Public/Remove-ADSIGroupMember.ps1
function Remove-ADSIGroupMember { <# .SYNOPSIS Function to Remove a group member .DESCRIPTION Function to Remove a group member .PARAMETER Identity Specifies the Identity of the group You can provide one of the following properties DistinguishedName Guid Name SamAccountName Sid UserPrincipalName Those properties come from the following enumeration: System.DirectoryServices.AccountManagement.IdentityType .PARAMETER Member Specifies the member account. Performing an Ambiguous Name Resolution LDAP query to find the account. http://social.technet.microsoft.com/wiki/contents/articles/22653.active-directory-ambiguous-name-resolution.aspx .PARAMETER Credential Specifies the alternative credential to use. By default it will use the current user windows credentials. .PARAMETER DomainName Specifies the alternative Domain where the user should be created By default it will use the current domain. .EXAMPLE Remove-ADSIGroupMember -Identity TestADSIGroup -Member 'UserTestAccount1' Removing the User account 'UserTestAccount1' to the group 'TestADSIGroup' .EXAMPLE Remove-ADSIGroupMember -Identity TestADSIGroup -Member 'GroupTestAccount1' Removing the Group account 'GroupTestAccount1' to the group 'TestADSIGroup' .EXAMPLE Remove-ADSIGroupMember -Identity TestADSIGroup -Member 'ComputerTestAccount1' Removing the Computer account 'ComputerTestAccount1' to the group 'TestADSIGroup' .NOTES Francois-Xavier.Cat LazyWinAdmin.com @lazywinadm github.com/lazywinadmin #> [CmdletBinding(SupportsShouldProcess=$true)] PARAM( [parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)] $Identity, [Alias("RunAs")] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [String]$DomainName, $Member ) BEGIN { Add-Type -AssemblyName System.DirectoryServices.AccountManagement # Create Context splatting $ContextSplatting = @{ Contexttype = "Domain" } IF ($PSBoundParameters['Credential']){$ContextSplatting.Credential = $Credential} IF ($PSBoundParameters['DomainName']){$ContextSplatting.DomainName = $DomainName} $Context = New-ADSIPrincipalContext @ContextSplatting } PROCESS { TRY{ # Resolving member # Directory Entry object $DirectoryEntryParams = $ContextSplatting.remove('ContextType') $DirectoryEntry = New-ADSIDirectoryEntry @DirectoryEntryParams # Principal Searcher $DirectorySearcher = new-object -TypeName System.DirectoryServices.DirectorySearcher $DirectorySearcher.SearchRoot = $DirectoryEntry # Adding an Ambiguous Name Resolution LDAP Filter $DirectorySearcher.Filter = "(anr=$member)" # Retrieve a single object $Account = $DirectorySearcher.FindOne().GetDirectoryEntry() if($Account) { switch ($Account.SchemaClassName) { 'user' {$member =[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context, $Account.distinguishedname)} 'group' {$member = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($Context, $Account.distinguishedname)} 'computer' {$member = [System.DirectoryServices.AccountManagement.ComputerPrincipal]::FindByIdentity($Context, $Account.distinguishedname)} } } if ($pscmdlet.ShouldProcess("$Identity", "Remove Account member $member")){ $group =(Get-ADSIGroup -Identity $Identity @ContextSplatting) [void]$group.members.remove($Member) #Void because this method returns $True/$false ($group.Save()) } } CATCH{ Write-Error $Error[0] } } } |