remove disabled users from distribution groups exchange online

Hi All

When I try to run this code
[pre]
$groups = Get-DistributionGroup -ResultSize Unlimited
foreach ($group in $groups) {
    # Keep user recipients that are not resource mailboxes
    Get-DistributionGroupMember $group |
        ? { $_.RecipientType -like 'User' -and $_.ResourceType -eq $null } |
        # Keep only the accounts flagged as disabled
        Get-User | ? { $_.UserAccountControl -match 'AccountDisabled' } |
        Remove-DistributionGroupMember $group -Confirm:$false
}
[/pre]
I’m getting the following error messages

[pre]

Cannot process argument transformation on parameter 'Identity'. Cannot convert the "name_of_distributionlist" value of type
"Deserialized.Microsoft.Exchange.Data.Directory.Management.DistributionGroup" to type
"Microsoft.Exchange.Configuration.Tasks.DistributionGroupMemberIdParameter".

    + CategoryInfo          : InvalidData: (:) [Get-DistributionGroupMember], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-DistributionGroupMember
    + PSComputerName        : outlook.office365.com

[/pre]
Any ideas on how to solve this?

Thanks for your input

Paul

Without the possibility to test I’d suspect Get-DistributionGroupMember is not able to deal with the complete object. So you should provide only the expected property of the object … try the sAMAccountName:

[pre]
$groups = Get-DistributionGroup -ResultSize Unlimited
foreach ($group in $groups) {
    Get-DistributionGroupMember -Identity $group.sAMAccountName |
        Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
            Get-User | 
                Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                    Remove-DistributionGroupMember $group -Confirm:$false
}
[/pre]

Hi Olaf,

Thanks for your suggestion, however no joy, still the same error message.

Paul

Paul,

hmmm … I didn’t want to test the part with the remove cmdlet but actually the code ran in my environment. Try it this way:

[pre]
Get-DistributionGroup -ResultSize Unlimited | 
    ForEach-Object {
        $DistributionGroup = $_.sAMAccountName
        Get-DistributionGroupMember -Identity $DistributionGroup |
            Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
                Get-User | 
                    Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                        ForEach-Object {
                            Remove-DistributionGroupMember -Identity $DistributionGroup -Confirm:$false -Member $_.SamAccountName
                        }
    }
[/pre]

Hi Olaf,

Still no luck.
Another thing that is weird is that whenever the user account is still active it will work:

[pre]

$email = "user@mydomain.com"

# Resolve the mailbox and find every distribution group that lists it as a member
$mailbox = Get-Mailbox -Identity $email
$DN = $mailbox.DistinguishedName
$Filter = "Members -like ""$DN"""
$DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

Write-Host `n
Write-Host "Listing all Distribution Groups:"
Write-Host `n
$DistributionGroupsList | ft

# Keep asking until the answer is y or n
$answer = Read-Host "Would you like to proceed and remove $email from all distribution groups ( y / n )?"
While ("y","n" -notcontains $answer) {
    $answer = Read-Host "Would you like to proceed and remove $email from all distribution groups ( y / n )?"
}

If ($answer -eq 'y') {
    ForEach ($item in $DistributionGroupsList) {
        Remove-DistributionGroupMember -Identity $item.DisplayName -Member $email -Confirm:$false
    }

    Write-Host `n
    Write-Host "Successfully removed"

    Remove-Variable * -ErrorAction SilentlyContinue
}
Else {
    Remove-Variable * -ErrorAction SilentlyContinue
}

[/pre]

Do you happen to know why removing the distribution groups for disabled users is such a pain?

Do you want to remove the users or the distribution groups?

Olaf,

I want to remove the users, but the thing is when a user is leaving the company I can deal with that as long as the account is active. For the already deactivated users I’m struggling to get it to work, because I get that error message posted in the original post thrown at me.

Olaf was correct. The problem with the original syntax is that Get-DistributionGroupMember returns a deserialized object which is being passed to the Remove-DistributionGroupMember’s -Identity parameter. Looking at the help for this cmdlet shows you what properties you can pass to it. I have put them here:

[pre]
-Identity <DistributionGroupIdParameter>
    The Identity parameter specifies the distribution group or mail-enabled security group that you want to modify. You can use
    any value that uniquely identifies the group.

    For example:
    * Name
    * Display name
    * Alias
    * Distinguished name (DN)
    * Canonical DN
    * Email address
    * GUID

    Required?                    true
    Position?                    1
    Default value
    Accept pipeline input?       True
    Accept wildcard characters?  false
[/pre]

You are most likely having an issue because when the account is inactive it has been removed and is sitting in the dumpster, which is retained for 30 days after the account is removed. Bigger question: is the user on any sort of time-based or Lithold?

Dave thanks for your answer

when I run this code it works on the active users but on the disabled users I get the below mentioned error message
[pre]

$users = Import-Csv c:\temp\csv\toRemove.csv

foreach ($user in $users) {
    $email = "$($user.email)"

    # Look up the mailbox to get its DN, then find the groups that list it as a member
    $mailbox = Get-Mailbox -Identity $email
    $DN = $mailbox.DistinguishedName
    $Filter = "Members -like ""$DN"""
    $DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

    $DistributionGroupsList

    ForEach ($item in $DistributionGroupsList) {
        Remove-DistributionGroupMember -Identity $item.DisplayName -Member $email -Confirm:$false
    }
}

[/pre]
I get the following error message
[pre]
The operation couldn't be performed because object 'user@mydomain.com' couldn't be found on
xxxxxx.PROD.OUTLOOK.COM'.

    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=servername,RequestId=3677493e-a17d-4d93-ab7e-7567764e1a25,TimeStamp=7/8/2020 5:46:21 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] ,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
    + PSComputerName        : office365

[/pre]
When running this code while the user is still active I do get the distribution lists he’s a member of.

Because when they are inactive they don’t have an Exchange account and the mailbox is marked inactive and in the dumpster. All Exchange attributes are removed unless you activate it, assign a license and move the mailbox out of the dumpster. You will want to remove them from all groups before you mark them inactive or remove them to minimize the risk of leaving objects in your GAL or orphaned objects.

Dave,

Makes sense. How would I manage to remove every disabled user from the distribution groups while avoiding errors?
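
An added example, not posted by anyone in the thread: one way to sweep disabled accounts out of distribution groups while avoiding both errors shown above, by passing plain string identities instead of the deserialized group object and by finding disabled accounts with Get-User rather than Get-Mailbox. It assumes a connected Exchange Online session and that the disabled accounts are still returned by Get-User and still listed as group members; `$WhatIf`, `$disabled` and `$report` are names chosen for this example.

```powershell
# Added example (not from the thread). With $WhatIf = $true nothing is changed;
# the run only reports which memberships would be removed.
$WhatIf = $true

# 1. Index disabled accounts by DistinguishedName, using the same
#    UserAccountControl test as the thread. No Get-Mailbox lookup is needed.
$disabled = @{}
Get-User -ResultSize Unlimited |
    Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
    ForEach-Object { $disabled[$_.DistinguishedName] = $true }

# 2. Walk every group and compare its members against that index.
$groups = Get-DistributionGroup -ResultSize Unlimited
$report = foreach ($group in $groups) {
    # Pass a string identity, never the deserialized group object.
    $groupId = $group.DistinguishedName
    $members = Get-DistributionGroupMember -Identity $groupId -ResultSize Unlimited

    foreach ($member in $members) {
        if (-not $disabled.ContainsKey($member.DistinguishedName)) { continue }

        $status = 'WouldRemove'
        try {
            Remove-DistributionGroupMember -Identity $groupId `
                -Member $member.DistinguishedName `
                -Confirm:$false -WhatIf:$WhatIf -ErrorAction Stop
            if (-not $WhatIf) { $status = 'Removed' }
        }
        catch {
            # Record the failure and continue with the next member.
            $status = "Failed: $($_.Exception.Message)"
        }

        # One row per stale membership, kept as an audit trail.
        [pscustomobject]@{
            Group  = $group.DisplayName
            Member = $member.DistinguishedName
            Status = $status
        }
    }
}

$report | Format-Table -AutoSize
```

Review the `WouldRemove` rows first, then set `$WhatIf = $false` to apply the removals; exporting `$report` with Export-Csv keeps a record of which memberships were revoked.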