Powershell 2.0 - Remove Group Membership for List of Disabled Accounts


I'm trying to remove AD group membership for a list of users whose accounts have been disabled but not sure how to properly combine the cmdlets. This is my attempt...

Import-CSV T:\temp\users.csv | ForEach-Object {Get-ADPrincipalGroupMembership -Identity $_.member | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_.member -MemberOf SamAccountName}}

users.csv (file contents below)

member
testuser1
testuser2
testuser3

I get the following message...

Remove-ADPrincipalGroupMembership : Cannot convert 'Microsoft.ActiveDirectory.Management.ADPropertyValueCollection' to the type 'Microsoft.ActiveDirectory.Management.ADPrincipal' required by parameter 'Identity'. Specified method is not supported.
At line:1 char:160
+ Import-CSV T:\temp\users.csv | ForEach-Object {Get-ADPrincipalGroupMembership -Identity $_.member | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity <<<<  $_.member -MemberOf SamAccountName}}
    + CategoryInfo          : InvalidArgument: (:) [Remove-ADPrincipalGroupMembership], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership

1 answer

Adi Inbar (accepted answer)

It's generally a good idea to also provide a sample of the data you're operating on (in this case, what the contents of users.csv looks like), since the key to resolving the problem could lie in the data you're reading in. However, in this case I believe I can see what's tripping you up without seeing the data.

Keep in mind that in each stage of the pipeline, $_ is set to the values of each of the objects from the previous stage of the pipeline. $_.member doesn't have a consistent value throughout the pipeline.

In the second stage, ForEach-Object {Get-ADPrincipalGroupMembership -Identity $_.member, $_.member evaluates to the values of the "member" column of the CSV file. In the third stage, ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_.member -MemberOf SamAccountName}, it evaluates to the Member property of the group objects passed from the second stage. Those objects don't have a Member property, so $_.member is null.

What you can do is capture the values from the CSV file (usernames, I presume?) into a variable at the beginning of the first ForEach-Object filter, and use that as the -Identity argument:

Import-Csv T:\temp\users.csv | %{
  # $_ is the CSV row here; save the username before the inner pipeline rebinds $_
  $user = $_.member
  Get-ADPrincipalGroupMembership -Identity $user | %{
    # $_ is now an ADGroup object, so its SamAccountName is the group to leave
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_.SamAccountName
  }
}

Also, note that the argument to -MemberOf should be $_.SamAccountName. In PowerShell 3.0, the following will give you the SamAccountName property of each group:

Get-ADPrincipalGroupMembership -Identity $user | % SamAccountName

However, in a scriptblock you need $_.SamAccountName. In PowerShell 2.0 (as you've tagged this question), you can't use bare property names at all.
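The accepted answer fixes the $_ rebinding problem; the script below is an added example, not code from the question or the answer, that applies the same pattern with the checks a practitioner would want before running a bulk removal against a directory: it verifies each account is actually disabled before touching it, skips the primary group (normally Domain Users, which Remove-ADPrincipalGroupMembership cannot remove), suppresses the cmdlet's confirmation prompt, supports a dry run via -WhatIf, and writes a log of what was removed. It assumes the ActiveDirectory module is available, the CSV layout shown in the question (one "member" column of SamAccountNames), and PowerShell 2.0 syntax (no bare property names). The log path and the $dryRun switch are assumptions added here.

```powershell
# Added example (not from the question or answer above). Assumes the ActiveDirectory
# module and the users.csv layout from the question; $logPath and $dryRun are assumed.
Import-Module ActiveDirectory

$csvPath = 'T:\temp\users.csv'            # path from the question
$logPath = 'T:\temp\group-removals.log'   # assumed log location
$dryRun  = $true                          # set to $false to actually remove memberships

Import-Csv $csvPath | ForEach-Object {
    # $_ is the CSV row here; capture the username before the inner pipeline rebinds $_
    $sam = $_.member

    # Resolve the account once and pull the two properties the checks below need
    $user = Get-ADUser -Identity $sam -Properties Enabled, PrimaryGroup -ErrorAction SilentlyContinue
    if ($user -eq $null) {
        Write-Warning "$sam not found in AD, skipping"
        return   # inside ForEach-Object, 'return' skips to the next CSV row
    }

    # Safety check: only strip membership from accounts that are really disabled,
    # so a stale or mistyped entry in the CSV cannot lock out an active user
    if ($user.Enabled) {
        Write-Warning "$sam is still enabled, skipping"
        return
    }

    # The primary group is reported by Get-ADPrincipalGroupMembership but cannot be
    # removed with Remove-ADPrincipalGroupMembership, so filter it out by DN
    Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup } |
        ForEach-Object {
            # $_ is now an ADGroup object
            $group = $_
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -Confirm:$false -WhatIf:$dryRun
            if (-not $dryRun) {
                $stamp = Get-Date -Format s
                "$stamp`t$sam`tremoved from`t$($group.SamAccountName)" | Out-File -FilePath $logPath -Append
            }
        }
}
```

Run it once with $dryRun left at $true: -WhatIf makes Remove-ADPrincipalGroupMembership print each removal it would perform without changing the directory, which lets you confirm the CSV and the Enabled check are doing what you expect before flipping the switch. Keeping the log is worth the extra line because group removals are not reversible from the object itself; the log is the only record of which memberships to restore if an account is re-enabled.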