{"id":52853,"date":"2009-07-28T03:01:00","date_gmt":"2009-07-28T03:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/07\/28\/hey-scripting-guy-how-do-i-remove-all-group-members-in-active-directory\/"},"modified":"2009-07-28T03:01:00","modified_gmt":"2009-07-28T03:01:00","slug":"hey-scripting-guy-how-do-i-remove-all-group-members-in-active-directory","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-do-i-remove-all-group-members-in-active-directory\/","title":{"rendered":"Hey, Scripting Guy! How Do I Remove All Group Members in Active Directory?"},"content":{"rendered":"

\n

\"Hey,<\/span><\/p>\n

Hey Scripting Guy! I have several groups created in Active Directory whose membership has changed dramatically. Rather than go through a long list of users and try to manually clean up the list, I would like to just delete all the users from the group so that I can later add the newly approved members to the group. I have checked around, and there does not seem to be a deleteall<\/b> method from a directory entry object in Windows PowerShell. Am I missing it?<\/p>\n<\/p>\n

— JD<\/p>\n

 <\/p>\n

\"Hey,<\/p>\n

Hello JD, <\/p>\n

This week I (Ed) am speaking at Microsoft TechReady in Seattle. TechReady is kind of like Tech∙<\/span>Ed except it is for Microsoft employees only. I have been attending lots of sessions, completing hands-on labs, and am generally fried—<\/span>or maybe broiled (it’s very hot here right now). The bad things about conferences such as this is that it always seems that there are two sessions that both sound good that are scheduled at the same time. As a result I end up missing some really cool session that sounds great. Of course, all the sessions are recorded, and all the Microsoft PowerPoint decks are posted on a SharePoint site, but it is not quite the same as attending the live session. When I gather around a lunch table and chat with friends and co-workers, I always ask about the sessions they attended. At times my choice is confirmed, but occasionally I feel as if I really missed out on something. <\/p>\n

JD, I do not want you to miss out on anything, so I wrote the Remove-AllGroupMembers.ps1 script for you. One thing you will notice is there is no deleteall<\/b> method, so you did not overlook a method. In fact, we pulled out a method we used in VBScript (putex<\/b>) to perform the magical deletion you required. The complete Remove-AllGroupMembers.ps1 script is seen here. <\/p>\n

Remove-AllGroupMembers.ps1<\/p>\n

<\/strong><\/p>\n

Param(
   <\/span>[string]$group,
   <\/span>[string]$ou,
   <\/span>[string]$domain,
   <\/span>[switch]$whatif,
   <\/span>[switch]$help
) #end param<\/p>\n

Function Get-ScriptHelp
{
 <\/span>“Remove-AllGroupMembers.ps1 removes all members of a group”
 <\/span>“Remove-AllGroupMembers.ps1 -group cn=mygroup -ou ou=myou -domain ‘dc=nwtraders,dc=com'”
 <\/span>“Remove-AllGroupMembers.ps1 -group cn=mygroup -ou ou=myou -domain ‘dc=nwtraders,dc=com’ -whatif”
} # end function Get-ScriptHelp<\/p>\n

Function Remove-AllGroupMembers
{
 <\/span>Param(
   <\/span>[string]$group,
   <\/span>[string]$ou,
   <\/span>[string]$domain
 <\/span>) #end param
 <\/span>$ads_Property_Clear = 1
 <\/span>$de = [adsi]”LDAP:\/\/$group,$ou,$domain”
 <\/span>$de.putex($ads_Property_Clear,”member”,$null)
 <\/span>$de.SetInfo()
} # end function Remove-AllGroupMembers<\/p>\n

Function Get-Whatif
{
  <\/span>Param(
   <\/span>[string]$group,
   <\/span>[string]$ou,
   <\/span>[string]$domain
 <\/span>) #end param
 <\/span>“WHATIF: Remove all members from $group,$ou,$domain”
} #end function Get-Whatif<\/p>\n

# *** Entry Point to script ***<\/p>\n

if(-not($group -and $ou -and $domain))
  <\/span>{ throw (“group ou and domain required”) }
if($whatif) { Get-Whatif -group $group -ou $ou -domain $domain ; exit }
if($help) { Get-Scripthelp ; exit }
“Removing all members from $group,$ou,$domain”
Remove-AllGroupMembers -group $group -ou $ou -domain $domain<\/p>\n

<\/font><\/font><\/font><\/p>\n

The Remove-AllGroupMembers.ps1 script begins by creating several command-line parameters. To do this, the Param<\/b> statement is used. The first three parameters are strings: the group name, the organizational unit name, and the domain name. These will need to be supplied to the script in the form of cn=groupname<\/b>. You could modify the script to change this requirement, but it rapidly becomes rather complicated in trying to figure out how many levels down a group may reside. The last two parameters are switched parameters: the whatif<\/b> and the help<\/b> parameters. The Param<\/b> section of the script is seen here: <\/p>\n

Param(
   <\/span>[string]$group,
   <\/span>[string]$ou,
   <\/span>[string]$domain,
   <\/span>[switch]$whatif,
   <\/span>[switch]$help
) #end param<\/span><\/p>\n

<\/font><\/font><\/p>\n

I consider it a best practice when a script requires command-line parameters to include help information to illustrate how to actually use the script. This is useful not only for the users of your script, but also for you as well when you approach a script several months after it has been written. In Windows PowerShell 2.0, script help integrates with the Get-Help<\/b> cmdlet, and can be created using stylized tags. But in Windows PowerShell 1.0, you are limited to displaying strings to the command line. By creating minimal help for your scripts now, you are preparing yourself to migrate the script to the more robust script help available in Windows PowerShell 2.0. <\/p>\n

In the Get-ScriptHelp<\/b> function, a short description of the script is displayed, as well as two representative command-line examples: <\/p>\n

Function Get-ScriptHelp
{
 <\/span>“Remove-AllGroupMembers.ps1 removes all members of a group”
 <\/span>“Remove-AllGroupMembers.ps1 -group cn=mygroup -ou ou=myou -domain ‘dc=nwtraders,dc=com'”
 <\/span>“Remove-AllGroupMembers.ps1 -group cn=mygroup -ou ou=myou -domain ‘dc=nwtraders,dc=com’ -whatif”
} # end function Get-ScriptHelp<\/span><\/p>\n

<\/font><\/font><\/p>\n

To remove all members of a group you can use the Remove-AllGroupMembers<\/b> function. Members of a group are seen here: <\/p>\n

\n

\"Image<\/a><\/p>\n<\/p>\n

\n

 <\/p>\n

The function begins with three parameters: group<\/b>, ou<\/b>, and domain<\/b>. Instead of listing these parameters in a long line in the Function<\/b> declaration statement, I decided to move them inside the function script block and use the Param<\/b> statement. This is exactly the same thing, but I consider it a best practice when declaring more than one or two parameters. This is because it makes it easier to read the script. In addition, it will set you up to make an easier migration to Windows PowerShell 2.0 because of the rich parameter statements that become available. The Function<\/b> statement and the Param<\/b> statement for the Remove-AllgroupMembers<\/b> function is seen here: <\/p>\n

Function Remove-AllGroupMembers
{
 <\/span>Param(
   <\/span>[string]$group,
   <\/span>[string]$ou,
   <\/span>[string]$domain
 <\/span>) #end param<\/span><\/p>\n

<\/font><\/font><\/p>\n

It is time get to the nuts and bolts of the Remove-AllGroupMembers<\/b> function. First, a variable named $ads_Property_Clear<\/b> is created and set to a value of 1. The number 1 is the value from the ADS_PROPERTY_OPERATION_ENUM<\/font><\/a> <\/span>ADS_PROPERTY_CLEAR<\/b> constant. When this is set to 1, it instructs the directory service to remove all property values from the object:<\/p>\n

 <\/span>$ads_Property_Clear = 1<\/span><\/p>\n

<\/font><\/font><\/p>\n

When you need to work with an object in Active Directory, it generally involves connecting to the object first. To do this, you use the [adsi]<\/b> type accelerator, specify the protocol (LDAP), and supply the path to the object. This is seen here:  <\/span><\/p>\n

 <\/span>$de = [adsi]”LDAP:\/\/$group,$ou,$domain”<\/p>\n

<\/font><\/font><\/p>\n

To remove the members of the group, you use the putex<\/b> method, which uses one of the ADS_PROPERTY_OPERATION_ENUM<\/b> values seen in Table 1 in the first position of the method call. <\/p>\n

Table 1 ADS_PROPERTY_OPERATION_ENUM Values<\/strong><\/p>\n\n\n\n\n\n\n\n
\n
\n

Enumeration name<\/p>\n<\/div>\n<\/td>\n

\n
\n

Enumeration value<\/p>\n<\/div>\n<\/td>\n<\/tr>\n

\n
\n

  <\/span>ADS_PROPERTY_CLEAR    <\/span><\/p>\n<\/div>\n<\/td>\n

\n
\n

 <\/span>1<\/p>\n<\/div>\n<\/td>\n<\/tr>\n

\n
\n

  <\/span>ADS_PROPERTY_UPDATE   <\/span><\/p>\n<\/div>\n<\/td>\n

\n
\n

 <\/span>2<\/p>\n<\/div>\n<\/td>\n<\/tr>\n

\n
\n

  <\/span>ADS_PROPERTY_APPEND   <\/span><\/p>\n<\/div>\n<\/td>\n

\n
\n

 <\/span>3<\/p>\n<\/div>\n<\/td>\n<\/tr>\n

\n
\n

  <\/span>ADS_PROPERTY_DELETE   <\/span><\/p>\n<\/div>\n<\/td>\n

\n
\n

 <\/span>4 <\/p>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\n

 <\/p>\n<\/p>\n

In the second position of the putex<\/b> method call, you list the property you wish to work with. The third position must be filled out, but is ignored when you are clearing the contents of the property. After the changes have been made, you call the SetInfo<\/b> method. This is all seen here: <\/p>\n

 <\/span>$de.putex($ads_Property_Clear,”member”,$null)
 <\/span>$de.SetInfo()
} # end function Remove-AllGroupMembers<\/p>\n

<\/font><\/font><\/p>\n

When you have a script that deletes things, it is a best practice to implement a whatif<\/b> function. To do this, you create use the same parameters that are supplied to the Remove-AllGroupMembers<\/b> function and display the string that gets put together. This is helpful in that it provides confirmation information about what the script is attempting to accomplish. The Get-Whatif<\/b> function is seen here:  <\/span> <\/span><\/p>\n

Function Get-Whatif
{
  <\/span>Param(
   <\/span>[string]$group,
   <\/span>[string]$ou,
   <\/span>[string]$domain
 <\/span>) #end param
 <\/span>“WHATIF: Remove all members from $group,$ou,$domain”
} #end function Get-Whatif<\/span><\/p>\n

<\/font><\/font><\/p>\n

You now arrive at the entry point to the script. Because the script will fail if it does not receive the group name, ou name, and domain name, use an if<\/b> statement to check for the presence of the values from the command line. To do this, you use the not<\/b> operator and the and<\/b> operator as seen here. If the values are not available, the throw<\/b> command is used to raise an error. This is seen here: <\/p>\n

if(-not($group -and $ou -and $domain))
  <\/span>{ throw (“group ou and domain required”) }<\/span><\/p>\n

<\/font><\/font><\/p>\n

After checking for the group, ou and domain names, you next need to see if the script was run with the whatif<\/b> switch. If it was, the Get-Whatif<\/b> function is called and then the script exits. This is seen here: <\/p>\n

if($whatif) { Get-Whatif -group $group -ou $ou -domain $domain ; exit }<\/span><\/p>\n

<\/font><\/font><\/p>\n

If the script is run with the help<\/b> switch, it calls the Get-ScriptHelp<\/b> function and exits: <\/p>\n

<\/span><\/font><\/font><\/p>\n","protected":false},"excerpt":{"rendered":"

Hey Scripting Guy! I have several groups created in Active Directory whose membership has changed dramatically. Rather than go through a long list of users and try to manually clean up the list, I would like to just delete all the users from the group so that I can later add the newly approved members […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,45],"class_list":["post-52853","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Hey Scripting Guy! I have several groups created in Active Directory whose membership has changed dramatically. Rather than go through a long list of users and try to manually clean up the list, I would like to just delete all the users from the group so that I can later add the newly approved members […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=52853"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52853\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=52853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=52853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=52853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}