删除禁用用户的组成员

Question

我正在尝试编写脚本来查找属于AD中特定OU中的一个或多个组的成员的禁用用户。然后它将删除所有禁用用户的所有组。但我想要生成一个用户列表，但名称列表除外。假设我不想为某些特定的残疾用户删除组。

$SearchBase = "OU=Disabled Users,DC=contoso,DC=com" 
$Users = Get-ADUser -filter * -SearchBase $SearchBase -Properties MemberOf 
$ExcludeUsers =@("SM_82786dfdc96642ed9","SM_516a93b689334db1a") 
$Users = $Users | where-Object { $ExcludeUsers -notcontains $_.samaccountname } 
ForEach($User in $Users){ 
$User.MemberOf | Remove-ADGroupMember -Member $User -Confirm:$false 
} 

错误：

Remove-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again. 
At line:3 char:22 
+  $User.MemberOf | Remove-ADGroupMember -Member $User -Confirm:$false 
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : InvalidData: (:) [Remove-ADGroupMember], ParameterBindingValidationException 
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember 

Answer 1

好像你发现没有任何组的用户（域用户不是memberof一部分）。使用类似Where-Object的东西来过滤掉空对象。例如：

$User.MemberOf | Where-Object { $_ } | Remove-ADGroupMember -Member $User -Confirm:$false