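I'm trying to write a script that finds disabled users who are members of one or more groups in a specific OU in AD. It then removes all groups from all of the disabled users. But I want to generate the list of users with an exception list of names. Say I don't want to remove the groups of certain specific disabled users.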
$SearchBase = "OU=Disabled Users,DC=contoso,DC=com"
$Users = Get-ADUser -filter * -SearchBase $SearchBase -Properties MemberOf
$ExcludeUsers =@("SM_82786dfdc96642ed9","SM_516a93b689334db1a")
$Users = $Users | where-Object { $ExcludeUsers -notcontains $_.samaccountname }
ForEach($User in $Users){
$User.MemberOf | Remove-ADGroupMember -Member $User -Confirm:$false
}
Error:
Remove-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:3 char:22
+ $User.MemberOf | Remove-ADGroupMember -Member $User -Confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Remove-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember
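Answer 0 (score: 0)
It looks like you've found users that don't have any groups (Domain Users is not part of memberof). Use something like Where-Object to filter out the null objects. For example: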
$User.MemberOf | Where-Object { $_ } | Remove-ADGroupMember -Member $User -Confirm:$false
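A defensive variant of this cleanup, added here as an example and not part of the original question or answer: it builds the list of removals first, so it can be reviewed and saved before anything changes in AD. The function name Get-GroupRemovalPlan, the sample accounts and group DNs, the CSV file name and the Enabled filter are assumptions for illustration.

```powershell
# Added example: plan group removals for disabled accounts, then apply them.
function Get-GroupRemovalPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $ExcludeUsers = @()
    )
    process {
        # Skip accounts on the keep-list (-contains is case-insensitive).
        if ($ExcludeUsers -contains $User.SamAccountName) { return }
        # MemberOf is empty when the only membership is the primary group
        # (e.g. Domain Users); drop nulls so -Identity never receives $null.
        foreach ($group in @($User.MemberOf | Where-Object { $_ })) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                UserDN         = $User.DistinguishedName
                GroupDN        = $group
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output (runs offline).
$ou = 'OU=Disabled Users,DC=contoso,DC=com'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; DistinguishedName = "CN=jdoe,$ou"; MemberOf = @('CN=VPN Users,OU=Groups,DC=contoso,DC=com', 'CN=Finance,OU=Groups,DC=contoso,DC=com') }
    [pscustomobject]@{ SamAccountName = 'nogroups'; DistinguishedName = "CN=nogroups,$ou"; MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'SM_82786dfdc96642ed9'; DistinguishedName = "CN=SM_82786dfdc96642ed9,$ou"; MemberOf = @('CN=Mail,OU=Groups,DC=contoso,DC=com') }
)
$keep = 'SM_82786dfdc96642ed9', 'SM_516a93b689334db1a'
$plan = $sample | Get-GroupRemovalPlan -ExcludeUsers $keep
$plan | Format-Table -AutoSize

# Against a real directory (requires the ActiveDirectory module):
# $plan = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $ou -Properties MemberOf |
#             Get-GroupRemovalPlan -ExcludeUsers $keep
# $plan | Export-Csv .\removed-memberships.csv -NoTypeInformation   # record for rollback
# foreach ($row in $plan) {
#     Remove-ADGroupMember -Identity $row.GroupDN -Members $row.UserDN -Confirm:$false -WhatIf
# }
```

Remove -WhatIf only after the exported plan has been reviewed; the CSV then serves as the record for restoring a membership that was removed by mistake.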