Help! Removing AD Group Membership for a list of AD Users

  • Question

  • I am trying to remove 100+ users' AD group memberships; I have the sAMAccountName of each in a text file. I am getting an error.


    foreach ($user in (get-content c:\users.txt))
    {
        foreach ($g in (get-aduser -identity $user -properties memberof).memberof)
        {
            remove-adgroupmember -identity $g -member $user -Confirm:$false
        }
    }

    Wednesday, February 10, 2016 7:54 PM

Answers

  • The original one worked. I don't know what the issue was...

    import-module activedirectory
    foreach ($user in (get-content c:\temp\UserIdOnlyFirstrun.txt))
    {
        foreach ($g in (get-aduser -identity $user -properties memberof).memberof)
        {
            remove-adgroupmember -identity $g -member $user -Confirm:$false
        }
    }

    • Marked as answer by M_Aijaz Thursday, February 11, 2016 3:33 PM
    Wednesday, February 10, 2016 11:13 PM

All replies

  • I have also tried this but get the pop up "pipeline position 2 box"

    import-module activedirectory
    $Users = Get-Content c:\user.txt
    foreach ($user in $Users)
    {Get-ADuser -Identity $User | Remove-ADgroupmember $User -Confirm:$false}

    Wednesday, February 10, 2016 8:05 PM
  • It might make more sense to use Set-ADUser and use -Clear memberOf, assuming you want to remove all group memberships.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, February 10, 2016 8:12 PM
    Moderator
  • Will that keep the primary group? "Domain Users"
    Wednesday, February 10, 2016 8:28 PM
  • Yes, that group is never included in memberOf. And you cannot eliminate the primary group.

    Edit: If you can remove the primary group membership, clear the primaryGroupID attribute. I never tried.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, February 10, 2016 8:39 PM
    Moderator
  • import-module activedirectory
    $Users = Get-Content c:\user.txt
    foreach ($user in $Users)
    {Set-ADuser -clear $User | Remove-ADgroupmember $User -Confirm:$false}
    Wednesday, February 10, 2016 8:43 PM
  • Actually, I was suggesting:

    import-module activedirectory
    $Users = Get-Content c:\user.txt
    ForEach ($User in $Users)
    {
        Set-ADUser -Identity $User -Clear memberOf
    }

    where each $user is the sAMAccountName of a user.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, February 10, 2016 10:42 PM
    Moderator
  • Getting Error below:

    Set-ADUser : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)
    At line:5 char:15
    +     Set-ADUser <<<<  -Identity $User -Clear memberOf
        + CategoryInfo          : NotSpecified: (User1:ADUser) [Set-ADUser], ADException
        + FullyQualifiedErrorId : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM),Microsoft.ActiveDirectory.Management.Commands.SetADUser

    Set-ADUser : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)
    At line:5 char:15
    +     Set-ADUser <<<<  -Identity $User -Clear memberOf
        + CategoryInfo          : NotSpecified: (User2:ADUser) [Set-ADUser], ADException
        + FullyQualifiedErrorId : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM),Microsoft.ActiveDirectory.Management.Commands.SetADUser

    Set-ADUser : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)
    At line:5 char:15
    +     Set-ADUser <<<<  -Identity $User -Clear memberOf
        + CategoryInfo          : NotSpecified: (User3:ADUser) [Set-ADUser], ADException
        + FullyQualifiedErrorId : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM),Microsoft.ActiveDirectory.Management.Commands.SetADUser

    Wednesday, February 10, 2016 10:56 PM
  • Argh. Sorry about the error in the script I posted. I should have known (perhaps).

    The problem, I believe, is that memberOf is a linked attribute. It is linked with the member attribute of groups. The forward link is the member attribute. The value of this attribute is saved in AD with the group object. The memberOf attribute is the back link, and its value is not saved directly in AD. Instead, a link table is used to refer to the corresponding group object. Only the link index value is saved with the user or computer object in AD.

    It is not documented anywhere I have found, and I was not aware before, but you must not be able to use the -Clear parameter with back linked attributes. The same may apply with the -Replace, -Add, and -Remove parameters. I also assume that you can use -Clear with forward linked attributes. I would need to test.

    Sorry about that. If -Clear could be used it would be much easier than having to loop through all of the memberships. But I am glad that your code now works.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, February 11, 2016 5:29 PM
    Moderator
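    A fuller version of the loop from the marked answer, added here as an example and not posted by anyone in the thread: it walks each user's memberOf back link and removes the user from each group through the forward link (the group's member attribute), which is the only route that works given the Set-ADUser -Clear error above. It assumes the RSAT ActiveDirectory module is present, that the file and log paths are placeholders to replace, and that the caller has write access to the member attribute of the groups involved.

```powershell
# Added example (not from the thread). Removes every non-primary group membership
# for each sAMAccountName listed in a text file, one Remove-ADGroupMember call per
# group, because memberOf is a back link and cannot be cleared with Set-ADUser -Clear.
# Assumptions: RSAT ActiveDirectory module installed; file and log paths are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserListPath = 'C:\temp\users.txt',          # placeholder path
    [string]$LogPath      = 'C:\temp\group-removals.csv'  # placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop

$removals = foreach ($sam in (Get-Content -Path $UserListPath | Where-Object { $_.Trim() })) {
    $sam = $sam.Trim()
    try {
        $user = Get-ADUser -Identity $sam -Properties memberOf -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }
    # The primary group (usually Domain Users) is never listed in memberOf, so it is left alone.
    foreach ($groupDn in $user.memberOf) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $sam")) {
            try {
                # Edits the group's member attribute (the forward link), which AD permits.
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                $status = 'Removed'
            }
            catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        else {
            $status = 'WhatIf'
        }
        [pscustomobject]@{
            Time   = (Get-Date).ToString('s')
            User   = $sam
            Group  = $groupDn
            Status = $status
        }
    }
}

# Keep an audit trail of every removal so the change can be reviewed or reversed.
$removals | Export-Csv -Path $LogPath -NoTypeInformation
$removals | Format-Table -AutoSize
```

    Run the script once with -WhatIf to get the CSV of intended removals before making any change.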
  • I tested in my lab and confirmed what I suspected earlier. You cannot use the -Clear, -Add, -Remove, or -Replace parameters of the AD module cmdlets with any back-linked attributes. That means attributes like memberOf or directReports. You can, however, use these parameters with forward-linked attributes, like the member attribute of groups or the manager attribute of users.

    The error I get when attempting to modify back-linked attributes with any of these PowerShell parameters is similar to below:


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, February 17, 2016 7:59 PM
    Moderator