Remove group membership from multiple domain

The PowerShell cmdlet Remove-ADGroupMember has a problem removing group membership in this case:

  • user account from Domain1.domain.local
  • group from Domain2.domain.local

If you run the command:

Remove-ADGroupMember -Identity "CN=GroupName,OU=Groups,DC=Domain2,DC=domain,DC=local" -Members "CN=UserName,OU=Users,DC=Domain1,DC=domain,DC=local" -Confirm:$false -Server "dc01.Domain1.domain.local"

You will get the following error message:

Remove-ADGroupMember : Cannot find an object with identity: 'CN=GroupName,OU=Groups,DC=Domain2,DC=domain,DC=local' under: 'DC=Domain1,DC=domain,DC=local'.
At line:1 char:1
+ Remove-ADGroupMember -Identity "CN=GroupName,OU=Groups,DC=Domain2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=GroupName,OU=Groups...=domain,DC=local:ADGroup) [Remove-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember

If you try to run this command instead, pointing at a domain controller of the group's domain:

Remove-ADGroupMember -Identity "CN=GroupName,OU=Groups,DC=Domain2,DC=domain,DC=local" -Members "CN=UserName,OU=Users,DC=Domain1,DC=domain,DC=local" -Confirm:$false -Server "dc01.Domain2.domain.local"

You get another error, this time because the member DN cannot be resolved under the Domain2 naming context:

Remove-ADGroupMember : Cannot find an object with identity: 'CN=UserName,OU=Users,DC=Domain1,DC=domain,DC=local' under: 'DC=Domain2,DC=domain,DC=local'.
At line:1 char:1
+ Remove-ADGroupMember -Identity "CN=GroupName,OU=Groups,DC=Domain2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=UserName...=domain,DC=local:ADPrincipal) [Remove-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember

In this scenario, the only way to manage this task is to use the PowerShell cmdlet Set-ADObject, which edits the group's member attribute directly on a domain controller of the group's own domain:

# Resolve the group on a DC of its own domain (Domain2)
$Group = Get-ADGroup "CN=GroupName,OU=Groups,DC=Domain2,DC=domain,DC=local" -Server "dc01.Domain2.domain.local"
# Remove the Domain1 user's DN from the group's member attribute on the same DC
Set-ADObject -Identity $Group.DistinguishedName -Remove @{member="CN=UserName,OU=Users,DC=Domain1,DC=domain,DC=local"} -Server "dc01.Domain2.domain.local"
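The same Set-ADObject approach wrapped in a function that checks the group's member attribute before and after the change, so a silent no-op or a failed removal is reported rather than assumed. This is an added example, not code from the original post; the group, user and server names are placeholders.

```powershell
# Added example: cross-domain member removal with a membership check before and after.
# Placeholder DNs and server names; the DN comparison is case-insensitive.
function Remove-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,     # group in Domain2
        [Parameter(Mandatory)] [string] $MemberDN,    # user in Domain1
        [Parameter(Mandatory)] [string] $GroupServer  # a DC of the group's own domain
    )

    # Always query the group in its own domain; a Domain1 DC cannot resolve a Domain2 DN.
    $group = Get-ADGroup -Identity $GroupDN -Properties member -Server $GroupServer

    # The member attribute holds the foreign user's DN; verify it before changing anything.
    if (-not ($group.member | Where-Object { $_ -ieq $MemberDN })) {
        Write-Warning "$MemberDN is not a direct member of $($group.Name); nothing to remove."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove member $MemberDN")) {
        Set-ADObject -Identity $group.DistinguishedName -Remove @{ member = $MemberDN } -Server $GroupServer

        # Re-read from the same DC so replication lag cannot mask a failed removal.
        $after = Get-ADGroup -Identity $GroupDN -Properties member -Server $GroupServer
        if ($after.member | Where-Object { $_ -ieq $MemberDN }) {
            Write-Error "Removal of $MemberDN from $($group.Name) did not take effect."
            return $false
        }
        return $true
    }
    return $false
}

# Usage with placeholder names; add -WhatIf to preview without changing the group.
Remove-CrossDomainGroupMember `
    -GroupDN 'CN=GroupName,OU=Groups,DC=Domain2,DC=domain,DC=local' `
    -MemberDN 'CN=UserName,OU=Users,DC=Domain1,DC=domain,DC=local' `
    -GroupServer 'dc01.Domain2.domain.local' -Verbose
```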
