0 Votes
AnthonyForeman-1540 asked RichMatheisen-8856 edited

Issue passing list items into Get-ADUser

Apologies if this has already been answered elsewhere. I'm trying to run the code below, but it's giving me 'Cannot validate argument on parameter 'identity'. The identity property on the argument is null or empty'.
I know this is going to be something simple, but can someone provide some pointers? Many thanks. The first member of the list works all OK; it's just from the second member that the above error appears. When I check $account I get a correct value for an expected SAM account name.

 $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" | select SAMAccountName)
 ForEach($Account in $AccountList){
     # Get Group List
     Try {
         $GroupList = (Get-ADUser $Account -properties memberOf).memberOf
         Set-ADUser -Identity $Account -clear extensionattribute2
         ForEach($group in $groupList) {
             Remove-ADGroupMember -Identity $group -Members $Account -Confirm:$False
         }
     } catch {
         $completionDetails = "There was an error removing the groups: $($error.Exception)"
         $completionDetails += "`nPlease investigate manually.`n"
     }
 }

windows-server-powershell

0 Votes
NewbieJones-6218 answered

Which line is it failing on?

The Set-ADUser or the Remove-ADGroupMember?

Please use the code sample (101010) when posting code.

Try the following for troubleshooting purposes.

 $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" -properties memberof, extensionattribute2)
    
 ForEach ($Account in $AccountList) {
 # Get Group List
        
     Try {
         $GroupList = $Account.memberOf
         Write-Host Clearing $Account.extensionattribute2 from $Account.SamAccountName 
         # Set-ADUser -Identity $Account -clear extensionattribute2
         ForEach($group in $groupList) {
             Write-Host Removing $Account.SamAccountName from $group 
             # Remove-ADGroupMember -Identity $group -Members $Account -Confirm:$False
         }
     } 
        
     Catch {
         $completionDetails = "There was an error removing the groups: $($error.Exception)"
         $completionDetails += "`nPlease investigate manually.`n"
     }
 }

0 Votes
NewbieJones-6218 answered
 # You could also consider the following
    
 Remove-ADPrincipalGroupMembership -Identity $user -MemberOf (Get-ADPrincipalGroupMembership -Identity $user) -Confirm:$false
    
 # With a bit of error handling.
    
 Try {
     Get-ADUser -Identity $user
     #User exists
    
     $ADgroups = Get-ADPrincipalGroupMembership -Identity $user | Where {$_.Name -ne "Domain Users"} 
     # Domain users is most likely the users primary group which you can't remove.
        
     If ($ADgroups -ne $null) {
         Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADgroups -Confirm:$false
     }
 }
    
 Catch{
     Write-Host "$user is not in AD"
 }

1 Vote
RichMatheisen-8856 answered RichMatheisen-8856 edited

The first line of your script looks like it's the problem:

 $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" | select SAMAccountName)

The variable $AccountList now holds a PSCustomObject (or an array of them). When you do this:

 $GroupList = (Get-ADUser $Account -Properties memberOf).memberOf

You're not using the samaccountname (which you assume to be in $Account), but a PSCustomObject, as the identity in the first position parameter of Get-ADUser.

Change that first line to:

 $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" | Select-Object -Expand SAMAccountName)

Now you'll have a string (or an array of strings) that holds the user's samaccountname.

Also, there's no need for the parentheses on that line, either.
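
The fix above combined with a guard on the wildcard filter, as an added example that is not part of any answer in this thread: if `$SAMAccountName` is empty, the original filter becomes `-like '*'` and the loop would strip groups from every account. The function name `Remove-SuffixAccountGroups`, the validation pattern and the sample account names are assumptions; the last lines run without a domain and show the type difference between the two `Select-Object` forms.

```powershell
# Added example; the function name and validation limits are assumptions.
function Remove-SuffixAccountGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # An empty suffix would make the filter -like '*' and match every
        # account, so require a few safe characters (limits are assumed).
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]{3,20}$')]
        [string]$Suffix
    )
    # -ExpandProperty returns strings, which -Identity can bind directly.
    $names = Get-ADUser -Filter "SamAccountName -like '*$Suffix'" |
        Select-Object -ExpandProperty SamAccountName

    foreach ($name in $names) {
        try {
            $groups = (Get-ADUser -Identity $name -Properties memberOf -ErrorAction Stop).memberOf
            Set-ADUser -Identity $name -Clear extensionAttribute2 -ErrorAction Stop -WhatIf:$WhatIfPreference
            foreach ($group in $groups) {
                Remove-ADGroupMember -Identity $group -Members $name -Confirm:$false `
                    -ErrorAction Stop -WhatIf:$WhatIfPreference
            }
            [pscustomobject]@{ Account = $name; Groups = @($groups).Count; Error = $null }
        }
        catch {
            # $_ is the error that triggered this catch; $error holds the whole session history.
            [pscustomobject]@{ Account = $name; Groups = $null; Error = $_.Exception.Message }
        }
    }
}

# Dry run against a domain (needs the ActiveDirectory module):
#   Remove-SuffixAccountGroups -Suffix 'adm' -WhatIf

# Constructed stand-ins for Get-ADUser output, so this part runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe-adm';   Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'asmith-adm'; Enabled = $true }
)
$wrapped = $sample | Select-Object SamAccountName                 # objects with one property
$strings = $sample | Select-Object -ExpandProperty SamAccountName # bare strings

# Print the element type each form produces.
'{0} vs {1}' -f $wrapped[0].GetType().Name, $strings[0].GetType().Name
```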
