
Remove-ADPrincipalGroupMembership 'insufficient rights'

I have a Powershell script that removes a user from all AD Groups and it fails with 'insufficient rights' when I throw a collection of groups at it, but not when I remove a single group.

$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred

WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is:
'Insufficient access rights to perform the operation'.
WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is: 'Insufficient access rights to perform the operation'.
Remove-ADPrincipalGroupMembership : Could not remove member(s) to one or more ADGroup.
At line:1 char:1
+ Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGrou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Microsoft.Activ...ement.ADGroup[]:ADGroup[]) [Remove-ADPrincipalGroupMembership], ADExcep
   tion
    + FullyQualifiedErrorId : 1,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership

But it works if I manually enter one group name using the same credentials.

Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf 'somegroup' -Credential $adcred

My Powershell Windows is running under a non-Domain Admin account, but I provide the Domain Admin credentials in the script. Furthermore, if I run a new Powershell Window 'As different user' and provide my domain admin credentials, then Remove-ADPrincipalGroupMembership will work even when I throw a collection at it.

This should fix the issue. Instead of just giving it a string, you're giving the entire AD user object.

$adcred = Get-Credential
$adUser = Read-Host 'Enter username' | get-aduser
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred

I've tested thoroughly and it works. So does piping in the user

$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'}
$aduser | Get-Aduser | Remove-ADPrincipalGroupMembership -MemberOf $adGroups -Credential $adcred
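The answer above fixes the symptom by passing a full AD user object rather than a string. The following script is an added example, not code from the question or the answer, that builds on the same idea: it resolves the user with Get-ADUser under the supplied credential, then removes group memberships one group at a time so that an 'Insufficient access rights' failure on one group is reported per group instead of aborting the whole collection. It supports -WhatIf for a dry run. The script name, the KeepGroups parameter and the sample account name are assumptions for illustration; it requires the ActiveDirectory module (RSAT) and an account with delegated write access on the groups involved.

```powershell
# Added example (not from the original post): remove a user from every group
# except the ones listed in -KeepGroups, one group at a time, reporting the
# outcome per group. Assumed file name: Remove-UserGroups.ps1
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,

    # Groups to leave alone. 'Domain Users' is the default primary group and
    # cannot be removed through group membership anyway.
    [string[]]$KeepGroups = @('Domain Users'),

    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the user to a full AD object under the supplied credential, as the
# accepted answer recommends, instead of passing a bare string.
$user = Get-ADUser -Identity $SamAccountName -Credential $Credential -ErrorAction Stop

$groups = Get-ADPrincipalGroupMembership -Identity $user -Credential $Credential |
    Where-Object { $KeepGroups -notcontains $_.Name }

$results = foreach ($group in $groups) {
    $status = 'Skipped'
    $detail = ''
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from group '$($group.Name)'")) {
        try {
            # One group per call: a failure here only affects this group.
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group `
                -Credential $Credential -Confirm:$false -ErrorAction Stop
            $status = 'Removed'
        }
        catch {
            # Typical cause: the credential lacks write access to the 'member'
            # attribute of this particular group (for example groups protected
            # by AdminSDHolder). Record it and continue with the next group.
            $status = 'Failed'
            $detail = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        User   = $user.SamAccountName
        Group  = $group.Name
        Status = $status
        Detail = $detail
    }
}

# Per-group outcome, so a partial failure is visible instead of one aggregate error.
$results | Format-Table -AutoSize

# Usage (assumed file name and sample account):
#   .\Remove-UserGroups.ps1 -SamAccountName jdoe -WhatIf   # dry run, no changes
#   .\Remove-UserGroups.ps1 -SamAccountName jdoe           # prompts for credentials
```

Running it first with -WhatIf lists every group the script would touch without changing anything; the per-group Status column then makes it clear whether an 'Insufficient access rights' error comes from one protected group or from the credential as a whole.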
