Applies To:

GroupID 10 – GroupID Management Shell

Business Requirement:

In GroupID, the Query Designer is used to define queries for Smart Groups and Dynasties. The Query Designer has an “Include” tab, which is used to add objects to group membership that are otherwise not fetched by the query.

In one of our groups, we have a disabled user as a member. Since the user is specified on the “Include” tab in the group’s query, it gets added as a group member every time group membership is updated.

How can we remove this user or any other disabled user from group memberships?

Solution:

We can remove disabled users from the Query Designer's Include list by running a command in GroupID Management Shell. When removed, disabled users will no longer be included in group memberships.

Steps:

  1. Launch GroupID Management Shell.

  2. Type the following commandlet for removing disabled users from the Include list of all the groups at once:

    $c=Get-SmartGroup -MaxItemsToDisplay 0 | Where-Object {$_.IncludeRecipients -ne $null} |Select Name, IncludeRecipients;foreach($i in $c){foreach($j in $i.IncludeRecipients.split(",")){if((Get-ADUser -Identity $j | Where-Object {$_.Enabled -eq $false})){Set-Smartgroup -Identity $i.Name -Remove @{IncludeRecipients = $j}}}}

    This commandlet will remove all the disabled users from the Include list, which is part of the query of all Smart Groups and Dynasties.

  3. Go to GroupID Management Console to verify if changes have been made to Smart Groups’ queries.

    Note:

    This commandlet will take time to process, depending on the number of Smart Groups and Dynasties in your environment. Before running it in your production environment, it is recommended to first run it on some test groups and verify that the results are as per your requirement.

     
    You can refine the command by appending the desired parameters to the Get-SmartGroup cmdlet (for example, SearchContainer, Identity, ObjectType, LdapFilter, SmartFilter, etc.). For example, we can restrict it to a specific search container:
     
    $c=Get-SmartGroup -SearchContainer "OU= Lab Groups,DC=lab,DC=local" -MaxItemsToDisplay 0 | Where-Object {$_.IncludeRecipients -ne $null} |Select Name, IncludeRecipients;foreach($i in $c){foreach($j in $i.IncludeRecipients.split(",")){if((Get-ADUser -Identity $j | Where-Object {$_.Enabled -eq $false})){Set-Smartgroup -Identity $i.Name -Remove @{IncludeRecipients = $j}}}}
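
A report-first variant of the command in step 2, added here as an example that is not part of the original article: it records which Include entries resolve to disabled users, writes them to a CSV, and changes groups only when `$Apply` is set to `$true`. The `$Apply` and `$ReportPath` variables and the report columns are assumptions of this example; the cmdlets and parameters are the ones the article already uses, and `IncludeRecipients` is assumed to be the comma-separated string the article's `split(",")` implies.

```powershell
# Added example (not vendor code). Paste into GroupID Management Shell.
$Apply      = $false                        # hypothetical toggle: $true performs the removals
$ReportPath = '.\disabled-includes.csv'     # hypothetical report location

# Same selection as the article: Smart Groups/Dynasties with a non-empty Include list.
$groups = Get-SmartGroup -MaxItemsToDisplay 0 |
    Where-Object { $null -ne $_.IncludeRecipients } |
    Select-Object Name, IncludeRecipients

$findings = @(
    foreach ($group in $groups) {
        foreach ($entry in $group.IncludeRecipients.Split(',')) {
            if ([string]::IsNullOrWhiteSpace($entry)) { continue }
            try {
                # -ErrorAction Stop so a failed lookup lands in the catch block.
                $user = Get-ADUser -Identity $entry -ErrorAction Stop
            } catch {
                # Entry is not a user (group, contact) or cannot be resolved:
                # report it for review, but never remove it automatically.
                [pscustomobject]@{ Group = $group.Name; Recipient = $entry; Status = 'Unresolved' }
                continue
            }
            if ($user.Enabled -eq $false) {
                [pscustomobject]@{ Group = $group.Name; Recipient = $entry; Status = 'Disabled' }
            }
        }
    }
)

# Keep a record of what was found before anything is modified.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize

if ($Apply) {
    foreach ($f in $findings | Where-Object { $_.Status -eq 'Disabled' }) {
        # Same removal call as the article's one-liner, one entry at a time.
        Set-SmartGroup -Identity $f.Group -Remove @{ IncludeRecipients = $f.Recipient }
    }
}
```

Run it once with `$Apply = $false`, review the CSV, then set `$Apply = $true` and run it again to perform the removals.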

Additional Information:

To remove disabled users from the Include list of a single Smart Group, use the following commandlet:

    $c=Get-SmartGroup -Identity "Test-1"| Select Name, IncludeRecipients;foreach($i in $c){foreach($j in $i.IncludeRecipients.split(",")){if((Get-ADUser -Identity $j | Where-Object {$_.Enabled -eq $false})){Set-Smartgroup -Identity $i.Name -Remove @{IncludeRecipients = $j}}}}

Reference:

GroupID Management Shell User Guide