Powershell 删除ADPrincipalGroupMembership';权利不足';
我有一个Powershell脚本,可以从所有广告组中删除用户,当我向其抛出组集合时,它会失败,并且“权限不足”,但当我删除单个组时,它不会失败Powershell 删除ADPrincipalGroupMembership';权利不足';,powershell,active-directory,Powershell,Active Directory,我有一个Powershell脚本,可以从所有广告组中删除用户,当我向其抛出组集合时,它会失败,并且“权限不足”,但当我删除单个组时,它不会失败 $adcred = Get-Credential $adUser = Read-Host 'Enter username' $adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'} Remove-ADPrincipal
$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred
WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is:
'Insufficient access rights to perform the operation'.
WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is: 'Insufficient access rights to perform the operation'.
Remove-ADPrincipalGroupMembership : Could not remove member(s) to one or more ADGroup.
At line:1 char:1
+ Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGrou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Microsoft.Activ...ement.ADGroup[]:ADGroup[]) [Remove-ADPrincipalGroupMembership], ADExcep
tion
+ FullyQualifiedErrorId : 1,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf 'somegroup' -Credential $adcred
我的Powershell Windows在非域管理员帐户下运行,但我在脚本中提供域管理员凭据。此外,如果我以“其他用户”身份运行新的Powershell窗口并提供域管理员凭据,则即使我向其抛出集合,删除ADPrincipalGroupMembership也会起作用。这应该可以解决此问题。不只是给它一个字符串,而是给整个AD用户对象
$adcred = Get-Credential
$adUser = Read-Host 'Enter username' | get-aduser
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne
'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred
$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne
'Domain Users'}
$aduser | Get-Aduser | Remove-ADPrincipalGroupMembership -MemberOf $adGroups -Credential $adcred
这应该可以解决这个问题。不只是给它一个字符串,而是给整个AD用户对象
$adcred = Get-Credential
$adUser = Read-Host 'Enter username' | get-aduser
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne
'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred
$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne
'Domain Users'}
$aduser | Get-Aduser | Remove-ADPrincipalGroupMembership -MemberOf $adGroups -Credential $adcred
感谢您对脚本用户部分的改进,但我的问题不在于用户;这是与团体有关的。如上所述,控制台仅在我提供组集合时写入错误“执行操作的访问权限不足”,而不是在我提供单个组时写入错误。虽然我加入了你的改进,但并没有解决问题。也许是某个特定的群体?您是否确认您可以单独完成每个有问题的小组?你的帖子只是说“如果我只做一个小组”,它并不局限于一个特定的小组。$adGroups中的任何组都会显示它,但在手动列出这些组时不会显示,如“-memberof'group1','group2'尝试将其添加到脚本集ExecutionPolicy unrestricted-Scope CurrentUser-force的开头。此外,仅为了进行合理性检查,请运行此命令并共享输出get命令Remove adprincipalgroupmembership感谢您对脚本用户部分的改进,但我的问题不在用户身上;这是与团体有关的。如上所述,控制台仅在我提供组集合时写入错误“执行操作的访问权限不足”,而不是在我提供单个组时写入错误。虽然我加入了你的改进,但并没有解决问题。也许是某个特定的群体?您是否确认您可以单独完成每个有问题的小组?你的帖子只是说“如果我只做一个小组”,它并不局限于一个特定的小组。$adGroups中的任何组都会显示它,但在手动列出这些组时不会显示,如“-memberof'group1','group2'尝试将其添加到脚本集ExecutionPolicy unrestricted-Scope CurrentUser-force的开头。另外,为了检查是否正常运行,请运行此命令并共享输出get命令Remove adprincipalgroupmembership我需要用今天上午学到的内容完善我的帖子。我可以删除单个组或组数组,如果我将其手动写入以下行:remove ADPrincipalGroupMembership-Identity$adUser-MemberOf'group1','group2'-Credential$adcred。但是Remove ADPrincipalGroupMembership对于$adGroups变量根本不起作用。因此,我收集$adGroups变量的方式肯定有什么地方做错了。我需要用今天上午学到的内容来完善我的帖子。我可以删除单个组或组数组,如果我将其手动写入以下行:remove ADPrincipalGroupMembership-Identity$adUser-MemberOf'group1','group2'-Credential$adcred。但是Remove ADPrincipalGroupMembership对于$adGroups变量根本不起作用。因此,我收集$adGroups变量的方式肯定有问题。