Author Posts

December 9, 2016 at 4:55 pm


I have an AD User, Person2 with some memberships such as Domain Users, IntranetAccess, 5005 Email, 5005 Security

How would I remove all memeberships except Domain users and Intranet Access?

I found the solution earlier months ago, but now I can't find it.

I know you can use

Remove-ADGroupMember -Identity "5005 Email" -Members person2

to just remove 5005 email



December 9, 2016 at 5:31 pm

This will be a lot of effort for one user, I assume this is an example for a larger project.

#Create an array of the DNs of the groups to keep

$keep = @(
  'CN=Domain Users,CN=Users,DC=test,DC=com',   #probably not necessary, primary group usually handled separately

#get user's groups DNs

$user = 'Fred Smith'
$grps = get-aduser $user -properties memberof | select -expand memberof

#remove all except $keep

$grps | %{$keep -notcontains $_} | Remove-ADGroupmember $user -whatif

Remove -whatif once tested

December 9, 2016 at 6:05 pm

Thank you,

I saw something along the lines of this a few weeks ago also, I know this doesn't work, but it looked something like this:

suppose to: Gets the groupmembership of person2, and removes everything except Domain Users

(Get-ADPrincipalGroupMembership -Identity person2).name | Remove-ADGroupMember where{$_.(Get-ADPrincipalGroupMembership -Identity person) -ne "Domain Users"}

December 9, 2016 at 6:23 pm

I'm not sure if I'm thinking this correctly, but since I can do

Remove-ADGroupMember -Identity "5005 Email" -Members person2

to remove that permission , is there a way to add

where{$ -ne "Domain users"}

so that it removes all groups except Domain Users?

December 9, 2016 at 6:41 pm

With AD groups, its important to understand how the data is stored. Groups are not stored in the user object, it's a calculated field. Members are stored in the group object. So its not a matter of removing groups from a user, you have to remove the user from each group he is in.

December 9, 2016 at 6:51 pm

Thank you Ron,

I understand you remove a user from the group, and not vice versa.

That's what I'm trying to figure out. I saw an example earlier, but I can't find the link.

December 9, 2016 at 7:09 pm

You could do it that way for a single group, but you would have to compare the DN, not the CN. When you retrieve a user's group memberships, all you get is an array of DNs. You can then filter that list to remove the group(s) you want to keep and pipe it to remove-adgroupmember. But you'll need to use the full DN(s) in your filter.

Try This:

(get-aduser person2 -properties memberof).memberof

You should see 2 things. The data returned is just a list(array) of DNs. The Primary Group, Domains Users, is not listed.

So, assuming you want to remove all groups except the Primary group:

(get-aduser person2 -properties memberof).memberof|remove-adgroupmember person2

December 9, 2016 at 7:36 pm

(get-aduser person2 -properties memberof).memberof|remove-adgroupmember person2

When I do that, it's asking for Members[0]:

December 9, 2016 at 8:41 pm


(get-aduser person2 -properties memberof).memberof|remove-adgroupmember -member person2