Majority of the system administrators I’ve met forget this very important rule. When an account is not needed remove its membership from the security/ distribution groups, otherwise you get disabled account showing up in groups, and that looks ugly.
You will need Quest ActiveRoles for Powershell installed to get this working.
Depending on the size of your organization you may need to increase the limit of results to 3000 or more. Default is 1000
|
1 |
Set-QADPSSnapinSettings -DefaultSizeLimit 3000 |
Next, create a list of accounts that you will be modifying so we know what we will be removing.
|
1 |
Get-QADUser -disabled | Out-File C:\_Scripts\disabled_user_stripped_groups.txt |
Once you have the list saved. Execute the following:
|
1 2 3 4 5 6 7 8 |
$dUsers = Get-QADUser -disabled; foreach ($user in $dUsers ) { foreach( $grp in (Get-QADMemberOf $user )) { Remove-QADGroupMember $grp $user; } } |
Membership is stripped from groups, where the user account is disabled.