PowerShell to Remove Users from Cross Domain Groups

“How would you remove over 1,000 users from 10 different AD groups?” Another engineer on my team asked me this, and my answer, without a beat, was PowerShell.

The work environment has many different domains and several forests, but this still shouldn’t be a difficult process. So I started with the simple approach of importing Users.txt and Groups.txt as variables.

$ADGroups = get-content C:\Scripts\Logs\groups.txt
$UserstoRemove = Get-content C:\Scripts\Logs\users.txt

That part was easy, so now I need to enumerate the authoritative domain controller for the domain the users are in, along with the one for the domain the groups are in. Lucky for me, all of the groups are in one domain and all of the users are in another.

$Domain_GroupAreIn = (Get-ADDomain Domain_GroupAreIn).PDCEmulator
$Domain_UsersAreIn = (Get-ADDomain Domain_UsersAreIn).PDCEmulator

Now I have the decision of looping through the groups or the users first. I thought about this and chose to loop through the groups, since there were only 10.

foreach ($ADGroup in $ADGroups){

Now the group loop begins. I need to enumerate the group membership of the group and do a comparison to the list of users with another loop.

$Members = Get-ADGroupMember -Identity $ADGroup -Server $Domain_GroupAreIn -Recursive
foreach ($user in $UserstoRemove){
      If ($Members.name -contains $user){

If the loop finds that the user is a member of the group, then it’s removed.

Write-Host "Removing $user from $ADGroup" -ForegroundColor Yellow
$DomainUser = Get-ADUser $user -Server $Domain_UsersAreIn
Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn

Seems simple enough, but on the first run of the script it looked like everything was working as intended; after doing a spot check, though, nothing had changed. I double checked everything and couldn’t find anything that was out of place. Then it hit me: the workstation I was running the script from was in a different domain than the one that contains the AD groups. I changed where I was running the script from and it worked.

Below is the complete script.

$ADGroups = get-content C:\Scripts\Logs\groups.txt
$UserstoRemove = Get-content C:\Scripts\Logs\users.txt
$Domain_GroupAreIn = (Get-ADDomain Domain_GroupAreIn).PDCEmulator
$Domain_UsersAreIn = (Get-ADDomain Domain_UsersAreIn).PDCEmulator
foreach ($ADGroup in $ADGroups){
    $Members = Get-ADGroupMember -Identity $ADGroup -server $Domain_GroupAreIn -Recursive
        foreach ($user in $userstoRemove){
            If ($Members.name -contains $user){
                Write-Host "removing $user from $ADGroup" -ForegroundColor Yellow
                $DomainUser = Get-ADUser $user -Server $Domain_UsersAreIn
                Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn
            }
        }
}

If you want to test how this works for you, modify the line below…

Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn

to include -WhatIf:

Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn -WhatIf

This will display what the script would do if it were run, without changing anything.
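The same cleanup can be written so that -WhatIf (and -Confirm) are accepted by the script itself instead of being edited into the Remove-ADGroupMember line, and so that every real removal is written to a log you can reconcile against the ticket afterwards. The script below is an added example, not the one from this post: it assumes the ActiveDirectory module is installed, that groups.txt and users.txt hold one sAMAccountName per line, and the two domain names and the log path are placeholders you would replace. It compares members by SID rather than by display name so that a foreign-domain member still matches, resolves each user once up front, and reads only direct members, because Remove-ADGroupMember can only remove a direct member, not one inherited through a nested group.

```powershell
# Added example: cross-domain group cleanup with built-in -WhatIf/-Confirm
# support and a removal log. Not the original post's script.
# Assumptions: ActiveDirectory module present, one sAMAccountName per line in
# each file, placeholder domain names and log path below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupFile   = 'C:\Scripts\Logs\groups.txt',
    [string]$UserFile    = 'C:\Scripts\Logs\users.txt',
    [string]$GroupDomain = 'groups.example.com',   # placeholder: domain that holds the groups
    [string]$UserDomain  = 'users.example.com',    # placeholder: domain that holds the users
    [string]$LogFile     = 'C:\Scripts\Logs\removals.log'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Read both lists, trimming whitespace and dropping blank lines.
$ADGroups      = Get-Content $GroupFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$UsersToRemove = Get-Content $UserFile  | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Resolve the PDC emulator of each domain once so that every read and every
# write goes to the same writable DC, regardless of where the script runs.
$GroupDC = (Get-ADDomain -Identity $GroupDomain).PDCEmulator
$UserDC  = (Get-ADDomain -Identity $UserDomain).PDCEmulator

# Resolve each user once, against the user domain's DC, and skip unknown names
# instead of letting a typo in users.txt abort the whole run.
$ResolvedUsers = @{}
foreach ($name in $UsersToRemove) {
    try {
        $ResolvedUsers[$name] = Get-ADUser -Identity $name -Server $UserDC
    } catch {
        Write-Warning "User '$name' not found in $UserDomain; skipping"
    }
}

foreach ($ADGroup in $ADGroups) {
    # Direct members only: a user who is present via a nested group cannot be
    # removed from this group, so -Recursive would just produce failed removals.
    $Members = Get-ADGroupMember -Identity $ADGroup -Server $GroupDC

    # Index membership by SID so a member from the other domain still matches.
    $MemberSids = @{}
    foreach ($m in $Members) { $MemberSids[$m.SID.Value] = $true }

    foreach ($name in $ResolvedUsers.Keys) {
        $user = $ResolvedUsers[$name]
        if (-not $MemberSids.ContainsKey($user.SID.Value)) { continue }

        # ShouldProcess honours -WhatIf and -Confirm passed to the script, so a
        # dry run is `.\Remove-CrossDomainMembers.ps1 -WhatIf` with no edits.
        if ($PSCmdlet.ShouldProcess("$ADGroup ($GroupDomain)", "Remove member $name")) {
            Remove-ADGroupMember -Identity $ADGroup -Members $user -Server $GroupDC -Confirm:$false
            "$(Get-Date -Format o) removed $name from $ADGroup via $GroupDC" | Add-Content -Path $LogFile
        }
    }
}
```

Run it first with -WhatIf to get the same preview the post describes, then without it to make the changes; the log file gives you a timestamped record of exactly which memberships were removed and through which domain controller, which is what you want in hand when someone asks why access disappeared.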

-Stuart
