To quickly see the disabled users and their group membership in your Active Directory, you can use this PowerShell command:
Get-ADUser -SearchBase "OU=OU1,DC=domain,DC=local" -Filter 'Enabled -ne $True' -Properties MemberOf | Format-Table SamAccountName, MemberOf -AutoSize
This script will prompt you for a search base (like "OU=OU1,DC=lab2,DC=local") and remove all disabled users from their groups:
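# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

$inputfromuser = Read-Host 'Enter AD Searchbase'
if ([string]::IsNullOrWhiteSpace($inputfromuser))
{
    Write-Host "Input error"
}
else
{
    # Get all disabled users under the search base, including their group memberships
    $DisabledUsers = Get-ADUser -SearchBase $inputfromuser -Filter 'Enabled -ne $True' -Properties MemberOf
    foreach ($user in $DisabledUsers)
    {
        # MemberOf holds the distinguished name of each group (the primary group is not listed there)
        foreach ($member in $user.MemberOf)
        {
            Write-Host "Removing" $user.SamAccountName "from" $member
            Remove-ADGroupMember -Identity $member -Members $user.SamAccountName -Confirm:$false
        }
    }
}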
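A variant of the removal script that first writes every user/group pair to a CSV file, so the cleanup leaves an audit record and can be reversed, and that supports -WhatIf for a dry run. This is an added example, not part of the original script; the parameter names $SearchBase and $BackupCsv and the default file name are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: back up group memberships of disabled users, then remove them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SearchBase,
    # Hypothetical default location for the backup file; change as needed.
    [string]$BackupCsv = ".\disabled-user-groups-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

$disabledUsers = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties MemberOf

# Build one row per (user, group) pair so the file can be replayed later.
$rows = foreach ($user in $disabledUsers) {
    foreach ($groupDn in $user.MemberOf) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            UserDN         = $user.DistinguishedName
            GroupDN        = $groupDn
        }
    }
}

if (-not $rows) {
    Write-Host 'No group memberships found for disabled users.'
    return
}

# Always write the backup, even during a -WhatIf dry run.
$rows | Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8 -WhatIf:$false
Write-Host "Saved $(@($rows).Count) memberships to $BackupCsv"

foreach ($row in $rows) {
    # ShouldProcess honours -WhatIf and -Confirm passed to this script.
    if ($PSCmdlet.ShouldProcess($row.GroupDN, "Remove $($row.SamAccountName)")) {
        try {
            Remove-ADGroupMember -Identity $row.GroupDN -Members $row.UserDN -Confirm:$false -ErrorAction Stop
        }
        catch {
            # Keep going; one protected or unreachable group should not stop the run.
            Write-Warning "Failed to remove $($row.SamAccountName) from $($row.GroupDN): $_"
        }
    }
}
```

If an account is re-enabled later, the rows in the CSV can be read back with Import-Csv and passed to Add-ADGroupMember to restore its memberships.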
Honorable mention for assisting on this script goes to Bjørn Wang.
Edit: Added script for membership removal.