remove disabled users from distribution groups exchange online

[acer460527 Participant Topics: 37 Replies: 88 Points: 511Rank: Major Contributor]

Hi All

when I try to run this code

$groups = Get-DistributionGroup -ResultSize Unlimited
foreach($group in $groups){
Get-DistributionGroupMember $group |
?{$_.RecipientType -like ‘*User*’ -and $_.ResourceType -eq $null} |
Get-User | ?{$_.UserAccountControl -match ‘AccountDisabled’} |
Remove-DistributionGroupMember $group -Confirm:$false
}

I’m getting the following error messages

Cannot process argument transformation on parameter ‘Identity’. Cannot convert the “name_of_distributionlist” value of type
“Deserialized.Microsoft.Exchange.Data.Directory.Management.DistributionGroup” to type
“Microsoft.Exchange.Configuration.Tasks.DistributionGroupMemberIdParameter”.
+ CategoryInfo : InvalidData: (:) [Get-DistributionGroupMember], ParameterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-DistributionGroupMember
+ PSComputerName : outlook.office365.com

any Idea’s on how to solve this?

 

thanks for your input

 

Paul

[Olaf Participant Topics: 5 Replies: 2422 Points: 6,253Rank: Community MVP]

Without the possiblitiy to test I’d suspect Get-DistributionGroupMember is not able to deal with the complete object. So you should provide only the expected property of the object … try the sAMAccountName:

$groups = Get-DistributionGroup -ResultSize Unlimited
foreach ($group in $groups) {
    Get-DistributionGroupMember -Identity $group.sAMAccountName |
        Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
            Get-User | 
                Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                    Remove-DistributionGroupMember $group -Confirm:$false
}

[acer460527 Participant Topics: 37 Replies: 88 Points: 511Rank: Major Contributor]

Hi Olaf,

thanks for your suggestion however no joy still the same error message

 

Paul

[Olaf Participant Topics: 5 Replies: 2422 Points: 6,253Rank: Community MVP]

Paul,

hmmm … I didn’t want to test the part with the remove cmdlet but actually the code ran in my environment. Try it this way:

Get-DistributionGroup -ResultSize Unlimited | 
    ForEach-Object {
        $DistributionGroup = $_.sAMAccountName
        Get-DistributionGroupMember -Identity $DistributionGroup |
            Where-Object { $_.RecipientType -like '*User*' -and $null -eq $_.ResourceType } |
                Get-User | 
                    Where-Object { $_.UserAccountControl -match 'AccountDisabled' } |
                        ForEach-Object {
                            Remove-DistributionGroupMember -Identity $DistributionGroup -Confirm:$false -Member $_.SamAccountName
                        }
    }

[acer460527 Participant Topics: 37 Replies: 88 Points: 511Rank: Major Contributor]

Hi Olaf,

still no  luck,
another thing that is weird is that whenever the user account is still active it will work

$email = “[email protected]”

$mailbox = Get-Mailbox -Identity $email

$DN=$mailbox.DistinguishedName

$Filter = “Members -like “”$DN”””

$DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

Write-host `n
Write-host “Listing all Distribution Groups:”
Write-host `n
$DistributionGroupsList | ft

$answer = Read-Host “Would you like to proceed and remove $email from all distribution groups ( y / n )?”

While (“y”,”n” -notcontains $answer) {
$answer = Read-Host “Would you like to proceed and remove $email from all distribution groups ( y / n )?”
}

If ($answer -eq ‘y’) {

ForEach ($item in $DistributionGroupsList) {
Remove-DistributionGroupMember -Identity $item.DisplayName –Member $email -Confirm:$false
}

Write-host `n
Write-host “Successfully removed”

Remove-Variable * -ErrorAction SilentlyContinue
}

Else

{
Remove-Variable * -ErrorAction SilentlyContinue
}

do you happen to know why removing the distribution groups for disabled users is such a pain?

 

[Olaf Participant Topics: 5 Replies: 2422 Points: 6,253Rank: Community MVP]

acer460527 wrote:

do you happen to know why removing the distribution groups for disabled users is such a pain?

Do you want to remove the users or the distribution groups?

[acer460527 Participant Topics: 37 Replies: 88 Points: 511Rank: Major Contributor]

Olaf,

I want to remove the users, but the thing is when a user is leaving the company I can deal with that as long as the account is active. for the already deactivated users I’m strugling to get it to work, because I get that error message posted in the original post thrown at me

[Inactive Topics: 0 Replies: 5 Points: 0Rank: Member]

Olaf was correct. The problem with the original syntax is that Get-DistributionGroupMember returns a deserialized object which is being passed to the Remove-DistributionGroupMember’s -Identity parameter. Looking at the help for this cmdlet show you what properties you can pass to it. I have put them here: -Identity <DistributionGroupIdParameter>

The Identity parameter specifies the distribution group or mail-enabled security group that you want to modify. You can use
any value that uniquely identifies the group.

For example: * Name, * Display name, * Alias, * Distinguished name (DN), * Canonical DN, * Email address or * GUID

Required? true
Position? 1
Default value
Accept pipeline input? True
Accept wildcard characters? false

You are most likely having an issue because when the account is inactive it has been removed  and it sitting in the dumpster which is retained for 30 days after the account is removed. Bigger question is the user on any sort of time based or Lithold?

[acer460527 Participant Topics: 37 Replies: 88 Points: 511Rank: Major Contributor]

Dave thanks for your answer

when I run this code it works on the active users but on the disabled users I get the below mentioned error message

$users = import-csv c:\temp\csv\toRemove.csv

foreach($user in $users){

$email = “$($user.email)”

$mailbox = Get-Mailbox -Identity $email

$DN=$mailbox.DistinguishedName

$Filter = “Members -like “”$DN”””

$DistributionGroupsList = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter

$DistributionGroupsList

ForEach ($item in $DistributionGroupsList) {
Remove-DistributionGroupMember -Identity $item.DisplayName –Member $email -Confirm:$false
}
}

I get the following error message

The operation couldn’t be performed because object ‘[email protected]’ couldn’t be found on
‘xxxxxx.PROD.OUTLOOK.COM’.
+ CategoryInfo : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=servername,RequestId=3677493e-a17d-4d93-ab7e-7567764e1a25,TimeStamp=7/8/2020 5:46:21 PM] [Fail
ureCategory=Cmdlet-ManagementObjectNotFoundException] ,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
+ PSComputerName : office365

when running this code while the user is still active I do get the distributionlists he’s member of

[Inactive Topics: 0 Replies: 5 Points: 0Rank: Member]

Because when they are inactive they don’t have an exchange account and the mailbox is marked inactive and in the dumpster. All exchange attributes are removed unless you activate it, assign a license and move the mailbox out of the dumpster. You will want to remove them from all groups before you mark them inactive or remove them to minimize the risk of leaving objects in your gal or orphaned objects.

[acer460527 Participant Topics: 37 Replies: 88 Points: 511Rank: Major Contributor]

Dave,

makes sence how would I manage to remove every disabled user from the distribution groups and avoiding errors?

 

[Author]

Posts