hoping to get a little help here – I looked around the site but didn’t see anything quite like this (please direct me if there IS and I missed it).

I need to incorporate a new step in our user offboarding process, which would remove them from any AD Distribution Lists. I would like to set this up as a scheduled task to run once a night against two OU’s where the inactivated user accounts can be found.

I’d like to run this by pointing it at the USERS instead of the OU where the Distro Lists live, because I suspect that we’ll ultimately get the request to remove these users from OTHER types of group as well.

This snippet will remove AD Distro Lists from a single user, but leave all other types of AD groups alone:

#  GroupCategory 0 = Distro List
#  GroupCategory 1 = Security Group

#  GroupScope 0 = DomainLocal
#  GroupScope 1 = Global
#  GroupScope 2 = Universal 

$user = "userlogon"
Get-ADPrincipalGroupMembership -Identity $user|
Where {$_.GroupCategory -eq 0} |
ForEach {Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false} 

THIS snippet will look at an OU and return some info (just my example for using a variable with -searchbase):

$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'


$OU | ForEach {Get-ADGroup -Filter * -Properties ManagedBy -SearchBase $_ } |
 Select Name, ManagedBy |
 Sort -Property Name
 Out-GridView 

BUT – Does it hold together that in order to complete my objective, I would do something like this?! I'm a bit out of my depth here, any advice for a re-write is appreciated:

$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
 $user = "*"

$OUs | ForEach {
        Get-ADPrincipalGroupMembership -Identity $user|
        Where {$_.GroupCategory -eq 0} |
        ForEach {Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false}
              } 

There’s always a couple of ways to do stuff in PoSh, so I’m sure there’s a less-complicated way to do the same thing. If anyone has a different approach please feel free to suggest an alternative.

Thanks for taking a look!

So it sounds like you need three loops.

First, you will need to loop over the OU list to get the Users. We'll store the user objects in $Users

$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
    Get-ADUser -Filter * -SearchBase $OU 
}

Next loop over the users to get the groups that you want to remove. Then loop over the groups to remove each one.

ForEach ($User in $Users) {
    Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object {$_.GroupCategory -eq 0} |
    ForEach-Object {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
    }
} 

I think I'd take this a little differently, by getting the group membership of all users, then grouping by AD group, and processing each group that way. Seems like it would be a lot fewer calls to AD. So I'd start out getting all of the users, just like BenH, except I would include their MemberOf property. Then I'd build a list of potential groups and filter down to just the Distribution Lists. I'd make a Hashtable of those as the keys, and make the value an array of each user that is in that group. Then loop through that removing the value of each from the associated key.

$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
    Get-ADUser -Filter * -SearchBase $OU -Properties MemberOf
}
$UsersByGroup = @{}
ForEach($Group in ($Users.MemberOf | Select -Unique | Get-ADGroup | Where{ $_.GroupCategory -eq 0 })) {
    $UsersByGroup.Add($Group.DistinguishedName,($Users | Where{ $Group.DistinguishedName -in $_.MemberOf}))
}
$UsersByGroup.Keys | ForEach{
    Remove-ADGroupMember -Identity $_ -Members $UsersByGroup[$_] -Confirm:$false
}