Remove-ADGroupMember where member is in parent domain and group is in child domain

I have a parent domain (sandbox.local) and a child domain (child.sandbox.local) and want the capability to add and remove sandbox\User to a (domain local) group in the child domain. 

I can add the user to the group:

# Resolve the group on a DC in the child domain and the user on a DC in the parent domain
$GroupDN = (Get-ADGroup $groupsam -Server "child.sandbox.local").DistinguishedName
$UserDN = (Get-ADUser $sam -Server "sandbox.local").DistinguishedName
Add-ADGroupMember -Identity $GroupDN -Members $UserDN

Problem: when I use any of the commands listed below, I get an object not found or referral was returned from the server error.

Remove-ADGroupMember -Identity $GroupDN -Members $UserDN -Server "sandbox.local"
Remove-ADGroupMember -Identity $GroupDN -Members $UserDN -Server "child.sandbox.local"

Remove-ADPrincipalGroupMembership -Identity $UserDN -MemberOf $GroupDN -Server "sandbox.local"
Remove-ADPrincipalGroupMembership -Identity $UserDN -MemberOf $GroupDN -Server "child.sandbox.local"

Suggestions?

Paul

Specific error codes:

Remove-ADGroupMember -Identity $GroupDN -Members $UserDN -Confirm:$false -Server "sandbox.local"

Remove-ADGroupMember : A referral was returned from the server
At C:\Users\user\AppData\Local\Temp\4e5f275f-5786-4a0d-990e-50312cef9d70.ps1:10 char:21
+ Remove-ADGroupMember <<<<  -Identity $GroupDN -Members $UserDN -Confirm:$false -Server "sandbox.local"
    + CategoryInfo          : ResourceUnavailable: (CN=TestGroup,OU...,DC=local:ADGroup) [Remove-ADGroupMember], ADReferralException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember



Remove-ADGroupMember -Identity $GroupDN -Members $UserDN -Confirm:$false -Server "child.sandbox.local"

Remove-ADGroupMember : Cannot find an object with identity: 'CN=user,OU=pacific,OU=KrbUsers,DC=ad,DC=spawar,DC=local' under: 'DC=pac,DC=ad,DC=spawar,DC=local'.
At C:\Users\user\AppData\Local\Temp\4e5f275f-5786-4a0d-990e-50312cef9d70.ps1:10 char:21
+ Remove-ADGroupMember <<<<  -Identity $GroupDN -Members $UserDN -Confirm:$false -Server "child.sandbox.local"
    + CategoryInfo          : ObjectNotFound: (CN=user,OU=...,DC=local:ADPrincipal) [Remove-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember
 


Remove-ADPrincipalGroupMembership -Identity $UserDN -MemberOf $GroupDN -Server "sandbox.local"

Remove-ADPrincipalGroupMembership : A referral was returned from the server
At C:\Users\user\AppData\Local\Temp\4e5f275f-5786-4a0d-990e-50312cef9d70.ps1:11 char:34
+ Remove-ADPrincipalGroupMembership <<<<  -Identity $UserDN -MemberOf $GroupDN -Server "sandbox.local"
    + CategoryInfo          : ResourceUnavailable: (CN=user,OU=...,DC=local:ADPrincipal) [Remove-ADPrincipalGroupMembership], ADReferralException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership



Remove-ADPrincipalGroupMembership -Identity $UserDN -MemberOf $GroupDN -Server "child.sandbox.local"

Remove-ADPrincipalGroupMembership : Cannot find an object with identity: 'CN=user,OU=pacific,OU=KrbUsers,DC=ad,DC=spawar,DC=local' under: 'DC=pac,DC=ad,DC=spawar,DC=local'.
At C:\Users\user\AppData\Local\Temp\4e5f275f-5786-4a0d-990e-50312cef9d70.ps1:11 char:34
+ Remove-ADPrincipalGroupMembership <<<<  -Identity $UserDN -MemberOf $GroupDN -Server "child.sandbox.local"
    + CategoryInfo          : ObjectNotFound: (CN=user,OU=...,DC=local:ADPrincipal) [Remove-ADPrincipalGroupMembership], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADPrincipalGroupMembership:ProcessRecordOverride,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership


January 26th, 2014 6:09pm

Hi,

How about below code:

# Look each object up on a DC of its own domain, then add the member on the group's domain
$GroupDN = Get-ADGroup $groupsam -Server "child.sandbox.local"
$UserDN = Get-ADUser $sam -Server "sandbox.local"
Add-ADGroupMember -Identity $GroupDN -Server "child.sandbox.local" -Members $UserDN

Then:

Remove-ADPrincipalGroupMembership -Server "child.sandbox.local" -Identity $UserDN -MemberOf $GroupDN

Regards,

Yan Li

January 28th, 2014 2:49am

Thank you for your time on this. 

Remove-ADPrincipalGroupMembership -Server "child.sandbox.local" -Identity $UserDN -MemberOf $GroupDN

returns "A referral was returned from the server...+CategoryInfo: Resource Unavailable (CN = userid, ou=..." ADReferralException.

Although I was looking for the flexibility for removing individual accounts, I actually needed to clear the group, and then add back users that met a specific requirement, so went with the following:

Function Remove-AllGroupMembers
{
    Param(
        [string]$GroupDN
    )

    # ADS_PROPERTY_CLEAR (1) tells PutEx to drop every value of the attribute
    $ads_Property_Clear = 1
    [adsi]$de = "LDAP://" + $GroupDN
    $de.PutEx($ads_Property_Clear, "member", $null)
    $de.SetInfo()   # commit the cleared member attribute to the directory
}

February 3rd, 2014 6:12pm

I know this is an old thread but it doesn't look like it was completely resolved. I had a situation that sounded almost identical to yours. My scenario:

"Administrators" group in DomainB.DomainA.com had groups from DomainA.com in it. All attempts with the Remove-ADGroupMember and Remove-ADPrincipalGroupMembership cmdlets failed. This was my fix and I've verified it is working:

$Group = Get-ADGroup -Identity "Administrators" -Server "DomainA.com"
$GroupMembers = Get-ADGroupMember -Identity $Group
ForEach ($Member in $GroupMembers) {
    If ($Member.Name -like "<insert condition here>") {
        # Edit the group's member attribute directly instead of calling Remove-ADGroupMember
        Set-ADObject -Identity $($Group.DistinguishedName) -Remove @{member="$($Member.DistinguishedName)"} -Server "DomainA.com"
    }
}

Hope this helps anyone else that's having problems. This is a known issue with the remove cmdlets. I wanted to avoid ADSI code and stick with cmdlets and this worked perfectly.
June 23rd, 2014 5:21pm
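The same Set-ADObject -Remove technique as a reusable function, written as an added example for this thread (not WeisMan87's or the OP's code). It resolves each object on a DC of its own domain, writes the change against the group's domain (the -Server choice a later reply found necessary), and re-reads the member attribute to confirm the removal; the module, permissions and all domain and account names are assumptions.

```powershell
# Added example: remove a parent-domain user from a child-domain domain-local group
# by editing the group's "member" attribute directly, bypassing the referral error
# that Remove-ADGroupMember / Remove-ADPrincipalGroupMembership raise cross-domain.
# Assumes the ActiveDirectory module is loaded and the caller can write the group.
Function Remove-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [Parameter(Mandatory)][string]$GroupSam,      # e.g. "TestGroup" (hypothetical)
        [Parameter(Mandatory)][string]$GroupDomain,   # e.g. "child.sandbox.local"
        [Parameter(Mandatory)][string]$UserSam,       # e.g. "User" (hypothetical)
        [Parameter(Mandatory)][string]$UserDomain     # e.g. "sandbox.local"
    )

    # Look each object up on a DC of its own domain so neither query is referred elsewhere.
    $group = Get-ADGroup -Identity $GroupSam -Server $GroupDomain -Properties member
    $user  = Get-ADUser  -Identity $UserSam  -Server $UserDomain

    # A domain-local group stores its membership in its own "member" attribute,
    # so the group's domain is the only place the write can succeed.
    if ($group.member -notcontains $user.DistinguishedName) {
        Write-Verbose "$($user.DistinguishedName) is not a member of $($group.DistinguishedName)"
        return $false
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove member $($user.DistinguishedName)")) {
        Set-ADObject -Identity $group.DistinguishedName `
                     -Remove @{ member = $user.DistinguishedName } `
                     -Server $GroupDomain
    }

    # Re-read the attribute from the group's domain and report whether the removal took effect
    # (under -WhatIf nothing is written, so this returns $false).
    $after = (Get-ADGroup -Identity $group.DistinguishedName -Server $GroupDomain -Properties member).member
    return ($after -notcontains $user.DistinguishedName)
}

# Usage with the thread's hypothetical names:
# Remove-CrossDomainGroupMember -GroupSam "TestGroup" -GroupDomain "child.sandbox.local" `
#                               -UserSam "User" -UserDomain "sandbox.local" -Verbose
```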

yeah this helped me WeisMan... thanks for the post... points to you :)
June 25th, 2014 5:57pm

WeisMan87,

I'm trying to do basically the same thing and using your code in this post:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b16722e5-bac8-485e-9e47-d806c866bcd3/powershell-removeadgroupmember-not-working-multiple-domains?forum=winserverDS&prof=required

Not sure if you would be willing to help.

April 22nd, 2015 4:55pm

For me, on the Set-ADObject line, I ran this from 'DomainB' and did not specify -server 'DomainA'. When I did, it said it couldn't find the group. Took it off and it worked like a champion. Thanks. Remove-ADGroupMember didn't work for me and I went on the hunt.  The perfect post. Thanks Again!
May 1st, 2015 10:34am
