Feb 21 2022 10:47 AM
We have an OU built for Withdrawn students; the accounts are disabled but they still show up in groups they belonged to. We need to be able to remove them from mailing lists. We use a mail-enabled security group for All Students. I need to be able to remove all the Withdrawn students from this group. What is the best way to go about this?
Thank you in advance!
Feb 21 2022 01:09 PM
@stogiefan Something like this, you have to enter the OU of the Withdrawn users in it, use a -whatif to test after the remove-adgroupmember ;)
foreach ($user in get-aduser -filter * | where-object DistinguishedName -match 'ou of withdrawn students') {get-adgroup -filter * -properties mail | where-object {($_.mail -ne $Null) -and ($_.groupcategory -eq "Security")}} | remove-adgroupmember -members $user }
Feb 22 2022 01:30 PM
Feb 22 2022 01:46 PM
Feb 22 2022 02:03 PM - edited Feb 23 2022 12:53 AM
@stogiefan Doesn't matter, you're using PowerShell and that's always ok! I thought you wanted the users to be removed from any mail-enabled security group, but if you only have one group that the users need to be removed from.. That's easier and I replaced the OU filter for a wildcard search on any user within the Withdrawn OU, try the script below and if it returns some users that would be affected by it.. You can then remove the -WhatIf part, I've added the -Force:$True parameter so that it won't ask you if you want to remove the user for every occurence.
And you can run it from your Domain Controller / AD Server, that's the easiest for you now I guess ;) (You can install the RSAT tools on your computer too and run a PowerShell command from there if you start it as your Admin account)
- edit - Changed $user to $user.SamAccountName
foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-AdGroupMember -Identity 'Students - All' -members $user.SamAccountName -Force:$True -WhatIf }
Feb 23 2022 05:34 AM
Feb 23 2022 05:41 AM
Feb 23 2022 08:24 AM
Feb 23 2022 09:15 AM
@stogiefan If it's really a Active Directory group, mail-enabled security, could I say that every disabled user in it should be removed from it? Could make thing somewhat easier :)
Feb 23 2022 09:22 AM
Feb 23 2022 10:07 AM - edited Feb 23 2022 10:16 AM
@stogiefan Ok, well.. Here's another try, you can run it on your DC. First you install the module ExchangeOnlineManagement and connect to your 365 environment. (If you're not an Exchange Admin or Global Admin online, this won't work). Then you run through the users again and remove them from the online distribution-group. Remove the -whatif if you get the users returned that it would remove from the group..
Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline
foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-DistributionGroupMember -Identity 'Students - All' -member $user.SamAccountName -Confirm:$False -WhatIf }
Feb 23 2022 10:13 AM
Feb 23 2022 10:17 AM
Solution@stogiefan My bad, should have been member instead of members.. Try this:
foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-DistributionGroupMember -Identity 'Students - All' -member $user.SamAccountName -Confirm:$False -WhatIf }
(You don't have to install the module again or connect-exchangeonline again in your session, next session you can connect straight away without installing the module too)
Feb 23 2022 10:31 AM
Feb 23 2022 10:34 AM
Feb 23 2022 10:40 AM
Feb 25 2022 08:24 AM
Feb 25 2022 08:28 AM
Feb 23 2022 10:17 AM
Solution@stogiefan My bad, should have been member instead of members.. Try this:
foreach ($user in get-aduser -filter * | where-object DistinguishedName -like '*Withdrawn*') {Remove-DistributionGroupMember -Identity 'Students - All' -member $user.SamAccountName -Confirm:$False -WhatIf }
(You don't have to install the module again or connect-exchangeonline again in your session, next session you can connect straight away without installing the module too)