How to use powershell to clear aduser's property "memberof"?

  • Question

  • Hi:

    I used the cmdlet "Set-ADUser -Identity aduser -Clear MemberOf" to clear groups.

    But it reported the following error:

    Set-ADUser : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager(SAM).

    How to resolve it?

    Thanks.

    Friday, January 19, 2018 6:49 AM

Answers

  • The -Clear parameter cannot be used with the memberOf attribute because it is a back linked attribute (the forward link is the member attribute of groups). Because of this, the memberOf value is not actually saved in the AD database with the user object. Instead, a link table is used to "lookup" the values. See this article:

    https://social.technet.microsoft.com/wiki/contents/articles/33495.powershell-ad-module-cmdlets-cannot-clear-add-remove-or-replace-back-link-attributes.aspx

    In the section "Alternatives" for -Clear, you can loop through the group memberships and remove the user from each, as suggested:

    $User = "jsmith"
    $Groups = (Get-ADUser -Identity $User -Properties memberOf).memberOf
    ForEach ($Group In $Groups)
    {
        Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$False
    }

    But you can also use the Remove-ADPrincipalGroupMembership cmdlet, as below:

    $User = "jsmith"
    $Groups = (Get-ADUser -Identity $User -Properties memberOf).memberOf
    Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $Groups -Confirm:$False


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by BOfH-666 Friday, January 19, 2018 3:08 PM
    • Marked as answer by Lja Li Tuesday, January 23, 2018 2:57 AM
    Friday, January 19, 2018 1:42 PM
    Moderator
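    As an added example (not code from the thread, the article or Microsoft), the memberOf loop from the answer wrapped into a leaver-processing function that records the memberships before removing them and honours -WhatIf. It assumes the ActiveDirectory module is loaded and the caller has write rights on the groups; the function name and backup path are made up for illustration.

```powershell
# Added example: remove a user from every group listed in its memberOf back link,
# keeping a record of the forward links first so the change can be audited or reversed.
function Remove-AllGroupMemberships {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$BackupPath = ".\$Identity-memberOf.txt"   # constructed default path
    )

    # memberOf is not returned by default, so it has to be requested explicitly.
    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID

    # The primary group (Domain Users, RID 513 by default) is stored in primaryGroupID,
    # not as a member/memberOf link, so it never appears here and cannot be removed
    # this way. Resolve it only so the record shows what was left in place.
    $domainSid    = (Get-ADDomain).DomainSID.Value
    $primaryGroup = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    # Record current memberships before touching anything (one DN per line).
    @("# primary group (kept): $($primaryGroup.DistinguishedName)") + $user.memberOf |
        Set-Content -Path $BackupPath

    foreach ($groupDN in $user.memberOf) {
        if ($PSCmdlet.ShouldProcess($groupDN, "Remove $Identity from group")) {
            # Clearing the forward link on the group is what makes the
            # memberOf back link on the user disappear.
            Remove-ADGroupMember -Identity $groupDN -Members $user -Confirm:$false
        }
    }
}

# Dry run first, then the real change.
Remove-AllGroupMemberships -Identity jsmith -WhatIf
Remove-AllGroupMemberships -Identity jsmith
```

    The backup file lists the group DNs that were removed, so each one can be restored with Add-ADGroupMember if the change has to be rolled back.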

All replies

  • Enumerate all groups and remove the user from all groups in a loop.

    Best regards,

    (79,108,97,102|%{[char]$_})-join''

    • Proposed as answer by I.T Delinquent Friday, January 19, 2018 9:04 AM
    Friday, January 19, 2018 8:55 AM
  • This should just work.

    # Splatting needs the parameter names as plain hashtable keys (no $ prefix).
    # 'ADUser' stands for the account to be processed.
    $Username = @{ Identity = 'ADUser'; MemberOf = (Get-ADPrincipalGroupMembership -Identity 'ADUser').Name }
    Remove-ADPrincipalGroupMembership @Username



    • Edited by Naw Saturday, January 20, 2018 8:31 AM
    • Proposed as answer by Naw Saturday, January 20, 2018 9:43 AM
    Friday, January 19, 2018 11:58 PM
  • Why would you think that?  Maybe you are thinking of this ...

    Remove-ADPrincipalGroupMembership  -Identity $user -MemberOf $user.MemberOf


    \_(ツ)_/

    Saturday, January 20, 2018 12:04 AM
  • This should just work.

    Remove-ADPrincipalGroupMembership "user.name"

    That wouldn't work. Remove-ADPrincipalGroupMembership has two mandatory parameters!!

    Best regards,

    (79,108,97,102|%{[char]$_})-join''

    Saturday, January 20, 2018 12:08 AM
  • This should just work.

    Remove-ADPrincipalGroupMembership "user.name"

    That wouldn't work. Remove-ADPrincipalGroupMembership has two mandatory parameters!!

    Best regards,

    (79,108,97,102|%{[char]$_})-join''


    Now how did you figure that out?  Have you been cheating and reading the documentation again?

    \_(ツ)_/

    Saturday, January 20, 2018 12:10 AM
  • Of course. I always read the documentation if I'm not familiar with some cmdlets I don't use on a regular basis. But my name is not Now.  ;-)  :-P

    Best regards,

    (79,108,97,102|%{[char]$_})-join''

    Saturday, January 20, 2018 12:14 AM
  • Been using that cmdlet since it came out. I still have my script for processing leavers. The only group it won't strip out is 'Domain Users'.
    Saturday, January 20, 2018 12:18 AM
  • Amazing.  Old school.  A believer in the written proof.

    I have read so many CmdLets so many times and I still go back hoping that I missed some nuance.

    Rethinking our knowledge is critical to evolving technically.  Unfortunately most kids coming out of high school can't read more than tweets and road signs.

    Our schools are failing. 


    \_(ツ)_/

    Saturday, January 20, 2018 12:19 AM
  • Amen to that. Sometimes I read it 3 or 4 times to assemble the German translation for my old brain. 

    Best regards,

    (79,108,97,102|%{[char]$_})-join''

    Saturday, January 20, 2018 12:29 AM
  • Fixed it :P The second line was all I remembered, I went through my script. Thanks for correcting.
    Saturday, January 20, 2018 8:38 AM