Bulk remove Computers from AD Groups

We are facing trouble performing bulk removal of computers from multiple AD groups.

For several weeks we have been using the DSMOD GROUP command to remove the computers in a batch file, this works well but the script takes hours to perform the removals.

We have thousands of machines which we need to remove from hundreds of groups, we use the below command for each group/machine in a batch file:

DSMOD GROUP "CN=abcgrp,OU=abcOU,DC=abcinc,DC=com" -RMMBR "CN=Comp1XXX,OU=Computers,DC=abcinc,DC=com"
DSMOD GROUP "CN=xyzgrp,OU=abcOU,DC=abcinc,DC=com" -RMMBR "CN=Comp2ABC,OU=Computers,DC=abcinc,DC=com"

Our batch file has several hundred lines of commands similar to the above and this obviously takes hours to finish.

Is there any better way to perform the removals in bulk and fairly very quickly?

Like we have a list of groups in a file and a device list in another file, loop through each group and remove the devices listed in the other file? Will this approach work faster?

Appreciate if someone can post a Batch script to achieve the above as we are really struggling with this and we end up staying hours in office to check if the removals have completed based on which we proceed to perform other activities.
Freshandeasy Asked:
 
yo_bee (Director of Information Technology) Commented:
Here is the PowerShell script I have and tested with both DN and samAccount

To Prompt Confirmation of Delete
Import-Module ActiveDirectory

# C:\test.csv needs the columns GroupDN and ComputerDN
$List = Import-Csv C:\test.csv
ForEach ($item in $List)
{
    $Group = $item.GroupDN
    $Computer = $item.ComputerDN

    # Prompts for confirmation before each removal
    Remove-ADGroupMember -Identity $Group -Members $Computer
}



Suppress Confirmation
Import-Module ActiveDirectory

# C:\test.csv needs the columns GroupDN and ComputerDN
$List = Import-Csv C:\test.csv
ForEach ($item in $List)
{
    $Group = $item.GroupDN
    $Computer = $item.ComputerDN

    # -Confirm:$false removes the member without prompting
    Remove-ADGroupMember -Identity $Group -Members $Computer -Confirm:$false
}



Here is another way you can use PowerShell
Import-Csv C:\test.csv | ForEach-Object { Remove-ADGroupMember -Identity $_.GroupDN -Members $_.ComputerDN -Confirm:$false }


0
 
McKnife Commented:
Hi.

Did you try and test if the batch command "net group" would work faster?
0
 
yo_bee (Director of Information Technology) Commented:
What if you piped it?

DSquery Group "OU=Test,DC=Contoso,DC=Local" | DSMOD -RMMBR



What this does is query an OU you point to for all groups and for each group it will then pipe that group DN to the DSMOD and remove the group.

Edit:

Please ignore my response. I did not read your question correctly prior to responding.
0

 
yo_bee (Director of Information Technology) Commented:
Are these computers being completely removed from your domain?
0
 
Freshandeasy (Author) Commented:
No, the computers are not being removed from the domain, they are being removed from the groups membership.

Basically these computers are members of several application groups and we are cleaning them up to move them to a new structure.
0
 
McKnife Commented:
What about my suggestion? net group works just as well on domain groups as the PowerShell but maybe faster.
0
 
yo_bee (Director of Information Technology) Commented:
Do you have a list of the computers' DNs?
You can use the Import-CSV | Get-ADGroup | Remove-ADGroupMember

The CSV should have the Group DN and the Computer DN to help facilitate this in a bulk manner.
0
 
Freshandeasy (Author) Commented:
Thanks Yo-bee, I will try this script today and let you know. Can the script be coded to automatically retrieve the Distinguished Name instead of me running a separate script to retrieve it?

McKnife, please can you let me know how we can use the Net group as I'm not sure of the entire syntax to remove a machine from a group?
0
 
yo_bee (Director of Information Technology) Commented:
Yes, but you still need to have a reference point like computer name.
0
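
The CSV-driven approach discussed above, as an added example that is not code posted by any participant: it resolves computer names to Distinguished Names itself, issues one Remove-ADGroupMember call per group rather than one per group/computer pair, and logs the outcome of every requested removal. The CSV column names Group and Computer (sAMAccountName or DN values) and the log path are assumptions.

```powershell
# Added example, not from the thread. Assumed CSV columns: Group, Computer
# (plain names or DNs). The log path is a hypothetical placeholder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath = 'C:\test.csv',
    [string]$LogPath = 'C:\group-removal-log.csv'
)
Import-Module ActiveDirectory

$dnCache = @{}   # computer name -> DN, so each computer is resolved only once
$batches = Import-Csv -Path $CsvPath | Group-Object -Property Group
$results = foreach ($batch in $batches) {
    try {
        $group = Get-ADGroup -Identity $batch.Name -Properties member -ErrorAction Stop
    } catch {
        Write-Warning "Group '$($batch.Name)' not found, skipping its rows."
        continue
    }
    # $batch.Group holds the CSV rows that name this AD group.
    $rows = foreach ($row in $batch.Group) {
        $name = $row.Computer
        if (-not $dnCache.ContainsKey($name)) {
            try   { $dnCache[$name] = (Get-ADComputer -Identity $name -ErrorAction Stop).DistinguishedName }
            catch { $dnCache[$name] = $null }
        }
        $dn = $dnCache[$name]
        $status = 'Pending'
        if (-not $dn) { $status = 'ComputerNotFound' }
        elseif ($group.member -notcontains $dn) { $status = 'NotAMember' }
        [pscustomobject]@{ Group = $group.DistinguishedName; Computer = $name; ComputerDN = $dn; Status = $status }
    }
    $pending = @($rows | Where-Object Status -eq 'Pending')
    $members = @($pending | Select-Object -ExpandProperty ComputerDN -Unique)
    if ($members.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove $($members.Count) computer(s)")) {
        try {
            # One call per group instead of one per group/computer pair.
            Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false -ErrorAction Stop
            $pending | ForEach-Object { $_.Status = 'Removed' }
        } catch {
            $message = $_.Exception.Message
            $pending | ForEach-Object { $_.Status = "Failed: $message" }
        }
    }
    $rows
}
# Keep a record of every requested change and its outcome.
$results | Export-Csv -Path $LogPath -NoTypeInformation
```

Saved as a .ps1 file and run with -WhatIf, it reports the removals it would make for each group without changing any membership.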
 
McKnife Commented:
The simple syntax is net group /delete group1 user1
This command does not care for OUs.
0
 
McKnife Commented:
...this is not the first time I see powershell solutions being preferred to simple batch... where a split could have been made... oh well.
0
Question has a verified solution.
