remove disabled users from distribution groups exchange online

acer4605 · July 7, 2020, 3:45am

Hi All

when I try to run this code
[pre]
$groups = Get-DistributionGroup -ResultSize Unlimited
foreach($group in $groups){
Get-DistributionGroupMember $group |
?{$.RecipientType -like ‘User’ -and $.ResourceType -eq $null} |
Get-User | ?{$_.UserAccountControl -match ‘AccountDisabled’} |
Remove-DistributionGroupMember $group -Confirm:$false
}

[/pre]
I’m getting the following error messages

[pre]

Cannot process argument transformation on parameter ‘Identity’. Cannot convert the “name_of_distributionlist” value of type
“Deserialized.Microsoft.Exchange.Data.Directory.Management.DistributionGroup” to type
“Microsoft.Exchange.Configuration.Tasks.DistributionGroupMemberIdParameter”.

CategoryInfo : InvalidData: ( [Get-DistributionGroupMember], ParameterBindin…mationException
FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-DistributionGroupMember
PSComputerName : outlook.office365.com

[/pre]
any Idea’s on how to solve this?

thanks for your input

Paul

Olaf · July 7, 2020, 4:43am

Without the possiblitiy to test I’d suspect Get-DistributionGroupMember is not able to deal with the complete object. So you should provide only the expected property of the object … try the sAMAccountName:

$groups = Get-DistributionGroup -ResultSize Unlimited
foreach ($group in $groups) {
    Get-DistributionGroupMember -Identity $group.sAMAccountName |
        Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
            Get-User | 
                Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                    Remove-DistributionGroupMember $group -Confirm:$false
}

acer4605 · July 7, 2020, 5:11am

Hi Olaf,

thanks for your suggestion however no joy still the same error message

Paul

Olaf · July 7, 2020, 12:58pm

Paul,

hmmm … I didn’t want to test the part with the remove cmdlet but actually the code ran in my environment. Try it this way:

Get-DistributionGroup -ResultSize Unlimited | 
    ForEach-Object {
        $DistributionGroup = $_.sAMAccountName
        Get-DistributionGroupMember -Identity $DistributionGroup |
            Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
                Get-User | 
                    Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                        ForEach-Object {
                            Remove-DistributionGroupMember -Identity $DistributionGroup -Confirm:$false -Member $_.SamAccountName
                        }
    }

acer4605 · July 7, 2020, 9:14pm

Hi Olaf,

still no luck,
another thing that is weird is that whenever the user account is still active it will work

[pre]

$email = “user@mydomain.com”

$mailbox = Get-Mailbox -Identity $email

$DN=$mailbox.DistinguishedName

$Filter = “Members -like “”$DN”“”

$DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

Write-host n Write-host "Listing all Distribution Groups:" Write-host n
$DistributionGroupsList | ft

$answer = Read-Host “Would you like to proceed and remove $email from all distribution groups ( y / n )?”

While (“y”,“n” -notcontains $answer) {
$answer = Read-Host “Would you like to proceed and remove $email from all distribution groups ( y / n )?”
}

If ($answer -eq ‘y’) {

ForEach ($item in $DistributionGroupsList) {
Remove-DistributionGroupMember -Identity $item.DisplayName –Member $email -Confirm:$false
}

Write-host `n
Write-host “Successfully removed”

Remove-Variable * -ErrorAction SilentlyContinue
}

Else

{
Remove-Variable * -ErrorAction SilentlyContinue
}

[/pre]

do you happen to know why removing the distribution groups for disabled users is such a pain?

Olaf · July 8, 2020, 2:55am

Do you want to remove the users or the distribution groups?

acer4605 · July 8, 2020, 4:10am

Olaf,

I want to remove the users, but the thing is when a user is leaving the company I can deal with that as long as the account is active. for the already deactivated users I’m strugling to get it to work, because I get that error message posted in the original post thrown at me

system · July 8, 2020, 6:48am

Olaf was correct. The problem with the original syntax is that Get-DistributionGroupMember returns a deserialized object which is being passed to the Remove-DistributionGroupMember’s -Identity parameter. Looking at the help for this cmdlet show you what properties you can pass to it. I have put them here: -Identity <DistributionGroupIdParameter>

The Identity parameter specifies the distribution group or mail-enabled security group that you want to modify. You can use
any value that uniquely identifies the group.

For example: * Name, * Display name, * Alias, * Distinguished name (DN), * Canonical DN, * Email address or * GUID

Required? true
Position? 1
Default value
Accept pipeline input? True
Accept wildcard characters? false

You are most likely having an issue because when the account is inactive it has been removed and it sitting in the dumpster which is retained for 30 days after the account is removed. Bigger question is the user on any sort of time based or Lithold?

acer4605 · July 8, 2020, 8:43am

Dave thanks for your answer

when I run this code it works on the active users but on the disabled users I get the below mentioned error message
[pre]

$users = import-csv c:\temp\csv\toRemove.csv

foreach($user in $users){

$email = “$($user.email)”

$mailbox = Get-Mailbox -Identity $email

$DN=$mailbox.DistinguishedName

$Filter = “Members -like “”$DN”“”

$DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

$DistributionGroupsList

ForEach ($item in $DistributionGroupsList) {
Remove-DistributionGroupMember -Identity $item.DisplayName –Member $email -Confirm:$false
}
}

[/pre]
I get the following error message
[pre]
The operation couldn’t be performed because object ‘user@mydomain.com’ couldn’t be found on
‘xxxxxx.PROD.OUTLOOK.COM’.

CategoryInfo : NotSpecified: ( [Get-Mailbox], ManagementObjectNotFoundException
FullyQualifiedErrorId : [Server=servername,RequestId=3677493e-a17d-4d93-ab7e-7567764e1a25,TimeStamp=7/8/2020 5:46:21 PM] [Fail
ureCategory=Cmdlet-ManagementObjectNotFoundException] ,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
PSComputerName : office365

[/pre]
when running this code while the user is still active I do get the distributionlists he’s member of

system · July 8, 2020, 12:12pm

Because when they are inactive they don’t have an exchange account and the mailbox is marked inactive and in the dumpster. All exchange attributes are removed unless you activate it, assign a license and move the mailbox out of the dumpster. You will want to remove them from all groups before you mark them inactive or remove them to minimize the risk of leaving objects in your gal or orphaned objects.

acer4605 · July 8, 2020, 7:33pm

Dave,

makes sence how would I manage to remove every disabled user from the distribution groups and avoiding errors?

Topic		Replies	Views
AD Accounts and DistributionGroups PowerShell Help	4	330	May 16, 2024
Distribution groups starting with the same name PowerShell Help	5	283	May 16, 2024
Remove only DL from user memberof PowerShell Help	2	186	May 16, 2024
trying to find if any disabled users have membership in a group PowerShell Help	6	178	May 16, 2024
Set-DistributionGroup Script Help! PowerShell Help	5	255	May 16, 2024

remove disabled users from distribution groups exchange online

Related topics