SOLVED

Removing users from an AD group

Copper Contributor

Hello,

I am using the following script to remove a batch of users from an AD group:

$x=Get-Content "C:\Users\damien.hartmann\Documents\Comptes.txt"
for ($i=0; $i -lt $x.Count; $i++)
{
Remove-ADGroupMember -Identity 'Office365_LicenceE1_Base' -Members $x[$i]
}

However I get the following error:

Remove-ADGroupMember : Impossible de lier le paramètre «Members». Impossible de convertir la valeur «C» en type «Microsoft.ActiveDirectory.Management.ADPrincipal». Erreur: «Cast non valide 
de 'System.Char' en 'Microsoft.ActiveDirectory.Management.ADPrincipal'.»
Au caractère C:\Users\damien.hartmann\Documents\changer_comptes_v3.ps1:4 : 68
+ ... ve-ADGroupMember -Identity 'Office365_LicenceE1_Base' -Members $x[$i]
+                                                                    ~~~~~~
    + CategoryInfo          : InvalidArgument : (:) [Remove-ADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember

(apologies for the French)

The "C" mentioned is the first character of the first user in the Comptes.txt file.

 

Do you see where I made a mistake?

 

Thanks!

7 Replies

@DamienFR68 

 

There's multiple ways of tackling this, with some being significantly more efficient than others.

 

But first, what does your input file (Comptes.txt) contain?

 

If it contains RFC822 (or SMTP-style, if you prefer, as used for mail and userPrincipalName) addresses, this will not work. As per the documentation, only a specific set of string types can be used and SMTP-style addresses:

 

 

Accepted attribute formats for strings are:

 

  • distinguishedName
  • objectGUID
  • objectSid
  • sAMAccountName

 

You could take SMTP-style addresses from your Comptes.txt file, look up the users to obtain ADPrincipal objects, and then pass those to Remove-ADGroupMember, but this is a wildly inefficient path to pursue if you have more than, say, a few dozen users.

 

Cheers,

Lain

Thank you for the feedback Lain.
In my comptes.txt file I have users in firstname.name format, each on a separate line.

I will indeed have hundreds of users to manipulate, and cannot search the individual DistinguishedName for each of them.


@DamienFR68 

 

Does firstName.surname match the sAMAccountName naming standard?

 

If it doesn't match sAMAccountName then it's not going to work, as it's not one of the four supported string standards listed above.

 

Cheers,

Lain

To my knowledge it does, I have also tried with email address and obtained the same result. The error message focus on the first letter is very strange.
You confirm that the rest of the script is valid?

best response confirmed by DamienFR68 (Copper Contributor)
Solution

@DamienFR68 

 

Yes and no.

 

In principle, it could be made to work that way but there's two points I'd make:

 

  1. To get that specific type conversion error from your original post, there's something wrong with your input file, since the entire file is considered to be one single string;
  2. Even if the input file were correctly interpreted as a string array, using a "for" loop is very inefficient and won't scale well.

 

Strictly-speaking, the "for" loop is entirely unnecessary if the input file contains any of the four string references (the most likely string formats to be chosen being either sAMAccountName or distinguishedName).

 

If the issue with the input file can be fixed, then the simplest and most efficient way to remove the members contained within the input file would be:

 

Example

Remove-ADGroupMember -Identity "Office365_LicenceE1_Base" -Members (Get-Content -Path "C:\Users\damien.hartmann\Documents\Comptes.txt") -Confirm:$false;

 

Imagine your input file had 1,000 users in it at one user per line. Using a "for" loop approach would result in 1,000 separate calls to Active Directory for the setting of the group's "member" attribute.

 

Using the example above, a single call is made to Active Directory when setting the group's "member" attribute. That's a considerable difference and why there's a tremendous impact on Active Directory when using a loop.

 

Cheers,

Lain

@DamienFR68 

 

Noting what you said here:

 


I have also tried with email address and obtained the same result

This error is expected, since "mail" is not one of the four attributes I listed earlier.

 

You must use one of the four listed attributes or take the more inefficient path of using Get-ADObject to find the user first and then pipe that into Remove-ADGroupMember. I dismissed this approach earlier on so I won't cover it here now.

 

Cheers,

Lain

Thanks a lot for your time and help. With your single command line it actually works, without having modified the .txt file.
Now I'm faced with a rights issue, but I'm going to handle that on my side.
Again, a big thank you!
1 best response

Accepted Solutions
best response confirmed by DamienFR68 (Copper Contributor)
Solution

@DamienFR68 

 

Yes and no.

 

In principle, it could be made to work that way but there's two points I'd make:

 

  1. To get that specific type conversion error from your original post, there's something wrong with your input file, since the entire file is considered to be one single string;
  2. Even if the input file were correctly interpreted as a string array, using a "for" loop is very inefficient and won't scale well.

 

Strictly-speaking, the "for" loop is entirely unnecessary if the input file contains any of the four string references (the most likely string formats to be chosen being either sAMAccountName or distinguishedName).

 

If the issue with the input file can be fixed, then the simplest and most efficient way to remove the members contained within the input file would be:

 

Example

Remove-ADGroupMember -Identity "Office365_LicenceE1_Base" -Members (Get-Content -Path "C:\Users\damien.hartmann\Documents\Comptes.txt") -Confirm:$false;

 

Imagine your input file had 1,000 users in it at one user per line. Using a "for" loop approach would result in 1,000 separate calls to Active Directory for the setting of the group's "member" attribute.

 

Using the example above, a single call is made to Active Directory when setting the group's "member" attribute. That's a considerable difference and why there's a tremendous impact on Active Directory when using a loop.

 

Cheers,

Lain

View solution in original post