PowerShell to remove MemberOf field

I am in the process of writing a few lines of code to remove the contents of the MemberOf field in Active Directory and am getting the following error. Does anyone know how to perform such an operation?

PS C:\Users\admin> $user.MemberOf = $null
Exception setting "MemberOf": "The adapter cannot set the value of property "MemberOf"."
At line:1 char:7
+ $user. <<<< MemberOf = $null
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

The end goal of the script is to search AD for accounts that have R, I, T in the extensionAttribute2 field, then replace the MemberOf field with $Null (removing all groups) and set extensionAttribute2 to "E" to finish the script. The part that is halting me is the MemberOf clearing so that the groups are removed.

Import-Module ac*
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
$Users= Get-ADUser -filter * -Properties * -SearchBase "OU=Users,DC=Domain,DC=Local" -server Server.domain.local

$users| Foreach-Object {If ($_.extensionAttribute2 -ne "E") { Set-ADUser $_.samAccountname -Replace @{extensionAttribute2="E":MemberOf=$null} -server DomainController.local}}

Mdismukes Asked:

soostibi Commented:
Try that.

But I have some remarks: it is not supported to add the Exchange 2010 snap-in directly, as this way you do not use RBAC.
The Get-ADUser part could be optimized by specifying a filter other than '*', integrating {extensionAttribute2 -ne "E"} there.

Import-Module ac*
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
$Users = Get-ADUser -Filter * -Properties * -SearchBase "OU=Users,DC=Domain,DC=Local" -Server Server.domain.local

$Users | ForEach-Object {
    if ($_.extensionAttribute2 -ne "E") {
        $u = $_
        # MemberOf cannot be written on the user: remove the user from each group it lists
        $u.MemberOf | Remove-ADGroupMember -Members $u -Server DomainController.local
        # Mark the account as processed
        Set-ADUser $u -Replace @{extensionAttribute2="E"} -Server DomainController.local
    }
}

 
Chris Dent (PowerShell Developer) Commented:

There's a reason you can't do this:

> Set-ADUser ... -Replace @{extensionAttribute2="E":MemberOf=$null}

memberOf is a Constructed Attribute, it doesn't really exist as an attribute in AD, it's built when someone asks for it, and discarded afterwards. Changes to membership *must* be written to the group object either by calling methods to remove members, or by modifying the member attribute directly (as Remove-ADGroupMember does). Soostibi's example is perfect for this :)

Chris
 
Chris Dent (PowerShell Developer) Commented:
Soostibi,

Curious about this: "it is not supported, to add the Exchange 2010 snapin directly". Do you have a source? Not suggesting you're wrong, just curious, I'll be quite upset if it is the case :)

Cheers,

Chris
 
Mdismukes (Author) Commented:
I am in the process of testing this today. I will have to modify the script to add a group to the tail end of this for said domain group; if that runs into problems I will post the code and seek advice.

Mdismukes (Author) Commented:
I had some time to run the code and play with it a bit, though: do I need to run Remove-ADGroupMember with a -confirm $false?
 
soostibi Commented:
You can if you wish.

-confirm:$false

Mdismukes (Author) Commented:
Worked like a champ!

Question has a verified solution.
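
An added example (not code from the thread or its participants) that combines the points raised above: the filter moved into Get-ADUser as soostibi suggests, removal through the group objects as Chris Dent describes, and -Confirm:$false. It assumes one domain controller is used for both reads and writes; the server name, OU and log path are placeholders, and the CSV record of removed memberships and the -WhatIf support are additions for audit and rollback.

```powershell
# Added example, not from the thread. Server, OU and log path are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server     = 'DomainController.local',
    [string]$SearchBase = 'OU=Users,DC=Domain,DC=Local',
    [string]$LogPath    = '.\removed-memberships.csv'
)

Import-Module ActiveDirectory

# Let the DC do the filtering and return only the attributes the script uses.
$users = Get-ADUser -Filter 'extensionAttribute2 -ne "E"' -SearchBase $SearchBase `
    -Properties memberOf, extensionAttribute2 -Server $Server

$removed = @()
foreach ($u in $users) {
    $clean = $true
    # memberOf lists group DNs; the primary group (usually Domain Users) is not in it.
    foreach ($groupDn in @($u.MemberOf)) {
        if (-not $PSCmdlet.ShouldProcess($groupDn, "Remove member $($u.SamAccountName)")) {
            $clean = $false
            continue
        }
        try {
            # The change is written to the group's member attribute, not to the user.
            Remove-ADGroupMember -Identity $groupDn -Members $u -Server $Server `
                -Confirm:$false -ErrorAction Stop
            $removed += New-Object PSObject -Property @{
                When = (Get-Date -Format s); User = $u.SamAccountName; Group = $groupDn
            }
        } catch {
            $clean = $false
            Write-Warning "Could not remove $($u.SamAccountName) from ${groupDn}: $_"
        }
    }
    # Flag the account as done only when every removal succeeded.
    if ($clean -and $PSCmdlet.ShouldProcess($u.SamAccountName, 'Set extensionAttribute2 to E')) {
        Set-ADUser -Identity $u -Replace @{ extensionAttribute2 = 'E' } -Server $Server
    }
}

# Record of what was removed, for audit and for restoring memberships if needed.
$removed | Select-Object When, User, Group | Export-Csv -Path $LogPath -NoTypeInformation
```

Saved as a script file and run with -WhatIf first, it lists the removals it would make without changing any group.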
