PowerShell to Remove Users from Cross Domain Groups

“How would you remove over 1,000 users from 10 different AD groups?” Another engineer on my team asked me this, and my answer, without missing a beat, was PowerShell.

The work environment has many different domains and several forests. Even so, this shouldn’t be a difficult process. So I started with the simple approach of importing users.txt and groups.txt into variables.

$ADGroups = get-content C:\Scripts\Logs\groups.txt
$UserstoRemove = Get-content C:\Scripts\Logs\users.txt

That part was easy. Next I need to find the authoritative domain controller for the domain the users are in, and the one for the domain the groups are in. Luckily for me, all of the groups live in one domain and all of the users in another, so there are only two domains involved.

$Domain_GroupAreIn = (Get-ADDomain Domain_GroupAreIn).PDCEmulator
$Domain_UsersAreIn = (Get-ADDomain Domain_UsersAreIn).PDCEmulator

Now I have the decision of looping through the groups or the users first. I thought about this and chose to loop through the groups, since there were only 10.

foreach ($ADGroup in $ADGroups)

Now the group loop begins. I need to enumerate the group’s membership and compare it against the list of users with another loop.

$Members = Get-ADGroupMember -Identity $ADGroup -Server $Domain_GroupAreIn -Recursive
foreach ($user in $UserstoRemove){
    If ($Members.name -contains $user)

If the loop finds that the user is a member of the group, then it’s removed.

Write-Host "Removing $user from $ADGroup" -ForegroundColor Yellow
$DomainUser = Get-ADUser $user -Server $Domain_UsersAreIn
Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn

Seems simple enough, but on the first run of the script it looked like everything was working as intended; after doing a spot check, though, nothing had changed. I double-checked everything and couldn’t find anything out of place. Then it hit me: the workstation I was running the script from was in a different domain than the one that contains the AD groups. I changed where I was running the script from and it worked.

Below is the complete script.

$ADGroups = Get-Content C:\Scripts\Logs\groups.txt        # one AD group name per line
$UserstoRemove = Get-Content C:\Scripts\Logs\users.txt    # one SamAccountName per line
$Domain_GroupAreIn = (Get-ADDomain Domain_GroupAreIn).PDCEmulator
$Domain_UsersAreIn = (Get-ADDomain Domain_UsersAreIn).PDCEmulator
foreach ($ADGroup in $ADGroups){
    $Members = Get-ADGroupMember -Identity $ADGroup -Server $Domain_GroupAreIn -Recursive
    foreach ($user in $UserstoRemove){
        # $Members.name is the member's CN, so this only matches when the CN equals the SamAccountName in users.txt
        If ($Members.name -contains $user){
            Write-Host "removing $user from $ADGroup" -ForegroundColor Yellow
            # Look the user up in its own domain, then remove that object from the group in the group's domain
            $DomainUser = Get-ADUser $user -Server $Domain_UsersAreIn
            Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn
        }
    }
}

If you want to test how this works in your environment, modify the line below…

Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn

to include -WhatIf:

Remove-ADGroupMember -Identity $ADGroup -Members $DomainUser -Server $Domain_GroupAreIn -WhatIf

This will display what it would do if it were run, without changing anything.
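Putting the complete script and the -WhatIf dry run together, here is an added example of my own (not Stuart's script) that resolves each user once in its own domain, matches group members by SID rather than by Name, and makes -WhatIf work on the whole function so the dry run and the audit output come from one place. The function name, parameter names and the example.com domain names are my own assumptions.

```powershell
Import-Module ActiveDirectory

function Remove-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $GroupDomain,     # DNS name of the domain holding the groups
        [Parameter(Mandatory)] [string]   $UserDomain,      # DNS name of the domain holding the users
        [Parameter(Mandatory)] [string[]] $GroupName,       # e.g. Get-Content groups.txt
        [Parameter(Mandatory)] [string[]] $SamAccountName   # e.g. Get-Content users.txt
    )
    # Pin one DC per domain so the reads and the write go to the same server.
    $groupDc = (Get-ADDomain -Identity $GroupDomain).PDCEmulator
    $userDc  = (Get-ADDomain -Identity $UserDomain).PDCEmulator

    # Resolve every user once, in its own domain, and key the lookup by SID.
    # A SID is unambiguous across domains; Name (the CN) need not equal the SamAccountName.
    $targets = @{}
    foreach ($sam in $SamAccountName) {
        try   { $u = Get-ADUser -Identity $sam -Server $userDc; $targets[$u.SID.Value] = $u }
        catch { Write-Warning "User '$sam' not found in ${UserDomain}: $($_.Exception.Message)" }
    }

    foreach ($g in $GroupName) {
        # Direct members only: Remove-ADGroupMember cannot remove a member inherited
        # through a nested group, so -Recursive would report users it cannot remove.
        $members = Get-ADGroupMember -Identity $g -Server $groupDc
        foreach ($m in $members) {
            $sid = $m.SID.Value
            if (-not $targets.ContainsKey($sid)) { continue }
            $u = $targets[$sid]
            # ShouldProcess makes -WhatIf and -Confirm on this function apply to the removal.
            $removed = $PSCmdlet.ShouldProcess("$g in $GroupDomain", "Remove $($u.SamAccountName) from $UserDomain")
            if ($removed) {
                Remove-ADGroupMember -Identity $g -Members $u -Server $groupDc -Confirm:$false
            }
            # One audit record per decision, so the run can be piped to Export-Csv.
            [pscustomobject]@{ Group = $g; User = $u.SamAccountName; Sid = $sid; Removed = $removed }
        }
    }
}

# Dry run first, then drop -WhatIf. The domain names below are placeholders.
# Remove-CrossDomainGroupMember -GroupDomain groups.example.com -UserDomain users.example.com `
#     -GroupName (Get-Content C:\Scripts\Logs\groups.txt) `
#     -SamAccountName (Get-Content C:\Scripts\Logs\users.txt) -WhatIf |
#     Export-Csv C:\Scripts\Logs\removals.csv -NoTypeInformation
```

Because the function declares SupportsShouldProcess, the same -WhatIf switch Stuart describes applies to every removal without editing the script body.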

-Stuart

4 thoughts on “PowerShell to Remove Users from Cross Domain Groups”

  1. I’m having the same troubles.
    It may help me (and others) understand this better if there is a view of some sample of the data in: groups.txt & users.txt

    Thanks.

    1. Garry,
      Sorry for the slow reply.
      The users.txt file has a list of the user’s SamAccountName. The groups.txt is the ad group name. I hope this helps to resolve the issues you are facing.

      -Stuart

  2. Hi,

    I got the same problem, but I found that it is a limitation caused by the PowerShell 5.1 code itself. Someone explained that it works if you use the Quest (Dell) ActiveRoles Management PowerShell cmdlets instead of those from Microsoft.

    Unfortunately, those Quest PowerShell tools are old, no longer supported and need Microsoft .NET Framework 3.5 SP1 installed (which will be removed in 2028 from most Microsoft products).

    See: https://ss64.com/ps/quest.html

    —————

    I didn’t test using PowerShell 6.x or 7.x for the moment; maybe Microsoft will optimize its code!

  3. I don’t think you need the PDC Emulator necessarily. I had success by just specifying the Domain with the -Server flag. I think the bulk of this problem is getting the User object from the correct Domain instead of trying to refer to it by a string identity.
