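<#
.SYNOPSIS
    Finds user accounts that still carry adminCount=1 but are no longer members
    (directly or through nested groups) of any AdminSDHolder-protected group, and
    clears the attribute on them.

.DESCRIPTION
    SDProp stamps adminCount=1 on protected groups and on their transitive
    members, but never removes it. Accounts removed from those groups keep the
    flag and the non-inherited ACL, which is what this script is meant to tidy
    up. Protected-group membership is resolved once, transitively, into a set;
    every flagged user is then checked against that set.

    Supports -WhatIf / -Confirm via SupportsShouldProcess, so the clearing step
    can be previewed before anything is written.

.NOTES
    - Clearing adminCount does NOT re-enable ACL inheritance on the object.
      SDProp disabled inheritance when it protected the account, and that has
      to be restored separately (the security descriptor's protection flag)
      for the account to pick up inherited permissions again.
    - Accounts that SDProp protects directly rather than through a group
      (krbtgt is the usual example) may appear in the result; SDProp will
      re-stamp adminCount on them, so confirm before treating them as orphans.
    - Membership is matched on SamAccountName, so members that are foreign
      security principals (trusted-domain accounts) cannot be matched and
      Get-ADGroupMember may refuse to enumerate such groups; the script stops
      rather than guess in that case.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

Import-Module ActiveDirectory

# All users SDProp has flagged. adminCount is read back so the result set can
# be inspected; MemberOf is kept for the same reason.
$adminUsers = Get-ADUser -LDAPFilter "(adminCount=1)" -Properties MemberOf,adminCount

# Protected groups carry adminCount=1 themselves.
$adminGroups = Get-ADGroup -Filter {AdminCount -eq 1}

# Resolve every protected group's membership ONCE, transitively (-Recursive), so a
# user whose only link is a nested group is not mistaken for an orphan. Querying
# each group again per user, as a nested loop would, is both slow and unnecessary.
$protectedMembers = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

foreach ($group in $adminGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object {
                if ($_.SamAccountName) { [void]$protectedMembers.Add($_.SamAccountName) }
            }
    }
    catch {
        # Fail closed: if one group cannot be enumerated, its members would all
        # look orphaned and have adminCount cleared in error. Stop instead.
        throw "Could not enumerate members of protected group '$($group.SamAccountName)': $($_.Exception.Message)"
    }
}

# Flagged users that are in no protected group, as a report-friendly object list.
$usersNotInAdminGroups = @(
    foreach ($user in $adminUsers) {
        if (-not $protectedMembers.Contains([string]$user.SamAccountName)) {
            [PSCustomObject]@{
                UserName          = $user.SamAccountName
                DisplayName       = $user.Name
                DistinguishedName = $user.DistinguishedName
            }
        }
    }
)

# Clear adminCount for the orphaned accounts. The DN is used as the identity so
# the write cannot land on a different object than the one that was evaluated.
foreach ($user in $usersNotInAdminGroups) {
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear adminCount')) {
        continue
    }
    try {
        Write-Host "Clearing adminCount for user: $($user.UserName)"
        Set-ADUser -Identity $user.DistinguishedName -Clear adminCount -ErrorAction Stop
        Write-Host "Successfully cleared adminCount for $($user.UserName)" -ForegroundColor Green
    }
    catch {
        # One failed write must not abort the remaining accounts; report and go on.
        Write-Host "Failed to clear adminCount for $($user.UserName): $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Output results
Write-Host "`nFinal Results:"
$usersNotInAdminGroups | Format-Table -AutoSize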