Deleting Users from Groups

by Silverbacko at 2013-04-15 07:02:58

I have a script that deletes all users within a list of groups without deleting the groups -

Get-ADGroup -SearchBase "OU=SharePoint Groups,DC=org,DC=com" -Filter * | Foreach-Object{
$Members = Get-ADGroupMember -Identity $_ | Where-Object {$_.objectClass -ne 'computer'}
Remove-ADGroupMember -Identity $_ -Members $Members -Confirm:$false}

Some of the users are in DC=org1,DC=com instead.

This script works great if all of the users within the group are in the same domain. If not it fails on all users with the error -
Remove-ADGroupMember : The specified account name is not a member of the group.

Any help is greatly appreciated.

Thanks. SB
by MasterOfTheHat at 2013-04-15 08:06:45
Have you tried using the DN of the user? I'm not sure exactly how the Remove-ADGroupMember cmdlet searches for users, but I'm betting it doesn't go beyond the local domain.
by Silverbacko at 2013-04-15 09:07:59
If this is what you meant, I got the same error:

Get-ADGroup -SearchBase "OU=TEST - SharePoint Org Groups,DC=tec,DC=net" -Filter * | Foreach-Object{
$Members = Get-ADGroupMember -Identity $_ | Where-Object {$_.objectClass -ne 'computer'}
Remove-ADGroupMember -Identity $_.distinguishedName -Members $Members -Confirm:$false}

If it is, then back to your assumption that Remove-ADGroupMember doesn't go beyond the local domain... How do I recognize and remove those users?
by poshoholic at 2013-04-15 09:36:14
A few questions come to mind for me.
1. Are you able to remove just one member of a group using Remove-ADGroupMember when that member comes from a different domain? You should verify that first.
2. If you can do (1), but you cannot remove members from multiple domains in one call, will it work if you break up the $Members array into multiple arrays, one per domain and remove the members from each of those domains with one call per set of members?
by Silverbacko at 2013-04-15 11:57:12
posh - It doesn't look like the Remove-ADGroupMember command will work across domains. I played with the -Identity (DN and CN) and -Server params and couldn't get it to work.
by poshoholic at 2013-04-15 12:48:36
I’m much less familiar with the Microsoft AD cmdlets than I am with the Quest AD cmdlets. I know with the Quest cmdlets though you could open connections to multiple domains, and in the calls you invoke you could specify the connection you wanted to use. It’s been a while, and I don’t have AD set up in my lab right now since I recently rebuilt my computer (and I’m waiting patiently for my shiny new 960GB Crucial M500 SSD drive), but if I recall correctly, you could do this with Quest’s cmdlets.
by Silverbacko at 2013-04-30 07:51:17
I finally just replaced the Remove-ADGroupMember command with the following ADSI equivalent commands:

#remove-adgroupmember -Identity $ident2 -member $row[0].Trim() -Confirm:$false
# Look the user up against the domain named in the second CSV column, not the local one
$User_temp = Get-ADUser $row[0].Trim() -Server ($row[1].Trim()+".net")
$User = [ADSI]("LDAP://" + $User_temp.DistinguishedName)
$Group = [ADSI]("LDAP://" + $ident2)
# ADSI equivalent of the commented-out cmdlet: IADsGroup.Remove() takes the member's ADsPath
$Group.Remove($User.ADsPath)

Hope this helps someone else.
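The following is an added example, not code from anyone in this thread, that combines poshoholic's idea of handling members per domain with the ADSI approach from the last post: it reads the group's raw `member` attribute (which holds DNs for members from every domain in the forest), resolves each member against its own domain, skips computer objects, and removes via IADsGroup.Remove(). The function name, its parameters and the assumption that all domains are in one forest are mine.

```powershell
function Remove-ForeignGroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupDN,   # DN of the group to empty (assumed input)
        [string]$Server                           # optional DC of the group's own domain
    )
    Import-Module ActiveDirectory

    # Read the raw 'member' attribute rather than Get-ADGroupMember output:
    # it lists DNs from every domain in the forest, which is exactly what
    # Remove-ADGroupMember fails to resolve against the local domain.
    $splat = @{ Identity = $GroupDN; Properties = 'member' }
    if ($Server) { $splat.Server = $Server }
    $group     = Get-ADGroup @splat
    $groupAdsi = [ADSI]("LDAP://" + $group.DistinguishedName)

    foreach ($memberDN in $group.member) {
        # Derive the member's domain from the DC= components of its DN and
        # look the object up there, so cross-domain members resolve too.
        $dcParts = ($memberDN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', ''
        $memberDomain = $dcParts -join '.'
        try {
            $obj = Get-ADObject -Identity $memberDN -Server $memberDomain
        } catch {
            Write-Warning "Could not resolve $memberDN in ${memberDomain}: $_"
            continue
        }
        if ($obj.ObjectClass -eq 'computer') { continue }   # keep computer accounts

        if ($PSCmdlet.ShouldProcess($group.Name, "Remove member $memberDN ($memberDomain)")) {
            # IADsGroup.Remove() only rewrites the group's 'member' attribute,
            # so it works for members from other domains in the forest.
            $groupAdsi.Remove("LDAP://" + $memberDN)
        }
    }
}

# Dry run first (constructed DN), then re-run without -WhatIf:
# Remove-ForeignGroupMembers -GroupDN 'CN=G1,OU=SharePoint Groups,DC=org,DC=com' -WhatIf
```

Because the function supports -WhatIf, each planned removal is printed with the member's domain before anything changes, which is the check worth doing before emptying groups in bulk.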