Issue passing list items into Get-ADUser

Kiwi Apes 1 Reputation point
2022-05-10T11:31:32.447+00:00

Apologies if this has already been answered else where, I'm trying to run the code below but it's giving me 'Cannot validate argument on parameter 'identity'. The identity property on the argument is null or empty'.
I know this is going to be something simple, but can someone provide some pointers? Many thanks. The first member of the list works all OK; it's just from the second member that the above error appears. When I check $account I get a correct value for an expected SAM account name.

$AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" | select SAMAccountName)
ForEach($Account in $AccountList){

# Get Group List

Try {
$GroupList = (Get-ADUser $Account -properties memberOf).memberOf
Set-ADUser -Identity $Account -clear extensionattribute2
ForEach($group in $groupList) {
Remove-ADGroupMember -Identity $group -Members $Account -Confirm:$False
}
} catch {
$completionDetails = "There was an error removing the groups: $($error.Exception)"
$completionDetails += "`nPlease investigate manually.`n"
}}


3 answers

  1. Rich Matheisen 45,831 Reputation points
    2022-05-10T14:05:36.87+00:00

    The first line of your script looks like it's the problem:

    $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" | select SAMAccountName)
    

    The variable $AccountList now holds a PSCustomObject (or an array of them). When you do this:

    $GroupList = (Get-ADUser $Account -Properties memberOf).memberOf
    

    You're not using the samaccountname (which you assume to be in $Account) but a PSCustomObject as the identity in the first positional parameter of Get-ADUser.

    Change that first line to:

    $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" | Select-Object -Expand SAMAccountName)
    

    Now you'll have a string (or an array of strings) that holds the user's samaccountname.

    Also, there's no need for the parentheses on that line, either.

    1 person found this answer helpful.
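    The following is an added example, not code from the question or from this answer. It shows the type difference the answer describes (Select-Object keeps a PSCustomObject wrapper, -ExpandProperty yields the bare string) and then the loop rewritten so that only strings and ADUser objects reach -Identity. The function name Remove-UserFromAllGroups, the exact-match lookup, SupportsShouldProcess and the -ErrorAction Stop / $_ handling are additions of mine, not part of the original post; the ActiveDirectory module and an account named 'jsmith' are assumed.

    ```powershell
    # Added example: why the original failed, and the loop with string identities.
    # The first value is a PSCustomObject with one property, the second a System.String.
    $wrapped   = [pscustomobject]@{ SamAccountName = 'jsmith' } | Select-Object SamAccountName
    $unwrapped = [pscustomobject]@{ SamAccountName = 'jsmith' } | Select-Object -ExpandProperty SamAccountName
    "Select-Object alone   : {0}" -f $wrapped.GetType().Name
    "With -ExpandProperty  : {0}" -f $unwrapped.GetType().Name

    Import-Module ActiveDirectory

    function Remove-UserFromAllGroups {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            # Exact SamAccountName. The question's filter used a leading wildcard
            # ('*jsmith'), which also matches 'ajsmith' or 'svc-jsmith' and would
            # strip the wrong accounts of their group memberships.
            [Parameter(Mandatory)][string]$SamAccountName
        )

        # -ErrorAction Stop turns the cmdlet's non-terminating errors into terminating
        # ones; without it the try/catch around an AD cmdlet is never entered.
        try {
            $user = Get-ADUser -Identity $SamAccountName -Properties memberOf -ErrorAction Stop
        }
        catch {
            Write-Error "Account '$SamAccountName' not found: $($_.Exception.Message)"
            return
        }

        # memberOf is an array of group distinguished names (strings), so each
        # element is a valid -Identity for Remove-ADGroupMember.
        foreach ($groupDn in $user.memberOf) {
            if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $SamAccountName")) {
                try {
                    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
                    Write-Verbose "Removed $SamAccountName from $groupDn"
                }
                catch {
                    # $_ is the error record for this failure; $error (used in the
                    # question) is the session-wide history, so its message need not
                    # refer to the cmdlet that just failed.
                    Write-Warning "Could not remove $SamAccountName from ${groupDn}: $($_.Exception.Message)"
                }
            }
        }

        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear extensionAttribute2')) {
            Set-ADUser -Identity $user -Clear extensionAttribute2 -ErrorAction Stop
        }
    }

    # Dry run first: -WhatIf lists every removal without changing AD.
    Remove-UserFromAllGroups -SamAccountName 'jsmith' -WhatIf
    ```

    Run it with -WhatIf (and -Verbose) before the real pass: stripping group memberships is a deprovisioning step, and a loop that matched more accounts than intended is not recoverable from the script's own output.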

  2. Newbie Jones 1,331 Reputation points
    2022-05-10T13:02:17.157+00:00

    Which line is it failing on?

    The Set-ADUser or the Remove-ADGroupMember?

    Please use the code sample (101010) when posting code.

    Try the following for troubleshooting purposes.

    $AccountList = (Get-ADUser -Filter "SAMAccountName -like '*$SAMAccountName'" -properties memberof, extensionattribute2)
    
    ForEach ($Account in $AccountList) {
    # Get Group List
    
        Try {
            $GroupList = $Account.memberOf
            Write-Host Clearing $Account.extensionattribute2 from $Account.SamAccountName 
            # Set-ADUser -Identity $Account -clear extensionattribute2
            ForEach($group in $groupList) {
                Write-Host Removing $Account.SamAccountName from $group 
                # Remove-ADGroupMember -Identity $group -Members $Account -Confirm:$False
            }
        } 
    
        Catch {
            $completionDetails = "There was an error removing the groups: $($error.Exception)"
            $completionDetails += "`nPlease investigate manually.`n"
        }
    }
    

  3. Newbie Jones 1,331 Reputation points
    2022-05-10T13:31:03.723+00:00
    # You could also consider the following
    
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf (Get-ADPrincipalGroupMembership -Identity $user) -Confirm:$false
    
    # With a bit of error handling.
    
    Try {
        Get-ADUser -Identity $user
        #User exists
    
        $ADgroups = Get-ADPrincipalGroupMembership -Identity $user | Where {$_.Name -ne "Domain Users"} 
        # Domain users is most likely the users primary group which you can't remove.
    
        If ($ADgroups -ne $null) {
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $ADgroups -Confirm:$false
        }
    }
    
    Catch{
        Write-Host "$user is not in AD"
    }
    
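    The following is an added example and not part of the answer above. It takes the Remove-ADPrincipalGroupMembership approach but identifies the primary group from the account's own PrimaryGroup attribute instead of the name "Domain Users" (the default, but an administrator can change it), and writes the memberships to a file before removing them so the change can be reviewed or replayed with Add-ADPrincipalGroupMembership. The function name Remove-AllGroupMembership, the -BackupPath parameter and its default file name are my assumptions; the ActiveDirectory module is required.

    ```powershell
    # Added example: primary group excluded by distinguished name, memberships saved first.
    Import-Module ActiveDirectory

    function Remove-AllGroupMembership {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            [Parameter(Mandatory)][string]$SamAccountName,
            # Where the pre-change snapshot is written (assumed name, not from the post).
            [string]$BackupPath = "${SamAccountName}-groups.json"
        )

        # -ErrorAction Stop so a missing account is a terminating error for the caller.
        $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup -ErrorAction Stop

        # Every group the account is a direct member of, including the primary group.
        $groups = Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop

        # The primary group cannot be removed with Remove-ADPrincipalGroupMembership.
        # Compare by DN against the account's PrimaryGroup rather than by the name
        # "Domain Users", which is only the default.
        $removable = @($groups | Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup })

        if ($removable.Count -eq 0) {
            Write-Verbose "$SamAccountName holds no removable memberships"
            return
        }

        # Snapshot before changing anything, so the removal is auditable and reversible:
        # Add-ADPrincipalGroupMembership -MemberOf can replay the saved DNs.
        $removable | Select-Object Name, DistinguishedName |
            ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8

        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from $($removable.Count) groups")) {
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $removable -Confirm:$false -ErrorAction Stop
        }

        # Return what was (or, under -WhatIf, would be) removed for logging by the caller.
        $removable
    }

    # Dry run: lists the groups and writes the snapshot, but removes nothing.
    Remove-AllGroupMembership -SamAccountName 'jsmith' -WhatIf
    ```

    The snapshot is written even under -WhatIf, which is deliberate: it lets you inspect exactly which memberships the real run will touch before committing to it.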