Get-ADuser | Remove-ADUser not deleting users

This topic contains 7 replies, has 2 voices, and was last updated by  Norm Long 2 months ago.

  • #96552

    Norm Long
    Participant

    Good morning!
    Attempting to delete AD accounts via the following script:
    foreach ($user in get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out) {
      Get-ADUser -Filter {Name -eq "$user"} -SearchBase "OU=ServiceAccts,DC=cheri,DC=org" | Remove-ADUser
      "Removing $user" | Out-file -FilePath d:\powershell_temp\remove_invalid_sql_svc_accts.txt -Append
    }

    I run the script, but the accounts are not deleted.

    Here are the contents of the file:
    svcSQLStg400Agent
    svcSQLStg400DBEng
    svcSQLStg400Int
    svcSQLStg450Agent
    svcSQLStg450DBENg
    svcSQLStg450SSRS
    svcSQLStg450SSRSAgent
    svcSQLStg450SSRSEng

    Thank you in advance

    Norm

  • #96554

    Don Jones
    Keymaster

    I'd start by just running the Get-ADUser part. Is it returning users? Because if that's not working, then the Remove won't work, either.

    For example, "Get-ADUser -Filter {Name -eq "$user"}" seems odd to me. I'm wondering why you wouldn't just use "Get-ADUser -Identity $user" instead.

  • #96567

    Norm Long
    Participant

    Hello Don;
    Thank you for your response. Perhaps I'm not following you; here is what I get:
    $list = Get-Content d:\powershell_temp\svcfwsqlstg_accounts_bad.out
    echo $list
    svcFWSQLStg400Agent
    svcFWSQLStg400DBEng
    svcFWSQLStg400Int
    svcFWSQLStg450Agent
    svcFWSQLStg450DBENg
    svcFWSQLStg450SSRS
    svcFWSQLStg450SSRSAgent
    svcFWSQLStg450SSRSEng

    Get-Aduser -Identity $list
    Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified method is not supported.
    At line:1 char:22
    + Get-Aduser -Identity $list
    + ~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    Thanks for the help
    Norm

  • #96569

    Don Jones
    Keymaster

    Sure, but that's not what I suggested :). You gave -Identity an array. So, just re-using your original code:

    foreach ($user in (get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out)) {
      Get-ADUser -Identity $user
    }
    

    Is what I was asking.

  • #96570

    Norm Long
    Participant

    Hello Don;
    Had a senior moment and forgot the foreach loop. Still having a small, shall we say, opportunity: Get-Aduser : Cannot find an object with identity: 'svcFWSQLStg450SSRSAgent' under: 'DC=cheri,DC=org'. This svc account is in AD; I double-checked.

    Norm

  • #96576

    Norm Long
    Participant

    Hello Don;

    Please note the following. I do not understand why Get-ADUser does not work for svcFWSQLStg450SSRSAgent. It does work when I do the following: Get-ADUser -Filter {Name -eq 'svcFWSQLStg450SSRSAgent' } -SearchBase "OU=ServiceAccts,DC=cheri,DC=org". This is why I was trying to use Remove-ADUser -Filter {Name -eq "$user"} -SearchBase "OU=ServiceAccts,DC=wvus,DC=org". It didn't seem I had any other options.

    Here is the output:

    $ foreach ($user in (get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out )) {
    Get-Aduser -Identity $user -Properties DistinguishedName | Select-Object -ExpandProperty DistinguishedName
    #"Removing $user"
    }
    CN=svcFWSQLStg400Agent,OU=ServiceAccts,DC=cheri,DC=org
    CN=svcFWSQLStg400DBEng,OU=ServiceAccts,DC=cheri,DC=org
    CN=svcFWSQLStg400Int,OU=ServiceAccts,DC=cheri,DC=org
    CN=svcFWSQLStg450Agent,OU=ServiceAccts,DC=cheri,DC=org
    CN=svcFWSQLStg450DBENg,OU=ServiceAccts,DC=cheri,DC=org
    CN=svcFWSQLStg450SSRS,OU=ServiceAccts,DC=cheri,DC=org
    Get-Aduser : Cannot find an object with identity: 'svcFWSQLStg450SSRSAgent' under: 'DC=cheri,DC=org'.
    At line:2 char:1
    + Get-Aduser -Identity $user -Properties DistinguishedName | Select-Obj ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (svcFWSQLStg450SSRSAgent:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    Get-Aduser : Cannot find an object with identity: 'svcFWSQLStg450SSRSEng' under: 'DC=cheri,DC=org'.
    At line:2 char:1
    + Get-Aduser -Identity $user -Properties DistinguishedName | Select-Obj ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (svcFWSQLStg450SSRSEng:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    [1:03 PM]ndl@FWTS012:Powershell_Test $ Get-ADUser -Filter {Name -eq 'svcFWSQLStg450SSRSAgent' } -SearchBase “OU=ServiceAccts,DC=cheri,DC=org”

    DistinguishedName : CN=svcFWSQLStg450SSRSAgent,OU=ServiceAccts,DC=cheri,DC=org
    Enabled : True
    GivenName :
    Name : svcFWSQLStg450SSRSAgent
    ObjectClass : user
    ObjectGUID : b5013a82-daf5-4926-bd27-d5eba4d2a2b2
    SamAccountName : svcFWSQLStg450SSRSAg
    SID : S-1-5-21-2000478354-1229272821-682003330-40899
    Surname :
    UserPrincipalName : svcFWSQLStg450SSRSAgent@cheri.org

    [1:06 PM]ndl@FWTS012:Powershell_Test $ Get-ADUser -Identity svcFWSQLStg450SSRSAgent
    Get-ADUser : Cannot find an object with identity: 'svcFWSQLStg450SSRSAgent' under: 'DC=cheri,DC=org'.
    At line:1 char:1
    + Get-ADUser -Identity svcFWSQLStg450SSRSAgent
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (svcFWSQLStg450SSRSAgent:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Mi

    Thank you for your help!

    Norm

  • #96578

    Don Jones
    Keymaster

    I'd manually look up that user and find out why. The -Identity parameter should run against:

    A distinguished name
    A GUID (objectGUID)
    A security identifier (objectSid)
    A SAM account name (sAMAccountName)

    So check those properties of the user(s) not working. For example, I note that the samAccountName isn't what you listed, it's "svcFWSQLStg450SSRSAg". The Name property isn't in the list of things searched by -Identity. So the "account name" is "svcFWSQLStg450SSRSAg".

    But, it looks like this:

    foreach ($user in (get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out)) {
      Get-ADUser -Identity $user | Remove-ADUser -WhatIf
    }
    

    Should list the users it's willing to remove. Delete "-WhatIf" and it should remove them.

  • #96587

    Norm Long
    Participant

    Hello Don;
    Great catch!! Yes indeed, for some of the failing AD entries the SamAccountName was different than the AD Name and DN. Since Get-ADUser -Identity goes after the SamAccountName and my input files contained the Name value, hence the problem. Modified my input files and all is well.

    Thanks again!!

    Norm
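
Added example (not part of the thread and not code from either poster): a dry-run-first version of the removal loop that resolves each input line by Name or sAMAccountName inside the thread's OU, skips anything that does not resolve to exactly one account, and logs the actual outcome rather than an unconditional "Removing" line. The paths and OU are the ones quoted in the thread; the `$DryRun` variable, the `Write-Log` helper and the allowlist pattern are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Paths and OU are the ones quoted in the thread; $DryRun,
# Write-Log and the allowlist pattern are assumptions made for this example.
$InputFile  = 'd:\powershell_temp\svcfwsqlstg_accounts_bad.out'
$LogFile    = 'd:\powershell_temp\remove_invalid_sql_svc_accts.txt'
$SearchBase = 'OU=ServiceAccts,DC=cheri,DC=org'
$DryRun     = $true   # set to $false only after reviewing the dry-run log

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

foreach ($line in Get-Content -Path $InputFile) {
    $name = $line.Trim()
    if (-not $name) { continue }

    # The value is interpolated into a filter string, so accept only plain
    # account-name characters and log anything else instead of querying.
    if ($name -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Log "SKIPPED '$name': unexpected characters"
        continue
    }

    # -Identity matches DN, GUID, SID or sAMAccountName, not Name. User
    # sAMAccountName values are capped at 20 characters, so a long Name can
    # differ from it; query both attributes inside the intended OU.
    $filter = "Name -eq '$name' -or SamAccountName -eq '$name'"
    $found  = @(Get-ADUser -Filter $filter -SearchBase $SearchBase)

    # Delete only on an unambiguous match; zero or several hits are logged.
    if ($found.Count -ne 1) {
        Write-Log "SKIPPED '$name': $($found.Count) matching accounts"
        continue
    }

    $account = $found[0]
    $detail  = "$($account.DistinguishedName) (sAMAccountName=$($account.SamAccountName))"
    try {
        # -WhatIf wins while $DryRun is true; -Confirm:$false avoids a prompt
        # whose refusal would otherwise be logged as a removal.
        $account | Remove-ADUser -WhatIf:$DryRun -Confirm:$false -ErrorAction Stop
        $verb = if ($DryRun) { 'WOULD REMOVE' } else { 'REMOVED' }
        Write-Log "$verb '$name' -> $detail"
    } catch {
        Write-Log "FAILED '$name' -> ${detail}: $($_.Exception.Message)"
    }
}
```

The log then shows, per input line, which directory object was selected and by which attributes, so a Name/sAMAccountName mismatch like the one in this thread appears as a logged line instead of a silent no-op.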
