remove all AD group membership from a computer

This topic contains 2 replies, has 2 voices, and was last updated by Profile photo of Tony Rodal Tony Rodal 3 months, 1 week ago.

  • Author
    Posts
  • #53162
    Profile photo of Tony Rodal
    Tony Rodal
    Participant

    Hi, I'm fairly new to powershell and I'm looking for help on a powershell script to remove all AD group membership from a computer. So anything under the Member of tab in AD for that computer. Please note I do not plan on using the dell quest cmdlets. Thanks for any help in advance.

  • #53172
    Profile photo of Fredrik Kacsmarck
    Fredrik Kacsmarck
    Participant

    There are probably many ways to do it but e.g.

    # The computer you want to remove
    $server = 'Server1'
    
    # The computer DN
    $computerDN = Get-ADComputer -Identity $server | select -expandproperty DistinguishedName
    
    # The list of groups in the member of attribute
    $groupDN = Get-ADComputer -Identity $server -Properties MemberOf| select -expandproperty MemberOf
    
    # go through the list
    foreach($g in $groupDN)
      {
      # If you want to suppress confirmation add -Confirm:$false to the line below
      Remove-ADGroupMember -Identity "$g" -Member "$computerDN"
      }
    

    Disclaimer: works in my lab, so test it first before using.
    Edit: You need the powershell RSAT tools for Active Directory installed to use the Get-ADComputer, Remove-ADgroupmember
    Edit2: Forgot to mention that the above will not remove the group that is set as the Primary AD group for the computer, usually this is "Domain Computers"

  • #53200
    Profile photo of Tony Rodal
    Tony Rodal
    Participant

    This works great. Thank you for the quick reply.

You must be logged in to reply to this topic.