Remove bulk users from mail-enabled security group


We have an OU built for Withdrawn students; the accounts are disabled but they still show up in groups they belonged to. We need to be able to remove them from mailing lists. We use a mail-enabled security group for All Students. I need to be able to remove all the Withdrawn students from this group. What is the best way to go about this? 

Thank you in advance!


@stogiefan Something like this, you have to enter the OU of the Withdrawn users in it, use a -whatif to test after the remove-adgroupmember ;) 


foreach ($user in Get-ADUser -Filter * | Where-Object DistinguishedName -match 'ou of withdrawn students') {
    # every mail-enabled security group; drop the user from each one
    Get-ADGroup -Filter * -Properties mail |
        Where-Object { ($_.mail -ne $null) -and ($_.GroupCategory -eq 'Security') } |
        Remove-ADGroupMember -Members $user -WhatIf   # remove -WhatIf to apply the change
}


Wow, thanks so much for this. I will get back to you after giving it a try!
Hi again, and thanks again for your response. I could not get this to work. I am painfully inexperienced with PowerShell. But I do want to try and understand this.

I know I need to identify the members of an OU in AD. I assume to do so I need to use the path name rather than just the nested OU's name.
eg - "(DOMAIN)/USERS/STUDENTS/WITHDRAWN" ... or just "Withdrawn"?

Also, where do I identify the group name that they need to be removed from? In this case it is "Students - All".

Also, I assume I run this in powershell from my AD server correct?

I apologize for so many questions, I may be in over my head! Ha!

@stogiefan Doesn't matter, you're using PowerShell and that's always ok! I thought you wanted the users to be removed from any mail-enabled security group, but if you only have one group that the users need to be removed from.. That's easier and I replaced the OU filter for a wildcard search on any user within the Withdrawn OU, try the script below and if it returns some users that would be affected by it.. You can then remove the -WhatIf part, I've added the -Force:$True parameter so that it won't ask you if you want to remove the user for every occurrence.

And you can run it from your Domain Controller / AD Server, that's the easiest for you now I guess ;) (You can install the RSAT tools on your computer too and run a PowerShell command from there if you start it as your Admin account)


- edit - Changed $user to $user.SamAccountName



foreach ($user in Get-ADUser -Filter * | Where-Object DistinguishedName -like '*Withdrawn*') {
    # -WhatIf only reports what would be removed; drop it to apply the change
    Remove-ADGroupMember -Identity 'Students - All' -Members $user.SamAccountName -Force:$True -WhatIf
}





I cannot thank you enough for working with me on this. I understand this a bit better now. When I first ran it, it said it did not recognize the "force" parameter. I removed that and the "whatif" and it said it could not find the Students - All object. This may be due to the hybrid nature of our environment. That OU exists in our local AD but the security group may be cloud-only. I am not sure how this works as I am not the network admin, I am the computer technician. But my coworker won't do this stuff so I am forced to try and learn it.
Thank you again for taking your time to help me!
Ok, that might be the case... You could try to change remove-adgroupmember to Remove-DistributionGroupMember, the parameters are the same.. If you do a search in Active Directory Users and Computers, does it show anything while searching for Students? It could also be a dynamic group, that users are put in it automatically. In that case, the query behind it should be modified perhaps to include enabled users?
That didn't work out either. Let me give you more info and it may help.
AD is on our DC and Exchange is on its own server. Then we have the cloud environment (Azure and 365). I am not sure how that all works together. The user accounts are in the OU I mentioned above and they are disabled (since they are withdrawn students). For whatever reason the school wants to keep the accts but remove them from distros. We use several diff groups for those distros. In this case, "Students - All" is a mail-enabled security group.
I was hoping I could somehow identify the OU members (withdrawn students) to remove them in bulk from distros (specifically the one above).
Does this help?
I am so appreciative of you taking your time here. I completely understand if this becomes annoying, lol.

@stogiefan If it's really an Active Directory group, mail-enabled security, could I say that every disabled user in it should be removed from it? Could make things somewhat easier :)

I am so sorry I am having trouble understanding.
I think I just figured something out. In our local AD, on the DC, there are only Computers and Users. I don't see any groups.
In Azure AD I see all the groups. That may be the disconnect.
To answer your question, yes, all the users in the Withdrawn OU are disabled and they are the ones that need to be removed from it.
Hope this helps!

@stogiefan Ok, well.. Here's another try, you can run it on your DC. First you install the module ExchangeOnlineManagement and connect to your 365 environment. (If you're not an Exchange Admin or Global Admin online, this won't work). Then you run through the users again and remove them from the online distribution-group. Remove the -whatif if you get the users returned that it would remove from the group..



Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline   # sign in with an Exchange Admin / Global Admin account
foreach ($user in Get-ADUser -Filter * | Where-Object DistinguishedName -like '*Withdrawn*') {
    # -WhatIf only reports what would be removed; drop it to apply the change
    Remove-DistributionGroupMember -Identity 'Students - All' -Member $user.SamAccountName -Confirm:$False -WhatIf
}



Thank you yet again!!

I am able to connect to exch online but I got this error:
A parameter cannot be found that matches parameter name 'members'.
best response confirmed by stogiefan (Occasional Contributor)

@stogiefan My bad, should have been member instead of members.. Try this:


foreach ($user in Get-ADUser -Filter * | Where-Object DistinguishedName -like '*Withdrawn*') {
    # -WhatIf only reports what would be removed; drop it to apply the change
    Remove-DistributionGroupMember -Identity 'Students - All' -Member $user.SamAccountName -Confirm:$False -WhatIf
}

(You don't have to install the module again or connect-exchangeonline again in your session, next session you can connect straight away without installing the module too)

YES!! This is it, thank you so much!!
Nice! No problem, glad this worked out for you! Perhaps following an online training is something for you, PowerShell can help you with so many things and sometimes there's no escaping it ;)
I will and thank you again!
That seems like an expensive (performance wise) way of doing this.

Getting all AD users and then filtering locally (Where-Object) with a wildcard search, when you can just use the search base to get the users from the Withdrawn container.

Get-ADUser -Filter * -Searchbase "OU=Withdrawn,OU=xxx,DC=xx,DC=xx,DC=xx"
I understand, but formatting was difficult and this was easier in this case :grinning_face_with_sweat:
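Putting the accepted answer together with the -SearchBase point above, as an added example that is not code from any poster in this thread: it scopes the AD query to the Withdrawn OU server-side, keeps only disabled accounts, and checks the group's current membership so the dry run reports exactly who would be removed. The OU path is a placeholder, and it assumes each user's on-prem mail attribute matches the cloud primary SMTP address.

```powershell
# Added example, not code from any poster in this thread. Combines the accepted
# answer (Remove-DistributionGroupMember, dry run first) with the -SearchBase
# suggestion, and only touches accounts that are disabled AND actually in the group.
# Assumptions: the OU path is a placeholder; each withdrawn user's on-prem 'mail'
# attribute equals their cloud primary SMTP address.
param(
    [string]$WithdrawnOU = 'OU=Withdrawn,OU=Students,OU=Users,DC=example,DC=edu',  # placeholder
    [string]$GroupName   = 'Students - All',
    [switch]$Apply        # without -Apply the script only reports
)

Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline    # interactive sign-in as an Exchange admin

# Server-side scoping: only disabled users, only inside the Withdrawn OU.
$withdrawn = @(Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $WithdrawnOU -Properties mail |
    Where-Object { $_.mail })

# Current group membership keyed by primary SMTP address (lower-cased for matching).
$members = @{}
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object { $members[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

# Only users who are really in the group: no "not a member" errors, and an exact change list.
$toRemove = @($withdrawn | Where-Object { $members.ContainsKey($_.mail.ToLower()) })
Write-Output ("{0} disabled account(s) in the OU, {1} currently in '{2}'." -f $withdrawn.Count, $toRemove.Count, $GroupName)

foreach ($u in $toRemove) {
    if ($Apply) {
        Remove-DistributionGroupMember -Identity $GroupName -Member $u.mail -Confirm:$false
        Write-Output ("Removed {0} ({1}) from '{2}'." -f $u.SamAccountName, $u.mail, $GroupName)
    } else {
        Write-Output ("Would remove {0} ({1}); rerun with -Apply to do it." -f $u.SamAccountName, $u.mail)
    }
}
```

Run it once without -Apply to review the list, then with -Apply; the output lines double as a record of what was changed.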