Adding and removing users from groups is a standard administrative task in AD. The script below removes a user from a group in four ways: the Microsoft AD cmdlets, the AD provider, the Quest cmdlets and ADSI scripting.
```powershell
## remove users from groups
$ou = "OU=BlogTests,DC=Manticore,DC=org"

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name -Properties * |
    Remove-ADPrincipalGroupMembership -MemberOf GroupGblSecA -Confirm:$false

"`nAD provider"
$name = "UserB"
$grpmem = Get-ItemProperty ad:\"CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -Name member
$members = @($grpmem.member)
$members = $members -ne "cn=$name,$ou"
Set-ItemProperty ad:\"CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -Name member -Value $members

"`nQuest"
$name = "UserC"
Get-QADUser -Identity $name | Remove-QADGroupMember -Identity GroupGblSecA

"`nScript"
$group = [adsi]"LDAP://CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org"
$name = "UserD"
$group.Remove("LDAP://cn=$name,$ou")
```
In all cases it boils down to the same thing: get the user, get the group, and tell AD to remove the user from the group. The key is that the change happens on the group object (its member attribute), not on the user. You can't do this from the user side.
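The same group-side removal as the ADSI script above, wrapped in a function that checks membership before the change and confirms it afterwards. This is an added example, not code from the original post; the DN values in the comments are assumptions.

```powershell
# Added example: remove a user from a group via ADSI and verify the result.
# Supports -WhatIf/-Confirm so the change can be previewed before it is made.
function Remove-UserFromGroupAdsi {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed values, e.g. "CN=UserD,OU=BlogTests,DC=Manticore,DC=org"
        [Parameter(Mandatory)] [string]$UserDn,
        # e.g. "CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org"
        [Parameter(Mandatory)] [string]$GroupDn
    )

    $group    = [adsi]"LDAP://$GroupDn"
    $userPath = "LDAP://$UserDn"

    # Membership lives on the group object, so that is where we look.
    # IsMember checks direct membership only, not nested groups.
    if (-not $group.IsMember($userPath)) {
        Write-Warning "$UserDn is not a direct member of $GroupDn; nothing to do."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($GroupDn, "Remove member $UserDn")) {
        $group.Remove($userPath)
        $group.RefreshCache()   # re-read the member attribute from the DC

        if ($group.IsMember($userPath)) {
            throw "Removal of $UserDn from $GroupDn did not take effect."
        }
        Write-Verbose "Removed $UserDn from $GroupDn."
        return $true
    }
    return $false
}

# Usage (assumed DNs):
# Remove-UserFromGroupAdsi -UserDn "CN=UserD,OU=BlogTests,DC=Manticore,DC=org" `
#     -GroupDn "CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -WhatIf
```

Run with -WhatIf first to see the change that would be made; the post-change check catches the case where the call returned without the directory actually updating.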