I have a list of accounts (SAM account names) and a list of groups that all of those accounts need to be removed from. My problem is that, because the users are in a different domain, I have to specify -Server DC01. I can remove 1 user at a time like this:
```powershell
$Groups = Get-Content C:\temp\groups.txt
$user = get-aduser <username> -Server "DC01.domain.com"
foreach ($Group in $Groups) {
    Write-Host "Removing $user from $group" -Foreground Yellow
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}
```
But I have several long lists of users, and there must be a way to target all of them.
I tried adding the entries marked below, but no dice:
```powershell
$Groups = Get-Content C:\temp\groups.txt
$user = Get-Content C:\temp\users0.txt -Server "DC01.domain.com"   # <-- added
foreach ($Group in $Groups) {
    Write-Host "Removing $user from $group" -Foreground Yellow
    Remove-ADGroupMember -Identity $group -Members $user -searchbase = "DC=domain,DC=com" -Confirm:$false   # <-- added -searchbase
}
```
Thanks in advance for any suggestions!
Answer 0 (score: 1)
I can't test this right now, but I believe you can set the -Members parameter to an array of users.
Apparently, Remove-ADGroupMember does not work when given an array of DistinguishedNames if the users come from another domain, so we need to use the full default objects (Microsoft.ActiveDirectory.Management.ADUser) returned by the Get-ADUser cmdlet.
```powershell
$DCGroups = (Get-ADDomain your.domainA.com).PDCEmulator # get a PDC emulator in domain A where the groups are
$DCUsers = (Get-ADDomain your.domainB.com).PDCEmulator  # get a PDC emulator in domain B where the users are
$Groups = Get-Content 'C:\temp\groups.txt'              # the groups are in domain A
# get an array of ADUser objects from domain B
$users = Get-Content 'C:\temp\users0.txt' | ForEach-Object {
    $user = Get-ADUser -Filter "SamAccountName -eq '$_'" -Server $DCUsers -ErrorAction SilentlyContinue
    if ($user) { $user }
}
# remove these users from the groups in domain A
foreach ($Group in $Groups) {
    Write-Host "Removing $($users.Count) users from $Group" -Foreground Yellow
    Remove-ADGroupMember -Identity $Group -Members $users -Confirm:$false -Server $DCGroups
}
```
Edit
To overcome the exception thrown when trying to remove a user who is not a member of the group, some extra code is needed to make sure the -Members parameter of Remove-ADGroupMember only contains ADUser objects that are currently members of that group.
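One way to implement that membership check, as an added example that is not the answerer's code: it reads each group's `member` attribute from the groups' domain controller and passes only the listed users whose DN actually appears there. It reuses the `$DCGroups`, `$DCUsers` and file paths from the answer and assumes both domains are in the same forest (so the `member` attribute holds the users' real DNs rather than foreign security principals).

```powershell
# Added example (not the answer's code): remove only users who are
# currently members of each group, so Remove-ADGroupMember never throws
# for a non-member. Assumes domain A and domain B are in the same forest.
Import-Module ActiveDirectory

$DCGroups = (Get-ADDomain your.domainA.com).PDCEmulator  # DC in the groups' domain
$DCUsers  = (Get-ADDomain your.domainB.com).PDCEmulator  # DC in the users' domain
$Groups   = Get-Content 'C:\temp\groups.txt'

# Resolve SAM account names to ADUser objects in domain B and warn about
# any name that does not resolve, so a typo is not silently skipped.
$users = foreach ($sam in Get-Content 'C:\temp\users0.txt') {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $DCUsers -ErrorAction SilentlyContinue
    if ($u) { $u } else { Write-Warning "User '$sam' not found in domain B" }
}

foreach ($Group in $Groups) {
    # The 'member' attribute lists the DNs of all members, including members
    # from other domains in the forest, without resolving each one.
    $memberDNs = (Get-ADGroup -Identity $Group -Properties member -Server $DCGroups).member

    # Keep only the ADUser objects whose DN is currently in this group.
    $toRemove = @($users | Where-Object { $memberDNs -contains $_.DistinguishedName })

    if ($toRemove.Count -eq 0) {
        Write-Host "None of the listed users are members of $Group; skipping" -ForegroundColor Gray
        continue
    }

    Write-Host "Removing $($toRemove.Count) user(s) from $Group" -ForegroundColor Yellow
    Remove-ADGroupMember -Identity $Group -Members $toRemove -Server $DCGroups -Confirm:$false
}
```

Run it once with `-WhatIf` added to the Remove-ADGroupMember call to review which removals would happen before changing any memberships.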