Script to remove all group memberships broken in 2023

Question

Hi, we've been using this script for some time but after the upgrade to 2023 it's now erroring out as below:

As you can see I've done some logging out of variables, and the issue looks to be that the line $group = $Context.BindToObject($groupPath) is not returning an object. Any suggestions of how to fix?

Thanks,

Allister

Answer 1

Hello Allister,

The issue occurs because you are using Adaxes 2023. The old version of the scripts were not adapted for it. We updated all the three scripts accordingly. Please, clear browser cache, refresh the page and copy the script you need from the article.

Comments

Thanks, I've updated the script and now I'm getting this error: Line 59 is this: $group.Remove($Context.TargetObject.AdsPath)

Cheers, Allister

---

Hello Allister,

For troubleshooting purposes, please, connect to Adaxes service with the credentials of the Adaxes service account and try removing members from the very same groups. Should you face any errors/warnings, please, provide us with screenshots. You can post them here or send to us at support@adaxes.com.

---

Hi, on further investigation I've discovered that the script is in fact removing the AD groups correctly, however it looks like the script is also enumerating the groups from AAD (I've connected it as a managed domain) and trying to remove the user from 'All Users'. I get the same error when trying to manually remove the user from this group: Is there a way to skip the AAD groups? Cheers, Allister

---

Hello Allister,

Yes, it is possible. Use the below script.

$groupNamesToSkip = @("MyGroup1", "MyGroup2", "Department*") # TODO: modify me

function SkipGroup($patterns, $name)
{
    foreach ($pattern in $patterns)
    {
        if ($name -like $pattern)
        {
            return $True
        }
    }

    return $False
}

# Get all groups user is a direct member of
$groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")

# Get the Primary Group ID
$primaryGroupId = $NULL
if ($Context.TargetObject.DirectoryType -eq 1)
{
    $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
}

foreach ($groupGuidBytes in $groupGuids)
{
    # Bind to the group
    $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
    $groupGuid = $groupGuid.ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"
    $group = $Context.BindToObject($groupPath)

    if ($group.DirectoryType -eq 1)
    {
        # Skip Primary Group
        if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }

        $groupName = $group.Get("sAMAccountName")
    }
    else
    {
       continue
    }

    # Skip special groups
    if (($groupNamesToSkip -ne $NULL) -and 
        (SkipGroup $groupNamesToSkip $groupName))
    {
        continue
    }

    # Remove user from the group
    $group.Remove($Context.TargetObject.AdsPath)
}

---

Thanks, that's worked