Forum Discussion
Removing users from an AD group
- Oct 20, 2023
Yes and no.
In principle, it could be made to work that way but there are two points I'd make:
- To get that specific type conversion error from your original post, there's something wrong with your input file, since the entire file is considered to be one single string;
- Even if the input file were correctly interpreted as a string array, using a "for" loop is very inefficient and won't scale well.
Strictly speaking, the "for" loop is entirely unnecessary if the input file contains any of the four string references (the most likely string formats to be chosen being either sAMAccountName or distinguishedName).
If the issue with the input file can be fixed, then the simplest and most efficient way to remove the members contained within the input file would be:
Example
Remove-ADGroupMember -Identity "Office365_LicenceE1_Base" -Members (Get-Content -Path "C:\Users\damien.hartmann\Documents\Comptes.txt") -Confirm:$false;

Imagine your input file had 1,000 users in it at one user per line. Using a "for" loop approach would result in 1,000 separate calls to Active Directory for the setting of the group's "member" attribute.
Using the example above, a single call is made to Active Directory when setting the group's "member" attribute. That's a considerable difference and why there's a tremendous impact on Active Directory when using a loop.
Cheers,
Lain
In my comptes.txt file I have users in firstname.name format, each on a separate line.
I will indeed have hundreds of users to manipulate, and cannot search the individual DistinguishedName for each of them.
Does firstName.surname match the sAMAccountName naming standard?
If it doesn't match sAMAccountName then it's not going to work, as it's not one of the four supported string standards listed above.
Cheers,
Lain
- DamienFR68 Oct 20, 2023 Copper Contributor
To my knowledge it does. I have also tried with email address and obtained the same result. The error message's focus on the first letter is very strange.
You confirm that the rest of the script is valid?
- LainRobertson Oct 20, 2023 Silver Contributor
Noting what you said here:
"I have also tried with email address and obtained the same result"
This error is expected, since "mail" is not one of the four attributes I listed earlier.
You must use one of the four listed attributes or take the more inefficient path of using Get-ADObject to find the user first and then pipe that into Remove-ADGroupMember. I dismissed this approach earlier on so I won't cover it here now.
Cheers,
Lain
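A worked version of this approach, added here as an example and not code from the thread: it trims and de-duplicates the input file, resolves every name with one LDAP query instead of one Get-ADUser call per line, reports the entries that do not resolve, and then makes the single Remove-ADGroupMember call. The group name and file path are the ones from the thread, used as placeholders; ConvertTo-LdapSafe is a helper defined here, not an ActiveDirectory module cmdlet.

```powershell
# Added example (not code from the thread). Assumes the ActiveDirectory module
# and an input file holding one sAMAccountName per line. Group name and path
# are placeholders taken from the thread.
Import-Module ActiveDirectory

$GroupName = 'Office365_LicenceE1_Base'
$InputFile = 'C:\Users\damien.hartmann\Documents\Comptes.txt'

# Get-Content yields one string per line. Trim whitespace and drop blank lines,
# which are a common reason the first element fails type conversion.
$requested = @(Get-Content -Path $InputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique)

if ($requested.Count -eq 0) { throw "No account names found in $InputFile" }

# Helper (defined here): escape the characters LDAP filters treat specially
# (RFC 4515), so a stray '(' or '*' in the file cannot change the query.
function ConvertTo-LdapSafe([string]$s) {
    $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Resolve all names in one LDAP query: (|(sAMAccountName=a)(sAMAccountName=b)...)
$clauses = $requested | ForEach-Object { "(sAMAccountName=$(ConvertTo-LdapSafe $_))" }
$filter  = '(|' + ($clauses -join '') + ')'
$found   = @(Get-ADUser -LDAPFilter $filter)

# Report anything in the file that did not resolve before touching the group.
$foundNames = @($found | ForEach-Object SamAccountName)
$missing = $requested | Where-Object { $foundNames -notcontains $_ }
if ($missing) { Write-Warning "Not found in AD: $($missing -join ', ')" }

# One call sets the group's member attribute for the whole set. -WhatIf shows
# the change without applying it; remove it once the output looks right.
if ($found.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $found -Confirm:$false -WhatIf
}
```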
- DamienFR68 Oct 20, 2023 Copper Contributor
Thanks a lot for your time and help. With your single command line it actually works, without having modified the .txt file.
Now I'm faced with a rights issue, but I'm going to handle that on my side.
Again, a big thank you!