删除-ADPrincipalGroupMembership '权限不足'

Question

我有一个 Powershell 脚本，它可以从所有 AD 组中删除一个用户，但当我向它抛出一组组时它会因“权限不足”而失败，但在我删除单个组时不会。

$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred

WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is:
'Insufficient access rights to perform the operation'.
WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is: 'Insufficient access rights to perform the operation'.
Remove-ADPrincipalGroupMembership : Could not remove member(s) to one or more ADGroup.
At line:1 char:1
+ Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGrou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Microsoft.Activ...ement.ADGroup[]:ADGroup[]) [Remove-ADPrincipalGroupMembership], ADExcep
   tion
    + FullyQualifiedErrorId : 1,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership

但如果我使用相同的凭据手动输入一个组名，它会起作用。

Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf 'somegroup' -Credential $adcred

我的 Powershell Windows 在非域管理员帐户下运行，但我在脚本中提供了域管理员凭据。此外，如果我运行一个新的 Powershell 窗口“作为不同的用户”并提供我的域管理员凭据，那么即使我向它抛出一个集合，Remove-ADPrincipalGroupMembership 也将起作用。

Answer 1

这应该可以解决问题。而不是只给它一个字符串，而是给整个 AD 用户对象。

$adcred = Get-Credential
$adUser = Read-Host 'Enter username' | get-aduser
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 
'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred

我已经进行了彻底的测试，并且可以正常工作。用户中的管道也是如此

$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 
'Domain Users'}
$aduser |  Get-Aduser | Remove-ADPrincipalGroupMembership -MemberOf $adGroups -Credential $adcred