  • Status: Solved
  • Priority: Medium
  • Security: Public

Bulk remove Computers from AD Groups

We are facing trouble performing bulk removal of computers from multiple AD groups.

For several weeks we have been using the DSMOD GROUP command to remove the computers in a batch file, this works well but the script takes hours to perform the removals.

We have thousands of machines which we need to remove from hundreds of groups, we use the below command for each group/machine in a batch file:

DSMOD GROUP "CN=abcgrp,OU=abcOU,DC=abcinc,DC=com" -RMMBR "CN=Comp1XXX,OU=Computers,DC=abcinc,DC=com"
DSMOD GROUP "CN=xyzgrp,OU=abcOU,DC=abcinc,DC=com" -RMMBR "CN=Comp2ABC,OU=Computers,DC=abcinc,DC=com"

Our batch file has several hundred lines of commands similar to the above and this obviously takes hours to finish.

Is there any better way to perform the removals in bulk and fairly very quickly?

Like we have a list of groups in a file and a device list in another file, loop through each group and remove the devices listed in the other file? Will this approach work faster?

Appreciate if someone can post a Batch script to achieve the above as we are really struggling with this and we end up staying hours in office to check if the removals have completed based on which we proceed to perform other activities.
0
Asked by: Freshandeasy
 
McKnife commented:
Hi.

Did you try and test if the batch command "net group" would work faster?
0
 
yo_bee (Director of IT) commented:
What if you piped it.

DSquery Group "OU=Test,DC=Contoso,DC=Local" | DSMOD -RMMBR



What this does is query an OU you point to for all groups and for each group it will then pipe that group DN to the DSMOD and remove the group.

Edit:

Please ignore my response. I did not read your question correctly prior to responding.
0
 
yo_bee (Director of IT) commented:
Are these computers being completely removed from your domain?
0

 
Freshandeasy (Author) commented:
No, the computers are not being removed from the domain, they are being removed from the groups' membership.

Basically these computers are members of several application groups and we are cleaning them up to move them to a new structure.
0
 
McKnife commented:
What about my suggestion?  net group works just as well on domain groups as the powershell but maybe faster.
0
 
yo_bee (Director of IT) commented:
Do you have a list of the computers' DNs?
You can use Import-CSV | Get-ADGroup | Remove-ADGroupMember

The CSV should have the Group DN and the Computer DN to help facilitate this in a bulk manner.
0
 
yo_bee (Director of IT) commented:
Here is the PowerShell script I have and tested with both DN and samAccount

To Prompt Confirmation of Delete
# Load the Active Directory cmdlets
Import-Module ActiveDirectory

# CSV columns: GroupDN, ComputerDN
$List = Import-Csv C:\test.csv
ForEach ($item in $List)
{
    $Group = $item.GroupDN
    $Computer = $item.ComputerDN

    # Prompts for confirmation before each removal
    Remove-ADGroupMember -Identity $Group -Members $Computer
}


Suppress Confirmation
# Load the Active Directory cmdlets
Import-Module ActiveDirectory

# CSV columns: GroupDN, ComputerDN
$List = Import-Csv C:\test.csv
ForEach ($item in $List)
{
    $Group = $item.GroupDN
    $Computer = $item.ComputerDN

    # -Confirm:$false removes without prompting
    Remove-ADGroupMember -Identity $Group -Members $Computer -Confirm:$false
}


Here is another way you can use PowerShell
Import-Csv C:\test.csv | ForEach-Object { Remove-ADGroupMember -Identity $_.GroupDN -Members $_.ComputerDN -Confirm:$false }

0
 
Freshandeasy (Author) commented:
Thanks Yo-bee, I will try this script today and let you know. Can the script be coded to automatically retrieve the Distinguished Name instead of me running a separate script to retrieve it?

McKnife, please can you let me know how we can use the Net group as I'm not sure of the entire syntax to remove a machine from a group?
0
 
yo_bee (Director of IT) commented:
Yes, but you still need to have a reference point like computer name.
0
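The DN lookup discussed in the replies above, as an added example that is not part of the thread or any poster's script: it takes group and computer names instead of DNs, resolves each computer with Get-ADComputer, and issues one Remove-ADGroupMember call per group rather than one per computer. The CSV column names Group and Computer, the sample rows and the $DryRun switch are assumptions of this example; $DryRun maps to -WhatIf so the change set can be reviewed and logged before it is applied.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample input. In practice: $rows = Import-Csv C:\removals.csv
# The column names "Group" and "Computer" are assumptions of this example.
$rows = @'
Group,Computer
abcgrp,Comp1XXX
abcgrp,Comp2ABC
xyzgrp,Comp2ABC
'@ | ConvertFrom-Csv

$DryRun = $true   # $true only reports what would change; set $false to apply
$log = [System.Collections.Generic.List[object]]::new()
function Add-Log($Group, $Computer, $Result) {
    $log.Add([pscustomobject]@{ Group = $Group; Computer = $Computer; Result = $Result })
}

foreach ($batch in ($rows | Group-Object -Property Group)) {
    try {
        # One read per group, including the DNs of its current members.
        $group = Get-ADGroup -Identity $batch.Name -Properties member -ErrorAction Stop
    } catch {
        Add-Log $batch.Name $null "group lookup failed: $($_.Exception.Message)"
        continue
    }
    $toRemove = @()
    foreach ($name in ($batch.Group.Computer | Sort-Object -Unique)) {
        # Computer accounts carry a trailing $ in sAMAccountName, which is unique.
        $pc = Get-ADComputer -Filter "SamAccountName -eq '$name`$'"
        if (-not $pc) { Add-Log $group.Name $name 'computer not found' }
        elseif ($group.member -notcontains $pc.DistinguishedName) { Add-Log $group.Name $name 'not a member, skipped' }
        else { $toRemove += $pc.DistinguishedName }
    }
    if ($toRemove.Count -eq 0) { continue }
    try {
        # A single call removes every listed computer from this group.
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false -WhatIf:$DryRun -ErrorAction Stop
        $result = if ($DryRun) { 'would remove' } else { 'removed' }
    } catch { $result = "failed: $($_.Exception.Message)" }
    foreach ($dn in $toRemove) { Add-Log $group.Name $dn $result }
}
$log | Format-Table -AutoSize
```

Keeping the $log output from the real run gives a record of exactly which memberships were changed, which is useful if access has to be restored or the cleanup audited later.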
 
McKnife commented:
The simple syntax is net group /delete group1 user1
This command does not care for OUs.
0
 
McKnife commented:
...this is not the first time I see powershell solutions being preferred to simple batch... where a split could have been made... oh well.
0
