Remove ADGroupMember except domain users and others

This topic contains 8 replies, has 2 voices, and was last updated by Ron 5 months, 2 weeks ago.

  • #59914
    Tony Antony
    Participant

    Hello,

    I have an AD User, Person2 with some memberships such as Domain Users, IntranetAccess, 5005 Email, 5005 Security

    How would I remove all memberships except Domain Users and IntranetAccess?

    I found the solution earlier months ago, but now I can't find it.

    I know you can use

    Remove-ADGroupMember -Identity "5005 Email" -Members person2

    to remove just 5005 Email.

    Thanks,

    Tony

  • #59916
    Ron
    Participant

    This will be a lot of effort for one user, I assume this is an example for a larger project.

    #Create an array of the DNs of the groups to keep
    #(memberOf holds DNs, so the comparison has to be on DNs, not on names)

    $keep = @(
      'CN=Domain Users,CN=Users,DC=test,DC=com',   #probably not necessary, primary group usually handled separately (it is not listed in memberOf)
      'CN=IntranetAccess,CN=Groups,DC=test,DC=com')

    #get user's group DNs
    #(-Identity takes a sAMAccountName, DN, GUID or SID, not a display name)

    $user = 'person2'
    $grps = Get-ADUser $user -Properties memberOf | Select-Object -ExpandProperty memberOf

    #remove all except $keep
    #filter with Where-Object (?), not ForEach-Object (%); each group DN becomes the -Identity
    #of Remove-ADGroupMember and the user goes in -Members (passing the user positionally
    #would bind it to -Identity instead)

    $grps | ?{$keep -notcontains $_} | Remove-ADGroupMember -Members $user -WhatIf
    

    Remove -WhatIf once tested.

  • #59919
    Tony Antony
    Participant

    Thank you,

    I saw something along the lines of this a few weeks ago also. I know this doesn't work, but it looked something like this:

    Supposed to: get the group membership of person2, and remove everything except Domain Users

    (Get-ADPrincipalGroupMembership -Identity person2).name | Remove-ADGroupMember where{$_.(Get-ADPrincipalGroupMembership -Identity person) -ne "Domain Users"}

  • #59925
    Tony Antony
    Participant

    I'm not sure if I'm thinking this correctly, but since I can do

    Remove-ADGroupMember -Identity "5005 Email" -Members person2

    to remove that permission, is there a way to add

    where{$_.name -ne "Domain users"}

    so that it removes all groups except Domain Users?

  • #59929
    Ron
    Participant

    With AD groups, it's important to understand how the data is stored. Groups are not stored in the user object; it's a calculated field. Members are stored in the group object. So it's not a matter of removing groups from a user; you have to remove the user from each group he is in.

  • #59932
    Tony Antony
    Participant

    Thank you Ron,

    I understand you remove a user from the group, and not vice versa.

    That's what I'm trying to figure out. I saw an example earlier, but I can't find the link.

  • #59934
    Ron
    Participant

    You could do it that way for a single group, but you would have to compare the DN, not the CN. When you retrieve a user's group memberships, all you get is an array of DNs. You can then filter that list to remove the group(s) you want to keep and pipe it to remove-adgroupmember. But you'll need to use the full DN(s) in your filter.

    Try This:

    (get-aduser person2 -properties memberof).memberof

    You should see 2 things. The data returned is just a list (array) of DNs. The primary group, Domain Users, is not listed.

    So, assuming you want to remove all groups except the Primary group:

    (get-aduser person2 -properties memberof).memberof|remove-adgroupmember person2
    • #59935
      Tony Antony
      Participant

      (get-aduser person2 -properties memberof).memberof|remove-adgroupmember person2

      When I do that, it's asking for Members[0]:

    • #59938
      Ron
      Participant

      Sorry

      (get-aduser person2 -properties memberof).memberof|remove-adgroupmember -member person2
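Pulling the approach from Ron's replies together as one reusable function (an added example, not code posted in the thread): the allow-list is resolved to DNs before comparing, because memberOf only ever contains DNs; the primary group is reported but left alone, since it is not in memberOf and Remove-ADGroupMember cannot remove it anyway; the group DN is the -Identity and the user goes in -Members, which is the binding mistake behind the "Members[0]:" prompt above; and -WhatIf / -Confirm are passed through so the first run is a dry run. It assumes the ActiveDirectory (RSAT) module and rights to modify the groups; 'person2' and 'IntranetAccess' are the thread's placeholder names.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory (RSAT) module
# and rights to modify the groups. 'person2' and 'IntranetAccess' are placeholders from the thread.
#Requires -Modules ActiveDirectory

function Remove-ADUserFromGroupsExcept {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # sAMAccountName, distinguishedName, GUID or SID. A display name such as 'Fred Smith' does not resolve.
        [Parameter(Mandatory)]
        [string] $Identity,

        # Groups to keep, by sAMAccountName or DN. They are resolved to DNs before comparing,
        # because memberOf only ever contains DNs.
        [string[]] $Keep = @()
    )

    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID

    # Resolve the allow-list to DNs and fail closed: a typo in the allow-list would otherwise
    # silently strip a group you meant to keep.
    $keepDNs = foreach ($g in $Keep) {
        (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName
    }

    # The primary group (Domain Users, RID 513, by default) is not listed in memberOf and
    # cannot be removed with Remove-ADGroupMember, so it is only reported here.
    $domainSid  = (Get-ADDomain).DomainSID.Value
    $primaryGrp = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
    Write-Verbose "Primary group '$($primaryGrp.Name)' is kept implicitly"

    # memberOf lists direct memberships only. Indirect (nested) membership goes away when the
    # parent group is removed, which is the only thing that can be done at the user level anyway.
    $toRemove = @($user.memberOf | Where-Object { $keepDNs -notcontains $_ })

    foreach ($dn in $toRemove) {
        # Members live on the group object, so the group is -Identity and the user is -Members.
        # Passing the user positionally binds it to -Identity and produces the 'Members[0]:' prompt.
        if ($PSCmdlet.ShouldProcess($dn, "Remove $($user.SamAccountName) from group")) {
            # ShouldProcess has already asked; -Confirm:$false avoids a second prompt per group.
            Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
            $dn   # emit the DN so the caller can log what was removed
        }
    }
}

# Dry run first (prints "What if: ..." for each group), then the real thing:
Remove-ADUserFromGroupsExcept -Identity person2 -Keep 'IntranetAccess' -WhatIf
# Remove-ADUserFromGroupsExcept -Identity person2 -Keep 'IntranetAccess' -Confirm:$false -Verbose
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm from the caller flow into the ShouldProcess check, so the same code path is exercised in the dry run and the real run; capture the emitted DNs (for example, with Out-File) if you need a record of what was removed.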
