Forum Discussion
Remove bulk users from mail-enabled security group
- Feb 23, 2022
stogiefan My bad, should have been member instead of members.. Try this:
foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-DistributionGroupMember -Identity 'Students - All' -member $user.SamAccountName -Confirm:$False -WhatIf }
(You don't have to install the module again or connect-exchangeonline again in your session, next session you can connect straight away without installing the module too)
stogiefan Something like this, you have to enter the OU of the Withdrawn users in it, use a -whatif to test after the remove-adgroupmember 😉
foreach ($user in get-aduser -filter * | where-object DistinguishedName -match 'ou of withdrawn students') {get-adgroup -filter * -properties mail | where-object {($_.mail -ne $Null) -and ($_.groupcategory -eq "Security")} | remove-adgroupmember -members $user }
I know I need to identify the members of an OU in AD. I assume to do so I need to use the path name rather than just the nested OU's name.
eg - "(DOMAIN)/USERS/STUDENTS/WITHDRAWN" ... or just "Withdrawn"?
Also, where do I identify the group name that they need to be removed from? In this case it is "Students - All".
Also, I assume I run this in PowerShell from my AD server, correct?
I apologize for so many questions, I may be in over my head! Ha!
- Feb 22, 2022
stogiefan Doesn't matter, you're using PowerShell and that's always ok! I thought you wanted the users to be removed from any mail-enabled security group, but if you only have one group that the users need to be removed from.. That's easier and I replaced the OU filter for a wildcard search on any user within the Withdrawn OU, try the script below and if it returns some users that would be affected by it.. You can then remove the -WhatIf part, I've added the -Force:$True parameter so that it won't ask you if you want to remove the user for every occurrence.
And you can run it from your Domain Controller / AD Server, that's the easiest for you now I guess 😉 (You can install the RSAT tools on your computer too and run a PowerShell command from there if you start it as your Admin account)
- edit - Changed $user to $user.SamAccountName
foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-AdGroupMember -Identity 'Students - All' -members $user.SamAccountName -Force:$True -WhatIf }
- stogiefan, Feb 23, 2022, Brass Contributor
I cannot thank you enough for working with me on this. I understand this a bit better now. When I first ran it, it said it did not recognize the "force" parameter. I removed that and the "whatif" and it said it could not find the Students - All object. This may be due to the hybrid nature of our environment. That OU exists in our local AD but the security group may be cloud-only. I am not sure how this works as I am not the network admin, I am the computer technician. But my coworker won't do this stuff so I am forced to try and learn it.
Thank you again for taking your time to help me!
- Feb 23, 2022
Ok, that might be the case... You could try to change remove-adgroupmember to Remove-DistributionGroupMember, the parameters are the same.. If you do a search in Active Directory Users and Computers, does it show anything while searching for Students? It could also be a dynamic group, that users are put in it automatically. In that case, the query behind it should be modified perhaps to include enabled users?
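
A scoped form of the removal discussed in this thread, as an added example that is not part of any post above: it searches one OU by its full distinguished name instead of a '*Withdrawn*' wildcard, and only touches users who are actually members of the group. The function name and the OU path are assumptions (the path is a constructed placeholder), and it handles a group that exists in on-premises AD only.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# is installed and that the group exists in on-premises AD.
Import-Module ActiveDirectory -ErrorAction Stop

function Remove-OuUsersFromGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # full DN of the OU, not just its name
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Resolve the group first so a cloud-only or misspelled group fails once,
    # with a clear message, instead of once per user.
    $group = @(Get-ADGroup -Filter "Name -eq '$GroupName'")
    if ($group.Count -ne 1) {
        throw "Expected exactly one AD group named '$GroupName', found $($group.Count)."
    }
    $groupDn = $group[0].DistinguishedName

    # -SearchBase limits the query to this OU and its sub-OUs. A '*Withdrawn*'
    # wildcard on DistinguishedName also matches any other DN containing that word.
    $members = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties MemberOf |
        Where-Object { $_.MemberOf -contains $groupDn }

    foreach ($user in $members) {
        $removed = $false
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from '$GroupName'")) {
            # -Confirm:$false suppresses the per-user prompt.
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
            $removed = $true
        }
        # One record per affected user, usable as a change log.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Group          = $GroupName
            Removed        = $removed
        }
    }
}

# Preview first; rerun without -WhatIf once the list looks right.
$ou = 'OU=Withdrawn,OU=Students,OU=Users,DC=example,DC=local'   # constructed placeholder DN
Remove-OuUsersFromGroup -SearchBase $ou -GroupName 'Students - All' -WhatIf
```

With -WhatIf every record comes back with Removed set to False, so the output doubles as the list of accounts that a real run would change.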