How to remove a domain user from a group in other domain?

Ask a question

Thursday, November 29, 2012 11:46 AM

0
Hi, I need to remove all groups from a domain user with powershell. The user belongs to groups in other domain in the tree. When I use "Remove-ADPrincipalGroupMembership" connected to user domain, it raises a referreal error. When I use "Remove-ADGroupMember" connected to group domain, it raises than user does not exist.

Anybody can do this?
- Moved by Arthur_LiMicrosoft Contingent Staff, Moderator Friday, November 30, 2012 4:56 AM (From:Directory Services)
- Reply
- Quote

All Replies

Thursday, November 29, 2012 11:45 AM

0
Hi, I need to remove all groups from a domain user with powershell. The user belongs to groups in other domain in the tree. When I use "Remove-ADPrincipalGroupMembership" connected to user domain, it raises a referreal error. When I use "Remove-ADGroupMember" connected to group domain, it raises than user does not exist.

Anybody can do this?
- Merged by Yan Li_Microsoft Contingent Staff, Moderator Monday, December 03, 2012 5:53 AM
- Reply
- Quote
Thursday, November 29, 2012 11:53 AM

0
Can you please post your Code here? ALos please post the exact error message.

Thanks,

_Prashant_

MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Edited by Prashant Girennavar Thursday, November 29, 2012 11:55 AM
- Reply
- Quote
Thursday, November 29, 2012 12:02 PM

0
Hi Baterias,

I use for this the quest Powershell tools.
```
$user = Get-QADUser '[USERNAME]'
foreach ($gr in ($user.MemberOf)){
 Remove-QADGroupMember -Identity $gr -Member $user.SamAccountName
}
```
Just replace [username] with the name of your users

Regards

Dan
- Reply
- Quote
Thursday, November 29, 2012 12:04 PM

0
Remove-ADGroupMember -Identity "cn=MyGroup,ou=Groups,dc=MyDomain,MyRoot,dc=com" -Members "cn=MyUser,ou=Staff,dc=MyRoot,dc=com" -server "DC.MyDomain.MyRoot.com"

Remove-ADPrincipalGroupMembership -Identity "cn=MyUser,ou=Staff,dc=MyRoot,dc=com" -MemberOf "cn=MyGroup,ou=Groups,dc=MyDomain,MyRoot,dc=com" -server "DC.MyRoot.com"

Both failed.
- Edited by Baterias Thursday, November 29, 2012 12:04 PM
- Reply
- Quote
Thursday, November 29, 2012 12:08 PM

0

Quest tools work very well, but we don't use external tools in production servers. Thanks.
- Reply
- Quote
Thursday, November 29, 2012 12:09 PM

0
Try this ,
```
Remove-ADGroupMember -Identity "cn=MyGroup,ou=Groups,dc=MyDomain,MyRoot,dc=com" -Members "cn=MyUser,ou=Staff,dc=MyRoot,dc=com" -Partition "DC=xxxx,DC=yyyy,DC=com"
```
-Partition is used to identify the DN of a user account.

As I can see in your question the user account exists in some other child domain.

Thanks,

_Prashant_

MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Reply
- Quote
Thursday, November 29, 2012 12:10 PM

0
Hello,

Please read this link:

Adding/removing members from another forest or domain to groups in Active Directory (Active Directory Powershell Blog)

Regards
- Proposed As Answer by pbbergsMVP Thursday, November 29, 2012 1:00 PM
- Reply
- Quote
Thursday, November 29, 2012 12:25 PM

0

-Partition parameter only support this values:

* Group domain

* Configuration

* Schema

* ForestDNSZones

* DomainDNSZones

This values don't work. The user's domain value is not supported.

Thanks.
- Reply
- Quote
Thursday, November 29, 2012 12:54 PM

0

Did you give a try at it?

As per my understanding , User account exists in other domain and you are running your script on other domain.

Since Default Domain Context is differnet for different domain , you are facing this issue because of that.

Thanks,

_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Reply
- Quote
Thursday, November 29, 2012 1:00 PM

0

I am connect to domain A. I try to remove an user from domain B in a group in domain A.

Now, I will try with this: http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx
- Reply
- Quote
Thursday, November 29, 2012 1:12 PM

0

It does not work in my environment. I'm working on it. I will tell you.
- Reply
- Quote
Thursday, November 29, 2012 1:43 PM

0

For removing users it seems does'nt work. In my environment it fails. This is my code:

$probeta = get-aduser "probeta" -server ServerDomainB
$Grupo = get-adgroup "Grouper" -server ServerDomainA
Remove-ADGroupMember $Grupo -Members $probeta -server ServerDomainA

Result: Remove-ADGroupMember :Specied account name does not belongs to group.
- Reply
- Quote
Thursday, November 29, 2012 1:44 PM

0

For removing users it seems does'nt work. In my environment it fails. This is my code:

$probeta = get-aduser "probeta" -server ServerDomainB
$Grupo = get-adgroup "Grouper" -server ServerDomainA
Remove-ADGroupMember $Grupo -Members $probeta -server ServerDomainA

Result: Remove-ADGroupMember :Specied account name does not belongs to group.
- Reply
- Quote
Thursday, November 29, 2012 7:11 PM

0
If you are looking for assistance with scripting, PowerShell forum is good source to ask:
http://social.technet.microsoft.com/Forums/en/winserverpowershell/threads

Best Regards,

Sandesh Dubey.

MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Edited by Sandesh DubeyMicrosoft Community Contributor Thursday, November 29, 2012 7:12 PM
- Reply
- Quote
Friday, November 30, 2012 1:20 PM

0
Hello,

For me worked fine. Also I have 2x Forest, Contoso.com and Wiki.com. User r.mueller from Contoso.com is member of Test group in Wiki.com
```
$User=Get-ADUser "r.mueller" -server "DC.Contoso.com"
$Group=Get-ADGroup "Test" -server "DC2008R2.wiki.com"
Remove-ADGroupMember $Group -Members $user -server "DC2008R2.wiki.com"
```
Regards
- Reply
- Quote
Friday, November 30, 2012 1:22 PM

0

I have two domains in the same forest, parent and child. I will try again. Thanks.
- Reply
- Quote
Monday, December 03, 2012 4:24 AM

Moderator

0

Hi,

I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

Regards,

Arthur Li

TechNet Subscriber Support

If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li

TechNet Community Support
- Reply
- Quote
Monday, December 03, 2012 8:36 AM

0

Here is my test:

Pusc.rpso.usc.es is a domain controller in parent domain.

comte.rpso.usc.es is a domain controller in child domain.

Add-Groupmember works fine.

remove-ADGroupmember fails for the same user.
- Reply
- Quote
Monday, December 03, 2012 12:03 PM

0
Here is my test:

Pusc.rpso.usc.es is a domain controller in parent domain.

comte.rpso.usc.es is a domain controller in child domain.

Add-Groupmember works fine.

remove-ADGroupmember fails for the same user.

Hello,

Are you sure Pusc.rpso.usc.es & comte.rpso.usc.es not DCs in same domain?

You wrote about parent and child domain but for both DCs are rpso.usc.es.

Regards
- Edited by Patris_70 Monday, December 03, 2012 12:23 PM
- Reply
- Quote
Monday, December 03, 2012 12:19 PM

0

Yes, it is all right. We have a disjoint namespace (http://technet.microsoft.com/en-us/library/cc731125%28WS.10%29.aspx). Domain controllers have a similar FQDN but are in different Active Directory domains.

Thanks.
- Reply
- Quote
Monday, December 03, 2012 1:01 PM

0
Hello,

Please run this PowerShell command and write here output:
```
Get-ADGroup "testgroup" -Server "comte.rpso.usc.es"
```
Regards
- Reply
- Quote
Monday, December 03, 2012 1:39 PM

0

Here it is:

PS C:\Windows> Get-ADGroup "testgroup" -Server "comte.rpso.usc.es"

DistinguishedName : CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es
GroupCategory     : Security
GroupScope        : Universal
Name              : TestGroup
ObjectClass       : group
ObjectGUID        : 62b170f3-19ee-4dd0-a2e2-d1a7e49c7a85
SamAccountName    : TestGroup
SID               : S-1-5-21-1883471393-1495760609-619646970-154498

PS C:\Windows> Get-ADGroup "testgroup" -Server "comte.rpso.usc.es"

DistinguishedName : CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es
GroupCategory     : Security
GroupScope        : Universal
Name              : TestGroup
ObjectClass       : group
ObjectGUID        : 62b170f3-19ee-4dd0-a2e2-d1a7e49c7a85
SamAccountName    : TestGroup
SID               : S-1-5-21-1883471393-1495760609-619646970-154498
- Reply
- Quote

Monday, December 03, 2012 2:23 PM

Now Try this:

$User=Get-ADUser "probeta" -Server "Pusc.rpso.usc.es "

$Group=Get-ADGroup "testgroup" -Server "comte.rai.usc.es"

Remove-ADGroupMember $Group -Members $User -Server "comte.rai.usc.es"

Regards

Monday, December 03, 2012 7:42 PM

0

It is exactly what I did in my test.
- Reply
- Quote
Tuesday, December 04, 2012 7:28 AM

0

Hello,

No, you used comte.rpso.usc.es but in my command is comte.rai.usc.es.

Regards
- Reply
- Quote
Tuesday, December 04, 2012 9:52 AM

0

It seems the same thing, bu I'll try it. Thanks again.
- Reply
- Quote
Tuesday, December 04, 2012 11:52 AM

0
Hi, it fails too:
- Edited by Baterias Tuesday, December 04, 2012 11:53 AM
- Reply
- Quote
Tuesday, December 04, 2012 9:09 PM

0

Hello,

Are you Domain Admin or Enterprise Admin or have you delegation permission?

Regards
- Reply
- Quote
Wednesday, December 05, 2012 8:12 AM

0

Hello,

I'm Enterprise Admin. With ADSI instead of Active Directory commandlets, it works fine:

$Group = [ADSI] "LDAP://rai.usc.es/CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es"
$Group.remove("LDAP://usc.es/CN=Probeta,OU=Traballo,DC=usc,DC=es")

Thanks.
- Reply
- Quote

Wednesday, December 05, 2012 9:28 AM

Hello,

Please try with:

$User=Get-ADObject "CN=Probeta,OU=Traballo,DC=usc,DC=es" -Server "Pusc.rpso.usc.es:3268"
$Group=Get-ADObject "CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es" -Server "comte.rai.usc.es:3268"
Remove-ADGroupMember $Group -Members $User -Server "comte.rai.usc.es:3268"

Regards

Wednesday, December 05, 2012 10:58 AM

0

Sorry, it fails again. Strangely enough Add-Groupmember works fine.

Thanks.
- Reply
- Quote
Wednesday, December 05, 2012 10:07 PM

0

Hello,

You're absolutely right, I created a Child domain and tested and same error!!!

But worked fine with 2x Forest!!!, and in this link, he used ADSI too.

Remove a user in domainA from a group in domainB

Regards
- Reply
- Quote
Thursday, December 06, 2012 2:41 AM

0
Hello,

Use QUEST Active Directory PowerShell, I tested and worked.
```
Remove-QADGroupMember -Identity 'CN=group1,OU=Admins,DC=Blog,DC=Wiki,DC=Com' -Member 'Wiki\r.mueller'
```
Regards
- Marked As Answer by Arthur_LiMicrosoft Contingent Staff, Moderator Sunday, December 09, 2012 12:48 PM
- Reply
- Quote
Friday, December 07, 2012 7:45 AM

0
Hi,

All right Patris, thank you for your job. I think it is a bug in commandlet.
- Marked As Answer by Baterias Monday, December 10, 2012 7:23 AM
- Reply
- Quote

How to remove a domain user from a group in other domain?

All Replies

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support by product

Other support links

Not an IT pro?