Forum Discussion

stogiefan's avatar
stogiefan
Brass Contributor
Feb 21, 2022

Remove bulk users from mail-enabled security group

We have an OU built for Withdrawn students; the accounts are disabled but they still show up in groups they belonged to. We need to be able to remove them from mailing lists. We use a mail-enabled security group for All Students. I need to be able to remove all the Withdrawn students from this group. What is the best way to go about this? 

Thank you in advance!

  • stogiefan My bad, should have been member instead of members.. Try this:

     

    foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-DistributionGroupMember -Identity 'Students - All' -member $user.SamAccountName -Confirm:$False -WhatIf }

     (You don't have to install the module again or connect-exchangeonline again in your session,  next session you can connect straight away without installing the module too)

  • stogiefan Something like this, you have to enter the OU of the Withdrawn users in it, use a -whatif to test after the remove-adgroupmember 😉 

     

    foreach ($user in get-aduser -filter * | where-object DistinguishedName -match 'ou of withdrawn students') {get-adgroup -filter * -properties mail | where-object {($_.mail -ne $Null) -and ($_.groupcategory -eq "Security")}} | remove-adgroupmember -members $user }

     

    • stogiefan's avatar
      stogiefan
      Brass Contributor
      Wow, thanks so much for this. I will get back to you after giving it a try!
    • stogiefan's avatar
      stogiefan
      Brass Contributor
      Hi again, and thanks again for your response. I could not get this to work. I am painfully inexperienced with Powershell. But I do want to try and understand this.

      I know I need to identify the members of an OU in AD. I assume to do so I need to use the path name rather than just the nested OU's name.
      eg - "(DOMAIN)/USERS/STUDENTS/WITHDRAWN" ... or just "Withdrawn"?

      Also, where do I identify the group name that they need to be removed from? In this case it is "Students - All".

      Also, I assume I run this in powershell from my AD server correct?

      I apologize for so many questions, I may be in over my head! Ha!

      • stogiefan Doesn't matter, you're using PowerShell and that's always ok! I thought you wanted the users to be removed from any mail-enabled security group, but if you only have one group that the users need to be removed from.. That's easier and I replaced the OU filter for a wildcard search on any user within the Withdrawn OU, try the script below and if it returns some users that would be affected by it.. You can then remove the -WhatIf part, I've added the -Force:$True parameter so that it won't ask you if you want to remove the user for every occurence.

        And you can run it from your Domain Controller / AD Server, that's the easiest for you now I guess 😉 (You can install the RSAT tools on your computer too and run a PowerShell command from there if you start it as your Admin account)

         

        - edit - Changed $user to $user.SamAccountName

         

         

        foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-AdGroupMember -Identity 'Students - All' -members $user.SamAccountName -Force:$True -WhatIf }

         

         

         

         

Resources