remove disabled users from distribution groups exchange online

    • #240791

      Hi All

      When I try to run this code:

      $groups = Get-DistributionGroup -ResultSize Unlimited
      foreach ($group in $groups) {
          Get-DistributionGroupMember $group |
              ?{$_.RecipientType -like '*User*' -and $_.ResourceType -eq $null} |
              Get-User | ?{$_.UserAccountControl -match 'AccountDisabled'} |
              Remove-DistributionGroupMember $group -Confirm:$false
      }

      I’m getting the following error messages:

      Cannot process argument transformation on parameter ‘Identity’. Cannot convert the “name_of_distributionlist” value of type
      “Deserialized.Microsoft.Exchange.Data.Directory.Management.DistributionGroup” to type
      “Microsoft.Exchange.Configuration.Tasks.DistributionGroupMemberIdParameter”.
      + CategoryInfo : InvalidData: (:) [Get-DistributionGroupMember], ParameterBindin…mationException
      + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-DistributionGroupMember
      + PSComputerName : outlook.office365.com
      
      

      Any ideas on how to solve this?

      Thanks for your input

      Paul

    • #240803

      Without the possibility to test, I’d suspect Get-DistributionGroupMember is not able to deal with the complete object. So you should provide only the expected property of the object … try the sAMAccountName:

      $groups = Get-DistributionGroup -ResultSize Unlimited
      foreach ($group in $groups) {
          Get-DistributionGroupMember -Identity $group.sAMAccountName |
              Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
                  Get-User | 
                      Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                          Remove-DistributionGroupMember $group -Confirm:$false
      }
    • #240806

      Hi Olaf,

      Thanks for your suggestion; however, no joy, still the same error message.

      Paul

    • #240920

      Paul,

      hmmm … I didn’t want to test the part with the remove cmdlet but actually the code ran in my environment. Try it this way:

      Get-DistributionGroup -ResultSize Unlimited | 
          ForEach-Object {
              $DistributionGroup = $_.sAMAccountName
              Get-DistributionGroupMember -Identity $DistributionGroup |
                  Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
                      Get-User | 
                          Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                              ForEach-Object {
                                  Remove-DistributionGroupMember -Identity $DistributionGroup -Confirm:$false -Member $_.SamAccountName
                              }
          }
    • #240974

      Hi Olaf,

      Still no luck.
      Another thing that is weird is that whenever the user account is still active it will work:

      $email = "[email protected]"
      $mailbox = Get-Mailbox -Identity $email
      $DN = $mailbox.DistinguishedName
      $Filter = "Members -like ""$DN"""
      $DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

      Write-Host `n
      Write-Host "Listing all Distribution Groups:"
      Write-Host `n
      $DistributionGroupsList | ft

      $answer = Read-Host "Would you like to proceed and remove $email from all distribution groups ( y / n )?"

      While ("y","n" -notcontains $answer) {
          $answer = Read-Host "Would you like to proceed and remove $email from all distribution groups ( y / n )?"
      }

      If ($answer -eq 'y') {
          ForEach ($item in $DistributionGroupsList) {
              Remove-DistributionGroupMember -Identity $item.DisplayName -Member $email -Confirm:$false
          }

          Write-Host `n
          Write-Host "Successfully removed"

          Remove-Variable * -ErrorAction SilentlyContinue
      }
      Else {
          Remove-Variable * -ErrorAction SilentlyContinue
      }


      Do you happen to know why removing the distribution groups for disabled users is such a pain?

    • #241016

      do you happen to know why removing the distribution groups for disabled users is such a pain?

      Do you want to remove the users or the distribution groups?

    • #241037

      Olaf,

      I want to remove the users, but the thing is, when a user is leaving the company I can deal with that as long as the account is active. For the already deactivated users I’m struggling to get it to work, because I get that error message posted in the original post thrown at me.

    • #241103

      Olaf was correct. The problem with the original syntax is that Get-DistributionGroupMember returns a deserialized object which is being passed to the Remove-DistributionGroupMember’s -Identity parameter. Looking at the help for this cmdlet shows you what properties you can pass to it. I have put them here:

      -Identity <DistributionGroupIdParameter>

      The Identity parameter specifies the distribution group or mail-enabled security group that you want to modify. You can use
      any value that uniquely identifies the group.

      For example: * Name, * Display name, * Alias, * Distinguished name (DN), * Canonical DN, * Email address or * GUID

      Required? true
      Position? 1
      Default value
      Accept pipeline input? True
      Accept wildcard characters? false

      You are most likely having an issue because when the account is inactive it has been removed and is sitting in the dumpster, which is retained for 30 days after the account is removed. Bigger question: is the user on any sort of time-based or Lithold?

    • #241133

      Dave, thanks for your answer.

      When I run this code it works on the active users, but on the disabled users I get the below mentioned error message:

      $users = Import-Csv c:\temp\csv\toRemove.csv

      foreach ($user in $users) {
          $email = "$($user.email)"
          $mailbox = Get-Mailbox -Identity $email
          $DN = $mailbox.DistinguishedName
          $Filter = "Members -like ""$DN"""
          $DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

          $DistributionGroupsList

          ForEach ($item in $DistributionGroupsList) {
              Remove-DistributionGroupMember -Identity $item.DisplayName -Member $email -Confirm:$false
          }
      }


      I get the following error message

      The operation couldn’t be performed because object ‘[email protected]’ couldn’t be found on
      ‘xxxxxx.PROD.OUTLOOK.COM’.
      + CategoryInfo : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : [Server=servername,RequestId=3677493e-a17d-4d93-ab7e-7567764e1a25,TimeStamp=7/8/2020 5:46:21 PM] [Fail
      ureCategory=Cmdlet-ManagementObjectNotFoundException] ,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
      + PSComputerName : office365
      
      

      When running this code while the user is still active, I do get the distribution lists he’s a member of.

    • #241172

      Because when they are inactive they don’t have an Exchange account and the mailbox is marked inactive and in the dumpster. All Exchange attributes are removed unless you activate it, assign a license and move the mailbox out of the dumpster. You will want to remove them from all groups before you mark them inactive or remove them to minimize the risk of leaving objects in your GAL or orphaned objects.

    • #241247

      Dave,

      Makes sense. How would I manage to remove every disabled user from the distribution groups while avoiding errors?
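
One way to approach the closing question, as an added example that is not code from any participant in the thread: it enumerates from the group side so it never calls Get-Mailbox on a disabled account, passes GUID strings instead of objects, and only previews removals until the hypothetical `$Apply` variable is set to `$true`. It assumes an already connected Exchange Online PowerShell session with rights to manage the groups.

```powershell
# Added example (not from the thread). Assumes a connected Exchange Online
# PowerShell session. $Apply is a hypothetical switch for this sketch:
# while it is $false every removal runs with -WhatIf and changes nothing.
$Apply = $false
$isDisabled = @{}   # cache: member GUID -> $true/$false from Get-User

$report = foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
    $groupId = $group.Guid.ToString()   # pass a string, not the group object
    try {
        $members = Get-DistributionGroupMember -Identity $groupId -ResultSize Unlimited -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$($group.DisplayName)': $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        # Same filter as the thread: user-type recipients that are not resources.
        if ($member.RecipientType -notlike '*User*' -or $null -ne $member.ResourceType) { continue }
        $memberId = $member.Guid.ToString()
        if (-not $isDisabled.ContainsKey($memberId)) {
            try {
                $user = Get-User -Identity $memberId -ErrorAction Stop
                $isDisabled[$memberId] = [bool]($user.UserAccountControl -match 'AccountDisabled')
            }
            catch {
                # Lookup failed: leave the membership alone and surface it for review.
                Write-Warning "Cannot resolve '$($member.DisplayName)': $($_.Exception.Message)"
                $isDisabled[$memberId] = $false
            }
        }
        if (-not $isDisabled[$memberId]) { continue }
        $status = if ($Apply) { 'Removed' } else { 'Preview only' }
        try {
            Remove-DistributionGroupMember -Identity $groupId -Member $memberId `
                -Confirm:$false -WhatIf:(-not $Apply) -ErrorAction Stop
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Group = $group.DisplayName; Member = $member.DisplayName; Status = $status
        }
    }
}
$report | Format-Table -AutoSize
```

Exporting `$report` with Export-Csv before setting `$Apply = $true` leaves a record of which memberships were removed and which lookups need manual review.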
