal of a user can be scheduled.

  • Each list has one column

    OK, and what about my question on the nature of the "not working"?

  • Hello, 

    So... by "not working" I mean the console output gives me back the users in the users CSV but does not remove them from the groups in the groups list, and then loops that output. I keep getting the user information from the 3 users I put in there to test.

    Clean-up of groups: I know about temporal settings and use them often to both add and remove people from the groups we manage. But that is not always known. The business has come to us and said, "I need any users in this list removed from this list of groups", and user admins do this manually or by script one group at a time, regardless of account type (C or E) or OU.

    I will be handed a list of users by some identity attribute (samaccountname, UPN or email) and a list of groups to remove them from. 


  • Thanks for the info on the business requirements / use case.

    Maybe try this for your loops:

    # Inner loop only; $QADObject comes from your outer loop over the group list
    Foreach($user in $list)
    {
        Try
        {
            # The use of $Result below suppresses superfluous messages
            $Result = Remove-QADGroupMember -ErrorAction Stop -Identity $QADObject -Member $user
        }
        Catch
        {
            Write-Host $("OS reported error: " + $Error[0])
        }
    }


  • Thanks. 
    Suppressing the output will come in handy, but it won't do anything to remove the users from the group or groups I have listed in that CSV.

  • No it won't BUT my intent was more to see if the Remove-QADGroupMember itself is throwing an error.  I gather you are not seeing any "OS reported Error" outputs?

    Perhaps try:

    1) Adding Import-Module ActiveDirectory at the top of your script
    2) Swapping in Remove-ADGroupMember instead of using the Quest cmdlet?  You can still use -Identity and -ErrorAction but -Member becomes -Members
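
Added worked example (not code from any reply in this thread): the two-list removal written against the ActiveDirectory module as the last reply suggests, with Remove-ADGroupMember -Members instead of the Quest cmdlet. It assumes both files are single-column with no header (as stated above), that a user line may be a sAMAccountName, UPN or mail address (the three identifiers mentioned above), and that a group line is the group's sAMAccountName. The paths, the log file and the function names Resolve-TargetUser / Write-Log are placeholders chosen for this example. Both lists are resolved before anything is changed, users who are not direct members are skipped rather than erroring, every removal is logged, and the script honours -WhatIf so the removal list can be reviewed before it runs for real.

```powershell
#Requires -Modules ActiveDirectory
# Added example: remove every user in one list from every group in another list.
# Uses the ActiveDirectory module (Remove-ADGroupMember -Members). Paths, the log
# file and the helper names are placeholders; the original post does not name them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserListPath  = 'H:\ScriptLibrary\RemoveUsersTest.csv',   # one user per line
    [string]$GroupListPath = 'H:\ScriptLibrary\GroupsTest.csv',        # one group per line
    [string]$LogPath       = 'H:\ScriptLibrary\RemoveUsers.log'        # audit trail (assumed path)
)
Import-Module ActiveDirectory

function Write-Log([string]$Message) {
    $line = "{0} {1}" -f (Get-Date -Format s), $Message
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

function Resolve-TargetUser([string]$Id) {
    # The list may hold a sAMAccountName, a UPN or a mail address; all three are tried.
    # A quote or wildcard in the value would alter the filter, so refuse it outright.
    if ($Id -match "['\*]") { throw "refusing to search for '$Id': invalid character in identifier" }
    $filter = "sAMAccountName -eq '$Id' -or userPrincipalName -eq '$Id' -or mail -eq '$Id'"
    $found  = @(Get-ADUser -Filter $filter)
    if ($found.Count -ne 1) { throw "expected exactly one user for '$Id', found $($found.Count)" }
    return $found[0]
}

# Resolve every user and group first so a typo in either list aborts before any change.
$users = @{}
foreach ($id in (Get-Content $UserListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    $users[$id] = Resolve-TargetUser $id
}
$groups = @{}
foreach ($name in (Get-Content $GroupListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    # -Identity accepts a sAMAccountName, DN, SID or GUID; a bare display name is not resolved.
    $groups[$name] = Get-ADGroup -Identity $name -Properties member -ErrorAction Stop
}

foreach ($gName in $groups.Keys) {
    $group = $groups[$gName]
    foreach ($uId in $users.Keys) {
        $user = $users[$uId]
        # 'member' holds direct members only; nested membership is not touched here.
        if ($group.member -notcontains $user.DistinguishedName) {
            Write-Log "SKIP  $uId is not a direct member of $gName"
            continue
        }
        # -WhatIf / -Confirm on the script flow through ShouldProcess; the cmdlet's own
        # confirmation prompt is suppressed so the script, not each call, decides.
        if ($PSCmdlet.ShouldProcess($gName, "Remove member $uId")) {
            try {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
                Write-Log "OK    removed $uId from $gName"
            }
            catch {
                Write-Log "ERROR $uId / $gName : $_"
            }
        }
    }
}
```

Run it once with -WhatIf to get the SKIP/"Remove member" list for review, then again without. The same structure carries over to the Quest cmdlets used earlier in the thread (Get-QADGroup / Remove-QADGroupMember -Member in place of Get-ADGroup / Remove-ADGroupMember -Members); what matters is resolving both lists up front and keeping a log of what was actually removed, since a bulk membership change is hard to undo without one.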