Need to delete ALL users from ALL groups which are contained in a specific OU in my environment

    Question

  • Hello,

    I have an OU called "DGroups" in the root of my AD domain.  Inside that OU are various security groups.  What I am trying to accomplish is a PowerShell script which will parse through all the groups in that domain, and then just remove all users who are members of ANY and ALL groups in that particular OU.  I am pretty close with a 1-line script, but it doesn't seem to like me piping to Remove-ADGroupMember.  Here is what I have:

    Get-ADGroup -SearchBase "OU=DGroups,DC=mydomain,DC=com" -filter {GroupCategory -eq "Security"} | Get-ADGroupMember | Remove-ADGroupMember -WhatIf

    If I remove the last portion, it will list all users who are in the groups, but it just doesn't allow me to remove them?  Any ideas?


    Friday, July 13, 2018 8:59 PM

All replies

  • Look at the last command.  Look at the options.  What do you see?  What does it mean?  Use help on the CmdLet to learn how it works.  Simple.  It is what we learn about PowerShell in first grade.  Did you play hooky in first grade?  I bet you did.

    \_(ツ)_/

    Friday, July 13, 2018 9:04 PM
    Moderator
  • You can use the -Clear parameter of Set-ADGroup to clear the member attribute of a group. No need to enumerate the members. Pipe your Get-ADGroup statement to Set-ADGroup with -Clear member.

    Edit: This works because the member attribute is a forward linked attribute. It does not work with the corresponding back linked attribute, memberOf.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, July 13, 2018 9:07 PM
  • I don't usually do PowerShell... I'm in the "first grade", but thanks for the help
    Sunday, July 15, 2018 1:59 PM
  • Sorry to be so needy, but I am not a powershell guy and am just learning.  Would you mind altering my script to show me what it should look like to accomplish my task using the -Clear parameter?
    Sunday, July 15, 2018 2:05 PM
  • Never mind... I got it.  Thanks again!
    Sunday, July 15, 2018 2:23 PM
  • I don't usually do PowerShell... I'm in the "first grade", but thanks for the help

    Take the following tutorial.  When you finish you will be a first grade wiz kid.  You will then be eligible for early entry into the MIT computer program.


    \_(ツ)_/


    Sunday, July 15, 2018 2:43 PM
    Moderator
  • With Remove-AdGroupMember, according to the help, you can pipe in the Identity (name of the group), but not the Members.

    Sunday, July 15, 2018 7:32 PM
  • In case you still have questions, my suggestion is:

    Get-ADGroup -SearchBase "OU=DGroups,DC=mydomain,DC=com" -filter {GroupCategory -eq "Security"} | Set-ADGroup -Clear Member

    Note, this does not remove membership in the "primary" group, which should be "Domain Users". But every user must have a "primary" group.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Sunday, July 15, 2018 10:05 PM
  • In case you still have questions, my suggestion is:

    Get-ADGroup -SearchBase "OU=DGroups,DC=mydomain,DC=com" -filter {GroupCategory -eq "Security"} | Set-ADGroup -Clear Member

    Note, this does not remove membership in the "primary" group, which should be "Domain Users". But every user must have a "primary" group.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Nobody seems to have considered that the groups in question may have, as members, other groups. In other words, the membership may not consist only of users. If there's a group hierarchy then simply clearing the members is going to be messy and, unless there's very good documentation, it'll be difficult to reconstruct that hierarchy!

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Monday, July 16, 2018 1:55 AM
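
The replies above raise two points: Remove-ADGroupMember takes the group through -Identity rather than members from the pipeline, and clearing the member attribute also drops any nested groups. The script below is an added example, not code posted by any participant in the thread. It records the current direct membership to a CSV first, then removes only user objects so nested groups stay in place. The OU path is the one from the question; the CSV location and variable names are assumptions.

```powershell
# Added example: snapshot membership, then remove only user objects from
# every security group in the OU. Nested groups and other object classes stay.
Import-Module ActiveDirectory

$searchBase = 'OU=DGroups,DC=mydomain,DC=com'   # OU from the question
# Assumed backup location; point this at wherever change records are kept.
$backupCsv  = Join-Path $env:TEMP ('DGroups-members-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

$groups = Get-ADGroup -SearchBase $searchBase -Filter 'GroupCategory -eq "Security"'

# 1. Record every direct member (users, groups, computers) so the previous
#    state, including any group hierarchy, can be reconstructed later.
$snapshot = @(
    foreach ($group in $groups) {
        foreach ($member in (Get-ADGroupMember -Identity $group)) {
            [pscustomobject]@{
                GroupDN     = $group.DistinguishedName
                MemberDN    = $member.DistinguishedName
                MemberClass = $member.objectClass
                MemberSam   = $member.SamAccountName
            }
        }
    }
)
$snapshot | Export-Csv -Path $backupCsv -NoTypeInformation -Encoding UTF8

# 2. Remove only members whose object class is 'user', one call per group.
#    The group goes in -Identity and the members in -Members.
#    -WhatIf is kept from the original question; drop it to apply the change.
$snapshot |
    Where-Object { $_.MemberClass -eq 'user' } |
    Group-Object -Property GroupDN |
    ForEach-Object {
        $memberDNs = @($_.Group | ForEach-Object { $_.MemberDN })
        Remove-ADGroupMember -Identity $_.Name -Members $memberDNs -Confirm:$false -WhatIf
    }

# 3. Report what was recorded and where.
'{0} memberships recorded in {1}' -f $snapshot.Count, $backupCsv
```

Review the CSV and the -WhatIf output before removing -WhatIf. Membership can be restored from the CSV with Add-ADGroupMember using the recorded GroupDN and MemberDN values.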