Question
So, today I was assigned the task of removing all the ex-employees on the domain (they have their own folder in AD) from all their DLs. Is there any way to do this quickly, or at least quicker than checking each one individually and going to Member Of > Remove All?
Thanks
Edit to add more information:
There are 822 users that need their "Member Of" tab updated to remove them from all distribution lists. This would take my team of 5 (helpdesk) roughly a week to sift through on top of our already HUGE workload. The rough path to the folder with all the ex-employees is:
BusinessName.local\MyBusiness\Users\Ex-Employees\
If any other information is needed I would be more than happy to provide it.
Edit 2: There are over 250 DLs in the system, so I can't provide a list, for both confidentiality and functionality reasons.
Answer 1:
Added script: if you want to use PowerShell scripting, here is the code
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Search the ex-employee OU (and any sub-OUs) for user objects.
# objectCategory=person plus objectClass=user matches user accounts only;
# a bare objectCategory=User also matches contact objects.
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher
$directorySearcher.SearchRoot = "LDAP://OU=YourOU,DC=YourDomain,DC=com"
$directorySearcher.PageSize = 1000
$directorySearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$directorySearcher.SearchScope = "Subtree"
# sAMAccountName is unique in the domain; the display name (cn) need not be
[void]$directorySearcher.PropertiesToLoad.Add("sAMAccountName")
$searchResults = $directorySearcher.FindAll()

# FindByIdentity needs a PrincipalContext, not just the ContextType enum
$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType)
$identityType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName

foreach ($result in $searchResults)
{
    # Property values come back as a collection; take the single string
    $sam = [string]$result.Properties["samaccountname"][0]
    "Name: " + $sam
    $userPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context, $identityType, $sam)
    if ($null -eq $userPrincipal) { continue }

    # Materialise the group list before changing memberships so the
    # enumeration is not affected by the removals
    $userGroups = @($userPrincipal.GetGroups())
    foreach ($userGroup in $userGroups) {
        if ($userGroup.IsSecurityGroup -eq $false) # Distribution groups only
        {
            "Removing - " + $userGroup.SamAccountName
            [void]$userGroup.Members.Remove($userPrincipal)
            $userGroup.Save()
        }
    }
}
$searchResults.Dispose()
For .NET, here is the code
using System;
using System.Collections;
using System.Text;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

namespace RemoveFromDistributionGroups
{
    class Program
    {
        private static string sDomain;
        private static string sDefaultOU;
        private static string sServiceUser;
        private static string sServicePassword;

        static void Main(string[] args)
        {
            try
            {
                Console.Write("Type your Domain (i.e: yourcompany.com) ");
                sDomain = Console.ReadLine();
                Console.Write("Type the OU you want to use: (i.e: OU=yourou,DC=yourcompany,DC=com)");
                sDefaultOU = Console.ReadLine();
                Console.Write(@"Username: (i.e.: YOURDOMAIN\Raymund )");
                sServiceUser = Console.ReadLine();
                Console.Write("Password: ");
                // Read without echo so the password is not left on screen or in console history
                sServicePassword = ReadPassword();

                foreach (UserPrincipal user in GetAllUsers())
                {
                    Console.WriteLine("Processing User : " + user.Name);
                    // GetUserGroups copies the memberships into a list first, so
                    // removing the user from a group does not disturb the enumeration
                    foreach (GroupPrincipal group in GetUserGroups(user))
                    {
                        if (group.IsSecurityGroup == false) // Distribution group only
                        {
                            group.Members.Remove(user);
                            group.Save();
                        }
                    }
                }
                Console.WriteLine("Done! Press a key to exit");
                Console.ReadLine();
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error Encountered : " + ex.Message);
                Console.WriteLine("Press a key to exit");
                Console.ReadLine();
            }
        }

        // Read a line from the console without echoing the characters typed
        private static string ReadPassword()
        {
            var sb = new StringBuilder();
            ConsoleKeyInfo key;
            while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
            {
                if (key.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
                else if (!char.IsControl(key.KeyChar)) sb.Append(key.KeyChar);
            }
            Console.WriteLine();
            return sb.ToString();
        }

        public static PrincipalContext GetPrincipalContext(string sOU)
        {
            PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sOU, ContextOptions.Negotiate, sServiceUser, sServicePassword);
            return oPrincipalContext;
        }

        // Returns every user account under the OU, enabled or not. Do not add
        // "Enabled = true" to the filter: ex-employee accounts are usually disabled
        // and would be skipped.
        public static ArrayList GetAllUsers()
        {
            ArrayList myItems = new ArrayList();
            PrincipalSearcher oPrincipalSearcher = new PrincipalSearcher();
            UserPrincipal oUserPrincipal = new UserPrincipal(GetPrincipalContext(sDefaultOU));
            oUserPrincipal.SamAccountName = "*";
            oPrincipalSearcher.QueryFilter = oUserPrincipal;
            ((DirectorySearcher)oPrincipalSearcher.GetUnderlyingSearcher()).PageSize = 1000;
            PrincipalSearchResult<Principal> oPrincipalSearchResults = oPrincipalSearcher.FindAll();
            foreach (Principal oResult in oPrincipalSearchResults)
            {
                myItems.Add(oResult);
            }
            return myItems;
        }

        // Direct group memberships of the user, copied into a list
        public static ArrayList GetUserGroups(UserPrincipal oUserPrincipal)
        {
            ArrayList myItems = new ArrayList();
            PrincipalSearchResult<Principal> oPrincipalSearchResult = oUserPrincipal.GetGroups();
            foreach (Principal oResult in oPrincipalSearchResult)
            {
                myItems.Add(oResult);
            }
            return myItems;
        }
    }
}
Please also take note that in $directorySearcher.SearchRoot or sDefaultOU you need to use the OU (or what you call a folder) where your ex-employees are. I think in your case it is "LDAP://OU=Ex-Employees,OU=Users,OU=MyBusiness,DC=BusinessName,DC=local" if used in PowerShell, or "OU=Ex-Employees,OU=Users,OU=MyBusiness,DC=BusinessName,DC=local" if used in the .NET code.
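The same clean-up can be done with the ActiveDirectory module (RSAT, or any Windows Server 2008 R2 or later DC), which is what most admins would type today. The script below is an added example and is not part of the answer above; it assumes the OU distinguished name from the question, that the ActiveDirectory module is installed, and a CSV path of your choosing. It adds two things a practitioner would want before touching 822 accounts and 250 DLs at once: a dry run ($DryRun = $true, which turns every removal into a -WhatIf), and an audit export of every membership removed so the change can be reversed. Only groups with GroupCategory Distribution are touched, so security-group membership, and therefore access, is left exactly as it was.

```powershell
# Added example (not from the original answer): remove every user under the
# ex-employee OU from all distribution groups, with a dry run and an audit log.
Import-Module ActiveDirectory

# Assumptions: OU DN taken from the question; log path is arbitrary
$SearchBase = "OU=Ex-Employees,OU=Users,OU=MyBusiness,DC=BusinessName,DC=local"
$LogPath    = ".\removed-dl-memberships.csv"
$DryRun     = $true   # set to $false to actually remove memberships

# -Filter * returns disabled accounts too, which ex-employee accounts usually are
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter *

$removed = foreach ($user in $users) {
    # Direct memberships only; keep distribution groups, skip security groups
    $dls = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.GroupCategory -eq 'Distribution' }

    foreach ($dl in $dls) {
        # -WhatIf:$true prints "What if: ..." instead of writing to AD
        Remove-ADGroupMember -Identity $dl -Members $user -Confirm:$false -WhatIf:$DryRun

        # Record what was (or would be) removed so it can be restored later
        [pscustomobject]@{
            User    = $user.SamAccountName
            Group   = $dl.SamAccountName
            GroupDN = $dl.DistinguishedName
            DryRun  = $DryRun
        }
    }
}

$removed | Export-Csv -Path $LogPath -NoTypeInformation

$action = if ($DryRun) { 'would be removed' } else { 'removed' }
$userCount = @($removed | Select-Object -ExpandProperty User -Unique).Count
"{0} distribution group membership(s) {1} across {2} user(s); log written to {3}" -f `
    @($removed).Count, $action, $userCount, $LogPath
```

Run it once with $DryRun left at $true and read the CSV to confirm the user and group counts look right (the question mentions 822 users, so expect roughly that many distinct users), then set $DryRun to $false and run it again. To undo a removal, feed the log back in: Import-Csv $LogPath | ForEach-Object { Add-ADGroupMember -Identity $_.GroupDN -Members $_.User }. Get-ADPrincipalGroupMembership returns only direct memberships, which is what the question asks for; membership inherited through nested groups is not changed.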
Source: https://stackoverflow.com/questions/9379922/remove-all-ex-employees-from-all-distribution-groups