How to remove a domain user from a group in other domain?

    Question

  • Hi, I need to remove all groups from a domain user with PowerShell. The user belongs to groups in another domain in the tree. When I use "Remove-ADPrincipalGroupMembership" connected to the user's domain, it raises a referral error. When I use "Remove-ADGroupMember" connected to the group's domain, it raises that the user does not exist.

    Can anybody do this?

    Thursday, November 29, 2012 11:46 AM

Answers

  • Hello,

    Use QUEST Active Directory PowerShell; I tested it and it worked.

    Remove-QADGroupMember -Identity 'CN=group1,OU=Admins,DC=Blog,DC=Wiki,DC=Com' -Member 'Wiki\r.mueller'

    Regards

    Thursday, December 06, 2012 2:41 AM
  • Hi,

    All right Patris, thank you for your work. I think it is a bug in the cmdlet.

    • Marked as answer by Baterias Monday, December 10, 2012 7:23 AM
    Friday, December 07, 2012 7:45 AM
  • In my environment, with the PowerShell V3 cmdlet, it continues failing.

    I know this is an old thread but it doesn't look like it was completely resolved. My scenario:

    "Administrators" group in DomainB.DomainA.com had groups from DomainA.com in it. All attempts with the Remove-ADGroupMember and Remove-ADPrincipalGroupMembership cmdlets failed. This was my fix and I've verified it is working:

    # Bind to the group via a DC of the domain that holds it (the writable copy of 'member')
    $Group = Get-ADGroup -Identity "Administrators" -Server "DomainA.com"
    $GroupMembers = Get-ADGroupMember -Identity $Group
    ForEach ($Member in $GroupMembers) {
        # Filter to the members you actually want removed, e.g. by name
        If ($Member.Name -like "<insert condition here>") {
            # Edit the group's 'member' attribute directly instead of calling Remove-ADGroupMember
            Set-ADObject -Identity $Group.DistinguishedName -Remove @{member = $Member.DistinguishedName} -Server "DomainA.com"
        }
    }

    Hope this helps anyone else that's having problems. This is a known issue with the remove cmdlets. I wanted to avoid ADSI code and stick with cmdlets and this worked perfectly.
    • Proposed as answer by WeisMan87 Monday, June 23, 2014 5:18 PM
    • Edited by WeisMan87 Monday, June 23, 2014 5:24 PM
    • Marked as answer by Baterias Tuesday, July 08, 2014 11:53 AM
    Monday, June 23, 2014 5:16 PM

All replies

  • Can you please post your code here? Also please post the exact error message.

    Thanks,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Thursday, November 29, 2012 11:53 AM
  • Hi Baterias,

    I use the Quest PowerShell tools for this.

    # Quest cmdlets: read the user's memberOf and remove each membership in turn
    $user = Get-QADUser '[USERNAME]'
    foreach ($gr in ($user.MemberOf)) {
        Remove-QADGroupMember -Identity $gr -Member $user.SamAccountName
    }

    Just replace [USERNAME] with the name of your user.

    Regards

    Dan

    Thursday, November 29, 2012 12:02 PM
  • Remove-ADGroupMember -Identity "cn=MyGroup,ou=Groups,dc=MyDomain,dc=MyRoot,dc=com" -Members "cn=MyUser,ou=Staff,dc=MyRoot,dc=com" -Server "DC.MyDomain.MyRoot.com"

    Remove-ADPrincipalGroupMembership -Identity "cn=MyUser,ou=Staff,dc=MyRoot,dc=com" -MemberOf "cn=MyGroup,ou=Groups,dc=MyDomain,dc=MyRoot,dc=com" -Server "DC.MyRoot.com"

    Both failed.

    • Edited by Baterias Thursday, November 29, 2012 12:04 PM
    Thursday, November 29, 2012 12:04 PM
  • Quest tools work very well, but we don't use external tools in production servers. Thanks.
    Thursday, November 29, 2012 12:08 PM
  • Try this ,

    Remove-ADGroupMember -Identity "cn=MyGroup,ou=Groups,dc=MyDomain,dc=MyRoot,dc=com" -Members "cn=MyUser,ou=Staff,dc=MyRoot,dc=com" -Partition "DC=xxxx,DC=yyyy,DC=com"

    -Partition is used to identify the DN of a user account.

    As I can see in your question the user account exists in some other child domain.

    Thanks,

    _Prashant_



    Thursday, November 29, 2012 12:09 PM
    • Proposed as answer by pbbergsMVP Thursday, November 29, 2012 1:00 PM
    Thursday, November 29, 2012 12:10 PM
  • The -Partition parameter only supports these values:

      * Group domain

      * Configuration

      * Schema

      * ForestDNSZones

      * DomainDNSZones

    These values don't work. The user's domain value is not supported.

    Thanks.

    Thursday, November 29, 2012 12:25 PM
  • Did you give a try at it?

    As per my understanding, the user account exists in another domain and you are running your script in a different domain.

    Since the Default Domain Context is different for each domain, you are facing this issue because of that.

    Thanks,

    _Prashant_



    Thursday, November 29, 2012 12:54 PM
  • I am connected to domain A. I try to remove a user from domain B from a group in domain A.

    Now, I will try with this: http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx

    Thursday, November 29, 2012 1:00 PM
  • It does not work in my environment. I'm working on it. I will tell you.
    Thursday, November 29, 2012 1:12 PM
  • For removing users it seems it doesn't work. In my environment it fails. This is my code:

    $probeta = get-aduser "probeta" -server ServerDomainB
    $Grupo = get-adgroup "Grouper" -server ServerDomainA
    Remove-ADGroupMember $Grupo -Members $probeta -server ServerDomainA


    Result: Remove-ADGroupMember :Specied account name does not belongs to group.

    Thursday, November 29, 2012 1:43 PM
  • If you are looking for assistance with scripting, PowerShell forum is good source to ask:
    http://social.technet.microsoft.com/Forums/en/winserverpowershell/threads


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Thursday, November 29, 2012 7:11 PM
  • Hello,

    For me it worked fine. Also, I have 2x forests, Contoso.com and Wiki.com. User r.mueller from Contoso.com is a member of the Test group in Wiki.com.

    $User=Get-ADUser "r.mueller" -server "DC.Contoso.com"
    $Group=Get-ADGroup "Test" -server "DC2008R2.wiki.com"
    Remove-ADGroupMember $Group -Members $user -server "DC2008R2.wiki.com"

    Regards

    Friday, November 30, 2012 1:20 PM
  • I have two domains in the same forest, parent and child. I will try again. Thanks.
    Friday, November 30, 2012 1:22 PM
  • Hi,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Monday, December 03, 2012 4:24 AM
  • Here is my test:

    Pusc.rpso.usc.es is a domain controller in parent domain.

    comte.rpso.usc.es is a domain controller in child domain.

    Add-Groupmember works fine.

    remove-ADGroupmember fails for the same user.

    Monday, December 03, 2012 8:36 AM
  • Here is my test:

    Pusc.rpso.usc.es is a domain controller in parent domain.

    comte.rpso.usc.es is a domain controller in child domain.

    Add-Groupmember works fine.

    remove-ADGroupmember fails for the same user.

    Hello,

    Are you sure Pusc.rpso.usc.es & comte.rpso.usc.es are not DCs in the same domain?

    You wrote about parent and child domains, but both DCs are in rpso.usc.es.

    Regards


    • Edited by Patris_70 Monday, December 03, 2012 12:23 PM
    Monday, December 03, 2012 12:03 PM
  • Yes, it is all right. We have a disjoint namespace (http://technet.microsoft.com/en-us/library/cc731125%28WS.10%29.aspx). Domain controllers have a similar FQDN but are in different Active Directory domains.

    Thanks.

    Monday, December 03, 2012 12:19 PM
  • Hello,

    Please run this PowerShell command and write here output:

    Get-ADGroup "testgroup" -Server "comte.rpso.usc.es"

    Regards

    Monday, December 03, 2012 1:01 PM
  • Here it is:

    PS C:\Windows> Get-ADGroup "testgroup" -Server "comte.rpso.usc.es"


    DistinguishedName : CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es
    GroupCategory     : Security
    GroupScope        : Universal
    Name              : TestGroup
    ObjectClass       : group
    ObjectGUID        : 62b170f3-19ee-4dd0-a2e2-d1a7e49c7a85
    SamAccountName    : TestGroup
    SID               : S-1-5-21-1883471393-1495760609-619646970-154498

    Monday, December 03, 2012 1:39 PM
  • Now Try this:

    $User=Get-ADUser "probeta" -Server "Pusc.rpso.usc.es"

    $Group=Get-ADGroup "testgroup" -Server "comte.rai.usc.es"

    Remove-ADGroupMember $Group -Members $User -Server "comte.rai.usc.es"


    Regards

    Monday, December 03, 2012 2:23 PM
  • It is exactly what I did in my test.
    Monday, December 03, 2012 7:42 PM
  • Hello,

    No, you used comte.rpso.usc.es but in my command is comte.rai.usc.es.

    Regards

    Tuesday, December 04, 2012 7:28 AM
  • It seems the same thing, but I'll try it. Thanks again.
    Tuesday, December 04, 2012 9:52 AM
  • Hi, it fails too:


    • Edited by Baterias Tuesday, December 04, 2012 11:53 AM
    Tuesday, December 04, 2012 11:52 AM
  • Hello,

    Are you Domain Admin or Enterprise Admin or have you delegation permission?

    Regards

    Tuesday, December 04, 2012 9:09 PM
  • Hello,

    I'm Enterprise Admin. With ADSI instead of the Active Directory cmdlets, it works fine:

    $Group = [ADSI] "LDAP://rai.usc.es/CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es"
    $Group.remove("LDAP://usc.es/CN=Probeta,OU=Traballo,DC=usc,DC=es")

    Thanks.

    Wednesday, December 05, 2012 8:12 AM
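    As an added example that is not part of the thread, the two approaches that worked for the posters (editing the group's member attribute with Set-ADObject, as in the marked answer, and the [ADSI] IADsGroup::Remove call in the post just above) packaged as reusable functions with a membership check before the write and a verification read after it. Function names, parameter names and the DNs in the usage lines are assumptions of mine; it needs the ActiveDirectory module on a domain-joined Windows host.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Function and parameter names are mine;
# the DNs in the usage line at the bottom are constructed placeholders.

function Get-DomainFromDN {
    # "CN=x,OU=y,DC=child,DC=example,DC=com" -> "child.example.com". We need the DNS name
    # of the domain that holds the GROUP, because only its DCs hold the writable 'member'.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = $DistinguishedName -split ',' | Where-Object { $_ -match '^\s*DC=' }
    ($dcParts | ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }) -join '.'
}

function Remove-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        # For a member in another domain of the SAME forest this is the object's real DN.
        # For a member from a trusted forest it is the foreignSecurityPrincipal DN instead.
        [Parameter(Mandatory)][string]$MemberDN,
        # DC or domain to write to; defaults to the domain derived from the group's DN.
        [string]$Server
    )
    if (-not $Server) { $Server = Get-DomainFromDN -DistinguishedName $GroupDN }

    # Read 'member' from the group's own domain and compare DNs as text (case-insensitive);
    # this sidesteps the cross-domain lookup that Remove-ADGroupMember trips over.
    $group = Get-ADObject -Identity $GroupDN -Properties member -Server $Server
    if (@($group.member) -notcontains $MemberDN) {
        Write-Verbose "$MemberDN is not a direct member of $GroupDN (checked on $Server)."
        return $false
    }
    # -WhatIf / -Confirm are honoured here; under -WhatIf nothing is written and we return $false
    if (-not $PSCmdlet.ShouldProcess($GroupDN, "Remove member $MemberDN")) { return $false }
    Set-ADObject -Identity $GroupDN -Remove @{ member = $MemberDN } -Server $Server

    # Re-read and confirm the write took effect; the boolean is what a change record wants.
    $after = Get-ADObject -Identity $GroupDN -Properties member -Server $Server
    return (@($after.member) -notcontains $MemberDN)
}

function Remove-CrossDomainGroupMemberAdsi {
    # The same operation through the [ADSI] accelerator, as in the post above: bind to the
    # group in the group's domain and pass the member's LDAP path in the member's domain.
    param([Parameter(Mandatory)][string]$GroupDN, [Parameter(Mandatory)][string]$MemberDN)
    $groupDomain  = Get-DomainFromDN -DistinguishedName $GroupDN
    $memberDomain = Get-DomainFromDN -DistinguishedName $MemberDN
    $group = [ADSI]"LDAP://$groupDomain/$GroupDN"
    $group.Remove("LDAP://$memberDomain/$MemberDN")
}

# Constructed usage: a user in the forest root removed from a group in a child domain.
# -WhatIf shows the intended write without touching the directory; drop it to apply.
Remove-CrossDomainGroupMember -GroupDN  'CN=TestGroup,OU=Groups,DC=child,DC=example,DC=com' `
                              -MemberDN 'CN=Probeta,OU=Staff,DC=example,DC=com' -WhatIf -Verbose
```

    Two points worth keeping in mind when running this. First, the check and the verification both read the group's member attribute rather than the user's memberOf: memberOf on a user object, read from a DC of the user's own domain, does not list global or domain-local groups from other domains (only a global catalog shows universal groups from elsewhere), so it is the wrong place to look for the memberships the original question is about. Second, the function returns a boolean from the re-read after the write, so a run that reports success has actually confirmed the membership is gone on the DC that was written to.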
  • Hello,

    Please try with:

    $User=Get-ADObject "CN=Probeta,OU=Traballo,DC=usc,DC=es" -Server "Pusc.rpso.usc.es:3268"
    $Group=Get-ADObject "CN=TestGroup,OU=Traballo,DC=rai,DC=usc,DC=es" -Server "comte.rai.usc.es:3268"
    Remove-ADGroupMember $Group -Members $User -Server "comte.rai.usc.es:3268"

    Regards

    Wednesday, December 05, 2012 9:28 AM
  • Sorry, it fails again. Strangely enough, Add-Groupmember works fine.

    Thanks.

    Wednesday, December 05, 2012 10:58 AM
  • Hello,

    You're absolutely right, I created a child domain and tested, and got the same error!!!

    But it worked fine with 2x forests!!!, and in this link, he used ADSI too.

    Remove a user in domainA from a group in domainB

    Regards

    Wednesday, December 05, 2012 10:07 PM
  • This has been fixed in the PowerShell V3 cmdlet for Remove-ADGroupMember

    Example: Remove-ADGroupMember -Identity GroupName -Member $User

    Where $User is defined earlier as the user

    $User = Get-Aduser Username  -Server DCNAMEWHEREUSEREXISTS

    Tuesday, August 06, 2013 7:38 AM
  • In my environment, with the PowerShell V3 cmdlet, it continues failing.
    • Edited by Baterias Thursday, October 03, 2013 11:53 AM poor english
    Thursday, October 03, 2013 11:51 AM
  • It's OK WeisMan87. Set-ADObject works fine removing a member from another domain. Thanks.
    Tuesday, July 08, 2014 11:53 AM