0phoi5 Posted September 9, 2016

Hi all,

I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with an @ symbol:

Get-ADGroup -Filter 'name -like "@*"' | Remove-ADGroupMember -Members $UserID

It actually works fine, and successfully removes them from the correct groups, however the script locks my admin account every time it's run. Weird!

I suspect it's to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with @), or it thinks I'm trying to do something malicious because I'm sending such a large number of commands in a short time?

Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single @ group in the Active Directory, it only runs for the groups that the user is a member of?

Or any other ideas?

Thank you.

sud0nick Posted September 9, 2016 (edited)

That shouldn't lock out your account as far as I know. However, this is probably a better way to get what you want. It will target only the groups that your user is associated with and remove them from each.

# Pipe the matching group objects directly; "Select Name" would wrap each one in an object that -Identity cannot resolve
Get-ADPrincipalGroupMembership $UserID | ? { $_.Name -like "@*" } | % { Remove-ADGroupMember -Identity $_ -Members $UserID }

Edit: Forgot that you're looking for group names with "@" so I fixed it to include only those groups.

Edited September 9, 2016 by sud0nick
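
Added example, not part of sud0nick's post or of the thread: a variant of the same idea that reads the user's memberOf attribute once and then touches only the "@" groups the user actually belongs to, with -WhatIf support and one result record per group. The function name, its parameters and the CSV file name are assumptions made for this illustration.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (name and parameters are assumptions, not from the thread).
function Remove-ADUserFromPrefixedGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserID,
        [string]$Prefix = '@'
    )

    # One read: the user's direct group memberships, as distinguished names.
    # memberOf does not list the primary group (e.g. Domain Users).
    $user = Get-ADUser -Identity $UserID -Properties MemberOf -ErrorAction Stop

    # A group's Name is the CN at the start of its DN, so match on "CN=@".
    # Assumes the prefix has no characters that are escaped in a DN.
    $targets = @($user.MemberOf | Where-Object {
        $_.StartsWith("CN=$Prefix", [StringComparison]::OrdinalIgnoreCase)
    })

    foreach ($groupDn in $targets) {
        $result = 'Skipped'
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $UserID")) {
            try {
                # -Confirm:$false because ShouldProcess above already gates the change.
                Remove-ADGroupMember -Identity $groupDn -Members $user `
                    -Confirm:$false -ErrorAction Stop
                $result = 'Removed'
            }
            catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        }
        # One record per group, suitable for Export-Csv as a change log.
        [pscustomobject]@{ User = $UserID; Group = $groupDn; Result = $result }
    }
}

# Dry run first, then the real change (constructed usage):
# Remove-ADUserFromPrefixedGroup -UserID $UserID -WhatIf
# Remove-ADUserFromPrefixedGroup -UserID $UserID | Export-Csv .\removed.csv -NoTypeInformation
```

Running it with -WhatIf first lists the groups that would be changed without modifying any of them.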

0phoi5 (Author) Posted September 9, 2016

Thank you, I will give this a test and get back to you. Busy work day! Much appreciated.

0phoi5 (Author) Posted September 14, 2016

Annoyingly, I cannot run Get-ADPrincipalGroupMembership at the moment, due to 'The server was unable to process the request due to an internal error.'

I've asked one of our higher resolver teams to take a look at my access rights.