Remove AD group members from incorrect groups

Oops!

We have about 500 receptionists spread across our various external branches. All receptionists are members of the ‘Receptionists’ AD group.

Some dimwit (not me!) managed to add about half of the receptionists to another Active Directory group which will give them access to some VERY sensitive information. Heads will definitely roll if this gets out.

So, as it stands, we have about 250 receptionists who are members of the ‘Receptionists’ group and also members of the ‘Sensitive’ group.

I need to get the 250 receptionists out of the ‘Sensitive’ group.

Can anyone help?

Cheers.

TG

There are a couple of ways of doing it, but it would depend on what attributes you have in AD. Try something like this (not tested):

# Requires the Quest AD cmdlets
# Collect the members of the good group
$good = Get-QADGroupMember -Identity ReceptionistGroup
# Collect the members of the bad group
$bad = Get-QADGroupMember -Identity SensitiveGroup
# Compare the good group to the bad and provide users that are members of both groups
# Then loop through and remove them from the other group
Compare-Object $good $bad -Property Name -ExcludeDifferent -IncludeEqual |
    foreach { Remove-QADGroupMember -Identity SensitiveGroup -Member $_.Name }

Rob,

Thank you very much for that. Unfortunately I don’t have the Quest AD Commandlets installed, but I was able to adapt your excellent suggestion to generate a csv list of ‘offending’ accounts, using just the regular Active Directory module commandlets.

Fortunately (thanks to you) I’ve discovered that there were a number of test accounts and also disabled accounts on the list, so the overall figure is considerably less than I originally thought. Only (?!) 143 users across the estate have (had) access to the very sensitive information (patient medical history).

We’ve removed a handful of users to check there are no adverse effects (nobody seems to know how or why they got added in the first place). Then I’ll proceed with the last part of your snippet to remove the rest.

Thanks again for your help. This would have been classed as a major security breach.

Glad you were able to figure it out with the example provided.
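The same clean-up done with only the built-in ActiveDirectory module, as the follow-up describes: write the overlap to a CSV for review (with the Enabled flag, so disabled and test accounts stand out), then remove the members. This is an added example, not code posted by anyone in the thread. The group names are taken from the question; the CSV path and the -Apply switch are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Group names come from the question;
# the report path and the -Apply switch are assumptions made for illustration.
param(
    [string]$GoodGroup = 'Receptionists',
    [string]$BadGroup  = 'Sensitive',
    [string]$ReportCsv = '.\sensitive-overlap.csv',
    [switch]$Apply    # without -Apply the removal step only reports what it would do
)

# Index the direct user members of the legitimate group by SID.
# SIDs are unique, whereas display names can collide between accounts.
$goodSids = @{}
Get-ADGroupMember -Identity $GoodGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $goodSids[$_.SID.Value] = $true }

# Direct user members of the sensitive group that are also in the good group.
# Only direct members are considered, because only those can be removed
# from the group itself.
$overlap = Get-ADGroupMember -Identity $BadGroup |
    Where-Object { $_.objectClass -eq 'user' -and $goodSids.ContainsKey($_.SID.Value) } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated } |
    Select-Object SamAccountName, Name, Enabled, whenCreated, DistinguishedName

# Write the review list before changing anything; it also serves as the
# record of who held the membership.
$overlap | Sort-Object SamAccountName |
    Export-Csv -Path $ReportCsv -NoTypeInformation
Write-Host "$(@($overlap).Count) overlapping account(s) written to $ReportCsv"

# Remove each overlapping account from the sensitive group.
# -WhatIf stays on unless the script is run with -Apply.
foreach ($user in $overlap) {
    Remove-ADGroupMember -Identity $BadGroup -Members $user.DistinguishedName `
        -Confirm:$false -WhatIf:(-not $Apply)
}
```

Run it once without -Apply, check the CSV against the accounts that legitimately need the sensitive group, then run it again with -Apply.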