Remove users from group with PowerShell

How to bulk remove users from AD security group with PowerShell? You can select multiple users in AD and remove them from the group, but what if you have a list of users and you don’t want to find them one by one? This is an excellent way to automate the task with PowerShell. In this article, you will learn how to bulk remove users from a group with PowerShell script.

Information

You need to remove a list of users in CSV file from a security group. The list is populated with the UserPrincipalName attribute.

There are two options to accomplish the task:

• Manually search for the users in Active Directory Users and Computers, and remove them from the security group. If you have a long list, this is time-consuming. Not only that, it’s possible that you miss a user from the list.
• Automate the search with PowerShell, and remove the users from the security group. It will take less time, and you will not miss any users.

PowerShell is great for automation, and that’s what we recommend using.

Check security group

In this example, we have the security group Pilot. The members section is filled with the users.

Read more: List all users in a Security Group through PowerShell »

Check CSV file with Import-Csv cmdlet

Check the CSV file and that you use the correct header. In our case, it’s the CSV file Users.csv and the header UserPrincipalName.

Important: Check that there are no empty spaces behind each line. If so, you will get errors, and the script will fail to remove the users.

An excellent way is to add quotation marks to surround the field.

Place the CSV file in C:\Temp folder. Create a temp folder if you don’t have one.

Run Windows PowerShell as administrator. Make sure that PowerShell can read the file, run Import-Csv cmdlet.

PS C:\> Import-Csv "C:\Temp\Users.csv"

UserPrincipalName
-----------------
Amanda.Morgan@exoip.com
Max.Fraser@exoip.com
Kylie.Davidson@exoip.com
Richard.Grant@exoip.com
Boris.Campbell@exoip.com
Nicholas.Murray@exoip.com
Leonard.Clark@exoip.com
Ruth.Dickens@exoip.com
John.Maverick@exoip.com
Ali.Tajran@exoip.com
Alysia.Maverick@exoip.com
Mohammad.Fistak@exoip.com

Remove users from group PowerShell script

Download Remove-ADUsers.ps1 PowerShell script or copy and paste the below code in Notepad. Give it the name Remove-ADUsers.ps1 and place it in the C:\scripts folder. Create a scripts folder if you don’t have one.

# Start transcript
Start-Transcript -Path C:\Temp\Remove-ADUsers.log -Append

# Import AD Module
Import-Module ActiveDirectory

# Import the data from CSV file and assign it to variable
$Users = Import-Csv "C:\Temp\Users.csv"

# Specify target group where the users will be removed from
# You can add the distinguishedName of the group. For example: CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local
$Group = "Pilot" 

foreach ($User in $Users) {
    # Retrieve UPN
    $UPN = $User.UserPrincipalName

    # Retrieve UPN related SamAccountName
    $ADUser = Get-ADUser -Filter "UserPrincipalName -eq '$UPN'" | Select-Object SamAccountName
    
    # User from CSV not in AD
    if ($ADUser -eq $null) {
        Write-Host "$UPN does not exist in AD" -ForegroundColor Red
    }
    else {
        # Retrieve AD user group membership
        $ExistingGroups = Get-ADPrincipalGroupMembership $ADUser.SamAccountName | Select-Object Name

        # User member of group
        if ($ExistingGroups.Name -eq $Group) {

            # Remove user from group
            Remove-ADGroupMember -Identity $Group -Members $ADUser.SamAccountName -Confirm:$false -WhatIf
            Write-Host "Removed $UPN from $Group" -ForeGroundColor Green
        }
        else {
            # User not member of group
            Write-Host "$UPN does not exist in $Group" -ForeGroundColor Yellow
        }
    }
}
Stop-Transcript

• Line 8: Edit the CSV file name and the path.
• Line 12: Edit the target OU.

In the next step, we will have a look at the bulk remove AD Users PowerShell script.

Bulk remove users from group with CSV file

Run Windows PowerShell as administrator. Change the path to the scripts folder and run Remove-ADUsers.ps1 PowerShell script to bulk remove AD users from group.

The script will go through all the users in the CSV file. The -WhatIf parameter is added in the script on line 33. If you run the script, nothing will happen in the environment. You will get an output showing what will happen.

The Remove-ADUsers.ps1 script will show:

• If the user is removed from the group
• If the user does not exist in the group
• If the user does not exist in Active Directory

PS C:\> cd c:\scripts
Transcript started, output file is C:\Temp\Remove-ADUsers.log
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Amanda.Morgan@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Max.Fraser@exoip.com from Pilot
Kylie.Davidson@exoip.com does not exist in Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Richard.Grant@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Boris.Campbell@exoip.com from Pilot
Nicholas.Murray@exoip.com does not exist in AD
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Leonard.Clark@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Ruth.Dickens@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed John.Maverick@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Ali.Tajran@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Alysia.Maverick@exoip.com from Pilot
What if: Performing the operation "Set" on target "CN=Pilot,OU=Groups,OU=Company,DC=exoip,DC=local".
Removed Mohammad.Fistak@exoip.com from Pilot
Transcript stopped, output file is C:\Temp\Remove-ADUsers.log

Remove the -WhatIf parameter from the PowerShell script and rerun the script. The users from the CSV are removed from the group.

PS C:\scripts> .\Remove-ADUsers.ps1
Transcript started, output file is C:\Temp\Remove-ADUsers.log
Removed Amanda.Morgan@exoip.com from Pilot
Removed Max.Fraser@exoip.com from Pilot
Kylie.Davidson@exoip.com does not exist in Pilot
Removed Richard.Grant@exoip.com from Pilot
Removed Boris.Campbell@exoip.com from Pilot
Nicholas.Murray@exoip.com does not exist in AD
Removed Leonard.Clark@exoip.com from Pilot
Removed Ruth.Dickens@exoip.com from Pilot
Removed John.Maverick@exoip.com from Pilot
Removed Ali.Tajran@exoip.com from Pilot
Removed Alysia.Maverick@exoip.com from Pilot
Removed Mohammad.Fistak@exoip.com from Pilot
Transcript stopped, output file is C:\Temp\Remove-ADUsers.log

Verify security group with removed users

When the script finishes, have a look at Active Directory Users and Computers. Go to the security group and validate that you don’t see the users from the CSV file in the members tab. In this case, the Pilot group.

The output will show in the Windows PowerShell console. Not only that, it will show the output in a log because a transcript is added to the PS script. Go to the C:\temp folder and open the Remove-ADUsers.log file.

Everything looks great! Did this help you to bulk remove users from security group with PowerShell?

Keep reading: Active Directory country code list »

Conclusion

In this article, you learned how to remove users from group with PowerShell. Download the Remove-ADUsers.ps1 PowerShell script, edit the CSV path and the target group. Run the script and verify that the AD users are removed successfully from the group. PowerShell is great for automating the process.

Did you enjoy this article? You may also like PowerShell remove quotation marks from a text file. Don’t forget to follow us and share this article.