How to Remove Users From Groups in PowerShell
 
This article covers removing users from Active Directory groups with PowerShell and walks through the parameters of the cmdlet that does it, Remove-ADGroupMember.
Remove Users From Groups in PowerShell
Removing users from a local or Active Directory group when they leave a team or the organization is a common requirement, and a security-relevant one: a stale group membership is a standing privilege the user (or whoever holds their credentials) keeps until it is revoked. Doing it by hand in the GUI is slow, and bulk removal that way is error-prone.
PowerShell has cmdlets for both cases. Local groups on a single machine are handled by Remove-LocalGroupMember (Microsoft.PowerShell.LocalAccounts module). Active Directory groups, which this article is about, are handled by Remove-ADGroupMember from the ActiveDirectory module, which ships with the RSAT tools and runs against a domain controller.
The basic syntax of the command is below.
Remove-ADGroupMember [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADGroup> [-Members] <ADPrincipal[]> [-Partition <String>] [-PassThru] [-Server <String>] [-DisablePermissiveModify] [<CommonParameters>]
Some references list rlgm as an alias for Remove-ADGroupMember; check with Get-Alias -Definition Remove-ADGroupMember on your own system before relying on it, and use the full cmdlet name in scripts regardless. As the syntax shows, the command accepts many parameters, so let us discuss them one by one.
Command Parameters of Remove-ADGroupMember in PowerShell
- -Confirm: Prompts for confirmation before the cmdlet executes. The data type is switch, the alias is cf, and the default is False. Note that Remove-ADGroupMember prompts for confirmation by default anyway (a destructive cmdlet with a high confirm impact), so unattended scripts must pass -Confirm:$false. The parameter does not accept pipeline input, and wildcard characters are not permitted.
- -WhatIf: Shows what the cmdlet would do without actually making the change, which is the safe way to preview a bulk removal. The data type is switch, the alias is wi, the default is False, it does not accept pipeline input, and wildcard characters are not permitted.
- -AuthType: Specifies the authentication method used to connect to Active Directory. The accepted values are Negotiate (0) and Basic (1). Negotiate is used unless you specify otherwise; the Basic method requires an SSL connection to the server. The data type is ADAuthType and the documented default value is None. Pipeline input is not accepted, and wildcard characters are not permitted.
- -Credential: Specifies the user account under which the cmdlet runs. By default the cmdlet uses the credentials of the currently logged-on user, unless it is run from an Active Directory provider drive, in which case the account associated with that drive is used. The data type is PSCredential and the default value is None. The parameter does not accept pipeline input, and wildcard characters are not permitted.
- -DisablePermissiveModify: By default the server uses permissive modify, so removing a member that is not actually in the group succeeds silently. This switch disables that behavior, so the cmdlet throws an error if a specified member is not in the group, which is what you want when a script must notice that a CSV row was wrong. The data type is switch, the default is False, the parameter does not accept pipeline input, and wildcard characters are not permitted.
- -Identity: Specifies the group to remove members from. It accepts a distinguished name, GUID, security identifier (SID), or SAM account name, or an ADGroup object such as one returned by Get-ADGroup. The data type is ADGroup and it accepts pipeline input by value.
- -Members: The users, groups, computers, or other principals to remove from the group. Each member can be given as a distinguished name, security identifier, SAM account name, or GUID, and the parameter accepts an array so several members can be removed in one call. The data type is ADPrincipal[] and the default value is None. The parameter does not accept pipeline input, and wildcard characters are not permitted.
- -Partition: The distinguished name of the Active Directory partition to search. A default is derived in one of the following ways: if -Identity is given as a distinguished name, the partition name is taken directly from that DN; if the cmdlet is run from an Active Directory provider drive, the partition is derived from the drive's current path; otherwise, the target domain's partition is used. The data type is string and the default value is None. The parameter does not accept pipeline input, and wildcard characters are not permitted.
- -PassThru: By default the cmdlet generates no output. With -PassThru it returns an object representing the group you are modifying, which is useful for logging or for piping into a follow-up command. The data type is switch and the default value is None. The parameter does not accept pipeline input, and wildcard characters are not permitted.
- -Server: The Active Directory Domain Services instance to connect to, given as a domain or domain controller name (for example a fully qualified name). If omitted, the cmdlet picks a domain controller using the current provider drive or the computer's domain. The data type is string.
Below is an example of Remove-ADGroupMember driven by a CSV file with Identity and Member columns.
Import-Module ActiveDirectory    # provides Remove-ADGroupMember (RSAT AD module)
Write-Host "Removing users from an AD group."
Import-Csv "C:\temp\test_users.csv" | ForEach-Object {
    $identity = $_.Identity       # CSV column: the group (name, DN, SID or GUID)
    $user     = $_.Member         # CSV column: the member (SAM account name, DN, SID or GUID)
    # -Confirm:$false suppresses the prompt the cmdlet raises for every removal by default
    Remove-ADGroupMember -Identity $identity -Members $user -Confirm:$false
    Write-Host "User $user successfully removed from the AD group"
}
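The loop above reports success for every row whether or not the removal actually happened, because permissive modify hides a no-op and a non-terminating error does not stop the pipeline. The following script is an added example, not code from the original article: it previews removals with -WhatIf, resolves each group and user first so a typo in the CSV fails loudly, checks the user's MemberOf before calling the cmdlet, and records an outcome per row. The CSV path, the Identity/Member column names, and the output path are assumptions for illustration.

```powershell
# Added example (not from the original article): audited bulk removal of AD group members.
# Assumes a CSV with columns Identity (group) and Member (user) and an RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath = 'C:\temp\test_users.csv',      # assumed input path
    [string]$LogPath = 'C:\temp\removal_results.csv'  # assumed output path
)

Import-Module ActiveDirectory

$rows = Import-Csv -Path $CsvPath

$results = foreach ($row in $rows) {
    $groupId  = $row.Identity
    $memberId = $row.Member
    try {
        # Resolve both objects before touching anything; a bad row throws here, not later.
        $group = Get-ADGroup -Identity $groupId -ErrorAction Stop
        $user  = Get-ADUser  -Identity $memberId -Properties MemberOf -ErrorAction Stop

        # Check membership via the user's MemberOf rather than Get-ADGroupMember, which
        # can fail on groups larger than the ADWS result limit. Permissive modify would
        # otherwise make a removal of a non-member look like a success.
        if ($user.MemberOf -notcontains $group.DistinguishedName) {
            [pscustomobject]@{ Group = $group.Name; Member = $user.SamAccountName; Status = 'NotAMember' }
            continue
        }

        # ShouldProcess honours -WhatIf / -Confirm passed to this script for the whole batch.
        if ($PSCmdlet.ShouldProcess("$($user.SamAccountName) from $($group.Name)", 'Remove-ADGroupMember')) {
            # -Confirm:$false stops the cmdlet prompting once per row;
            # -ErrorAction Stop turns an access-denied or replication error into a caught exception.
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ Group = $group.Name; Member = $user.SamAccountName; Status = 'Removed' }
        }
        else {
            [pscustomobject]@{ Group = $group.Name; Member = $user.SamAccountName; Status = 'Skipped (WhatIf)' }
        }
    }
    catch {
        # Keep going for the rest of the file, but record exactly what failed and why.
        [pscustomobject]@{ Group = $groupId; Member = $memberId; Status = "Error: $($_.Exception.Message)" }
    }
}

# The per-row log is the audit trail for the access change; keep it with the change ticket.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it first as .\Remove-GroupMembers.ps1 -WhatIf to see every intended removal without changing anything, then without -WhatIf to apply. Rows marked NotAMember or Error are the ones to investigate: a NotAMember row usually means the CSV names the wrong group or a user who was already removed, which the plain cmdlet would have silently accepted.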
Marion specializes in anything Microsoft-related and always tries to work and apply code in an IT infrastructure.