Help with Powershell Script - Removing User from AD group if found as a primary user for a computer in Endpoint

Corey Rabinowitz 1 Reputation point
2022-09-12T21:36:00.463+00:00

Hi - Hopefully this can be done:

This is a hybrid workplace. We have an AD group of users that is used just to get them set up with Autopilot; the group is synced to AAD. Once their laptop is set up, they need to be removed from that AD group.
The problem is, not everyone remembers to remove the users from that group, and people are in there unnecessarily, which gives them access to a VPN that they shouldn't be using in day-to-day.

So, I'm trying to come up with a PowerShell script that does the following:

  1. Gets all of the users in the AD group
  2. Gets all of the Windows devices that show autopilotenrolled is true for those users in the group
  3. For each user in the group where the device has autopilotenrolled set to true, removes them from the group in AD (I believe it has to be removed from AD, not AAD, since it's synced).

The problem is the mix of getting info from AAD/Endpoint and trying to use that info to go back to AD.
Can someone come up with a PowerShell script that can do something like that?

Thanks


1 answer

  1. Limitless Technology 45,241 Reputation points
    2022-09-19T06:53:35.083+00:00

    Hello there,

    The PowerShell Get-ADGroupMember cmdlet is used to list the members of an Active Directory group.
    If you’re not sure what the group name is, you can issue the following command to list all Active Directory groups.

    Get-ADGroup -Filter * | Sort-Object Name | Select-Object Name

    Get all the Autopilot profiles available in your Intune tenant, and display them in JSON format:

    Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON

    ------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–
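
The three steps in the question, tied together as an added example that is not part of either post above: it reads the AD group, asks Intune (through Microsoft Graph) whether each member has a Windows device with `autopilotEnrolled` set, and removes matching users from the on-premises group. Assumptions: the group name `Autopilot-Staging` is a placeholder, each user's AD UPN matches the UPN Intune records on the device, and the ActiveDirectory module and Microsoft Graph PowerShell SDK are installed.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder name (assumption); replace with the real on-premises staging group.
    [string]$GroupName = 'Autopilot-Staging'
)

# Read-only Intune scope: the script never writes to Entra ID or Intune.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

# Direct user members only; nested groups and computer objects are left alone.
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties UserPrincipalName

foreach ($user in $members) {
    if (-not $user.UserPrincipalName) { continue }

    # Assumption: the AD UPN equals the UPN Intune stores for the device's user.
    $upn    = $user.UserPrincipalName.Replace("'", "''")   # escape quotes for OData
    $filter = [uri]::EscapeDataString("userPrincipalName eq '$upn'")
    $uri    = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=$filter"

    # autopilotEnrolled is read from the beta managedDevice resource; follow paging links.
    $devices = @()
    do {
        $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
        $devices += $page.value
        $uri      = $page.'@odata.nextLink'
    } while ($uri)

    $enrolled = @($devices | Where-Object {
        $_.operatingSystem -eq 'Windows' -and $_.autopilotEnrolled
    })
    if ($enrolled.Count -eq 0) { continue }   # no Autopilot device yet: keep membership

    # Removal happens in AD; directory sync carries it to the synced cloud group.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $GroupName -Members $user -Confirm:$false
        # Emit an audit record for each removal.
        [pscustomobject]@{
            User    = $user.UserPrincipalName
            Devices = ($enrolled | ForEach-Object { $_.deviceName }) -join ', '
            Removed = Get-Date
        }
    }
}
```

Run it with `-WhatIf` first to list who would be removed without changing the group, and keep the emitted records as an audit trail of VPN access being withdrawn.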

