cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Removing users from an AD group

DamienFR68
Copper Contributor

‎Oct 19 2023 05:59 AM

‎Oct 19 2023 05:59 AM

Removing users from an AD group

Hello,

I am using the following script to remove a batch of users from an AD group:

$x=Get-Content "C:\Users\damien.hartmann\Documents\Comptes.txt"
for ($i=0; $i -lt $x.Count; $i++)
{
Remove-ADGroupMember -Identity 'Office365_LicenceE1_Base' -Members $x[$i]
}

However I get the following error:

Remove-ADGroupMember : Impossible de lier le paramètre «Members». Impossible de convertir la valeur «C» en type «Microsoft.ActiveDirectory.Management.ADPrincipal». Erreur: «Cast non valide 
de 'System.Char' en 'Microsoft.ActiveDirectory.Management.ADPrincipal'.»
Au caractère C:\Users\damien.hartmann\Documents\changer_comptes_v3.ps1:4 : 68
+ ... ve-ADGroupMember -Identity 'Office365_LicenceE1_Base' -Members $x[$i]
+                                                                    ~~~~~~
    + CategoryInfo          : InvalidArgument : (:) [Remove-ADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember

(apologies for the French)

The "C" mentioned is the first character of the first user in the Comptes.txt file.

 

Do you see where I made a mistake?

 

Thanks!

Labels:
289 Views
0 Likes
7 Replies
Reply
7 Replies
LainRobertson

‎Oct 19 2023 06:27 AM

‎Oct 19 2023 06:27 AM

Re: Removing users from an AD group

@DamienFR68 

 

There's multiple ways of tackling this, with some being significantly more efficient than others.

 

But first, what does your input file (Comptes.txt) contain?

 

If it contains RFC822 (or SMTP-style, if you prefer, as used for mail and userPrincipalName) addresses, this will not work. As per the documentation, only a specific set of string types can be used and SMTP-style addresses:

 

 

Accepted attribute formats for strings are:

 

  • distinguishedName
  • objectGUID
  • objectSid
  • sAMAccountName

 

You could take SMTP-style addresses from your Comptes.txt file, look up the users to obtain ADPrincipal objects, and then pass those to Remove-ADGroupMember, but this is a wildly inefficient path to pursue if you have more than, say, a few dozen users.

 

Cheers,

Lain

0 Likes
Reply
DamienFR68

‎Oct 19 2023 07:18 AM

‎Oct 19 2023 07:18 AM

Re: Removing users from an AD group

Thank you for the feedback Lain.
In my comptes.txt file I have users in firstname.name format, each on a separate line.

I will indeed have hundreds of users to manipulate, and cannot search the individual DistinguishedName for each of them.


0 Likes
Reply
LainRobertson

‎Oct 19 2023 04:03 PM

‎Oct 19 2023 04:03 PM

Re: Removing users from an AD group

@DamienFR68 

 

Does firstName.surname match the sAMAccountName naming standard?

 

If it doesn't match sAMAccountName then it's not going to work, as it's not one of the four supported string standards listed above.

 

Cheers,

Lain

0 Likes
Reply
DamienFR68

‎Oct 20 2023 05:43 AM - edited ‎Oct 20 2023 06:30 AM

‎Oct 20 2023 05:43 AM - edited ‎Oct 20 2023 06:30 AM

Re: Removing users from an AD group

To my knowledge it does, I have also tried with email address and obtained the same result. The error message focus on the first letter is very strange.
You confirm that the rest of the script is valid?

0 Likes
Reply
best response confirmed by DamienFR68 (Copper Contributor)
LainRobertson

‎Oct 20 2023 06:41 AM

‎Oct 20 2023 06:41 AM

Solution

Re: Removing users from an AD group

@DamienFR68 

 

Yes and no.

 

In principle, it could be made to work that way but there's two points I'd make:

 

  1. To get that specific type conversion error from your original post, there's something wrong with your input file, since the entire file is considered to be one single string;
  2. Even if the input file were correctly interpreted as a string array, using a "for" loop is very inefficient and won't scale well.

 

Strictly-speaking, the "for" loop is entirely unnecessary if the input file contains any of the four string references (the most likely string formats to be chosen being either sAMAccountName or distinguishedName).

 

If the issue with the input file can be fixed, then the simplest and most efficient way to remove the members contained within the input file would be:

 

Example

Remove-ADGroupMember -Identity "Office365_LicenceE1_Base" -Members (Get-Content -Path "C:\Users\damien.hartmann\Documents\Comptes.txt") -Confirm:$false;

 

Imagine your input file had 1,000 users in it at one user per line. Using a "for" loop approach would result in 1,000 separate calls to Active Directory for the setting of the group's "member" attribute.

 

Using the example above, a single call is made to Active Directory when setting the group's "member" attribute. That's a considerable difference and why there's a tremendous impact on Active Directory when using a loop.

 

Cheers,

Lain

1 Like
Reply
LainRobertson

‎Oct 20 2023 06:47 AM - edited ‎Oct 20 2023 06:47 AM

‎Oct 20 2023 06:47 AM - edited ‎Oct 20 2023 06:47 AM

Re: Removing users from an AD group

@DamienFR68 

 

Noting what you said here:

 

I have also tried with email address and obtained the same result

This error is expected, since "mail" is not one of the four attributes I listed earlier.

 

You must use one of the four listed attributes or take the more inefficient path of using Get-ADObject to find the user first and then pipe that into Remove-ADGroupMember. I dismissed this approach earlier on so I won't cover it here now.

 

Cheers,

Lain

0 Likes
Reply
DamienFR68

‎Oct 20 2023 06:52 AM

‎Oct 20 2023 06:52 AM

Re: Removing users from an AD group

Thanks a lot for your time and help. With your single command line it actually works, without having modified the .txt file.
Now I'm faced with a rights issue, but I'm going to handle that on my side.
Again, a big thank you!
1 Like
Reply