Hello,
I have an AD user, Person2, with some memberships such as Domain Users, IntranetAccess, 5005 Email, 5005 Security.
How would I remove all memberships except Domain Users and IntranetAccess?
I found the solution earlier months ago, but now I can’t find it.
I know you can use
Remove-ADGroupMember -Identity "5005 Email" -Members person2
to just remove 5005 email
Thanks,
Tony
This will be a lot of effort for one user; I assume this is an example for a larger project.
#Create an array of the DNs of the groups to keep
$keep = @(
'CN=Domain Users,CN=Users,DC=test,DC=com', #probably not necessary, primary group usually handled separately
'CN=IntranetAccess,CN=Groups,DC=test,DC=com')
#get user's group DNs (-Identity takes a sAMAccountName, DN, GUID or SID, not a display name)
$user = 'fsmith'
$grps = Get-ADUser $user -Properties memberof | Select-Object -ExpandProperty memberof
#remove all except $keep: Where-Object passes the DNs through (ForEach-Object would only emit $true/$false);
#each piped DN binds to -Identity (the group), so the user has to be given to -Members explicitly
$grps | Where-Object {$keep -notcontains $_} | Remove-ADGroupMember -Members $user -WhatIf
Remove -whatif once tested
Thank you,
I saw something along the lines of this a few weeks ago also, I know this doesn’t work, but it looked something like this:
Supposed to: get the group membership of person2, and remove everything except Domain Users
(Get-ADPrincipalGroupMembership -Identity person2).name | Remove-ADGroupMember where{$_.(Get-ADPrincipalGroupMembership -Identity person) -ne "Domain Users"}
I’m not sure if I’m thinking this correctly, but since I can do
Remove-ADGroupMember -Identity "5005 Email" -Members person2
to remove that permission, is there a way to add
where{$_.name -ne "Domain Users"}
so that it removes all groups except Domain Users?
With AD groups, it's important to understand how the data is stored. Groups are not stored in the user object; it's a calculated field. Members are stored in the group object. So it's not a matter of removing groups from a user; you have to remove the user from each group he is in.
Thank you Ron,
I understand you remove a user from the group, and not vice versa.
That’s what I’m trying to figure out. I saw an example earlier, but I can’t find the link.
You could do it that way for a single group, but you would have to compare the DN, not the CN. When you retrieve a user’s group memberships, all you get is an array of DNs. You can then filter that list to remove the group(s) you want to keep and pipe it to remove-adgroupmember. But you’ll need to use the full DN(s) in your filter.
Try This:
(get-aduser person2 -properties memberof).memberof
You should see 2 things. The data returned is just a list (array) of DNs. The primary group, Domain Users, is not listed.
So, assuming you want to remove all groups except the Primary group:
(get-aduser person2 -properties memberof).memberof|remove-adgroupmember person2
(get-aduser person2 -properties memberof).memberof|remove-adgroupmember person2
When I do that, it’s asking for Members[0]:
Sorry
(get-aduser person2 -properties memberof).memberof|remove-adgroupmember -member person2
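Putting the whole thread together in one reusable script, added here as an example (it was not posted by anyone in the thread): keep-list names are resolved to DNs with Get-ADGroup so the comparison is DN-to-DN as Ron says, the primary group is left alone because memberOf never lists it, the user goes to -Members rather than the positional -Identity (the cause of the "Members[0]:" prompt), and the function supports -WhatIf so the removals can be reviewed before they happen. The function name Remove-AllGroupsExcept is my own; person2 and IntranetAccess come from the thread, and the script assumes the ActiveDirectory module is installed and the caller has rights to modify the groups.

```powershell
# Added example, not code from any poster in this thread.
# Assumes the RSAT ActiveDirectory module and an account allowed to modify the target groups.
#Requires -Modules ActiveDirectory

function Remove-AllGroupsExcept {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountName, DN, GUID or SID of the user (Get-ADUser -Identity does not take display names)
        [Parameter(Mandatory)] [string] $Identity,
        # Group names or DNs to keep; memberOf only holds DNs, so names are resolved below
        [Parameter(Mandatory)] [string[]] $Keep
    )

    # Resolve every keep entry to its distinguishedName so the filter compares DN to DN, never CN to DN.
    $keepDn = foreach ($g in $Keep) {
        (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName
    }

    $user = Get-ADUser -Identity $Identity -Properties memberOf -ErrorAction Stop

    # memberOf does not include the primary group (Domain Users by default), so it is never touched here.
    $toRemove = @($user.memberOf | Where-Object { $keepDn -notcontains $_ })

    if ($toRemove.Count -eq 0) {
        Write-Verbose "No group memberships to remove for $($user.SamAccountName)."
        return
    }

    foreach ($groupDn in $toRemove) {
        # -Identity is the group, -Members is the user. Passing the user positionally binds it to
        # -Identity instead, which is what produces the "Members[0]:" prompt seen in the thread.
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.SamAccountName) from group")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
            # Emit a record of each removal so the run can be logged or exported
            [pscustomobject]@{ User = $user.SamAccountName; RemovedFrom = $groupDn }
        }
    }
}

# Dry run first: -WhatIf prints each intended removal without changing AD.
Remove-AllGroupsExcept -Identity 'person2' -Keep 'Domain Users', 'IntranetAccess' -WhatIf

# Real run, then re-read memberOf to confirm only the kept groups are left:
# Remove-AllGroupsExcept -Identity 'person2' -Keep 'Domain Users', 'IntranetAccess' | Export-Csv removals.csv
# (Get-ADUser person2 -Properties memberOf).memberOf
```

Run it with -WhatIf against one account before pointing it at a list of users; the emitted objects from the real run give you a record of which group each user was removed from, which is worth keeping when a bulk cleanup is later questioned.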