Delete a windows group in Active Directory

I am doing a cleanup of some AD groups that are no longer used. One of the AD groups I could not delete because it seems that a member has this group set as the primary group (which I assume someone did by accident). Is there an easy way to find out who has this group set as primary?


You'll need to get the primaryGroupToken value of the group in question:

  1. Use adsiedit to examine the group you want to delete. Make note of the primaryGroupToken attribute's value.
  2. Create a Saved Query in Active Directory Users and Computers using the following "Custom Search" where XXX= the value you found for primaryGroupToken:

    (&(objectCategory=person)(objectClass=user)(primaryGroupID=XXX))

  3. Refresh the query to see who shows up.

Alternatively, if all users are expected to have Domain Users as their primary group, just define the query using the following (513 is the typical value for Domain Users):

    (&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))

Additional Links:

http://support.microsoft.com/default.aspx?scid=kb;en-us;321360
http://support.microsoft.com/default.aspx?scid=kb;en-us;297951

Great Question!
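The same lookup scripted with the ActiveDirectory module (RSAT), as an added example that is not part of the answer above. The group name is a placeholder; the function reads the group's primaryGroupToken and runs the LDAP filter from step 2, and the optional remediation points the affected users back at Domain Users (looking up its token instead of assuming 513) so the group can then be deleted.

```powershell
Import-Module ActiveDirectory

# Return the users whose primaryGroupID equals the given group's primaryGroupToken.
function Get-UsersWithPrimaryGroup {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken
    $token = $group.primaryGroupToken

    # Same filter as the ADUC Saved Query, with the token substituted for XXX
    $filter = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=$token))"
    Get-ADUser -LDAPFilter $filter -Properties primaryGroupID
}

# Point each user's primary group back at Domain Users. AD requires the user to already be
# a direct member of the new primary group, so membership is added first when missing.
function Reset-PrimaryGroupToDomainUsers {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser[]]$Users)

    $domainUsers = Get-ADGroup -Identity 'Domain Users' -Properties primaryGroupToken
    foreach ($u in $Users) {
        $isMember = Get-ADPrincipalGroupMembership -Identity $u |
            Where-Object { $_.SID -eq $domainUsers.SID }
        if (-not $isMember) {
            Add-ADGroupMember -Identity $domainUsers -Members $u
        }
        Set-ADUser -Identity $u -Replace @{ primaryGroupID = $domainUsers.primaryGroupToken }
    }
}

# Placeholder name for the group that refused to be deleted
$staleGroup = 'Old-App-Group'
$blocking = Get-UsersWithPrimaryGroup -GroupName $staleGroup
$blocking | Select-Object SamAccountName, DistinguishedName, primaryGroupID

if ($blocking) {
    Reset-PrimaryGroupToDomainUsers -Users $blocking
}
# Once no user references the group as primary, the delete succeeds:
# Remove-ADGroup -Identity $staleGroup -WhatIf
```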


Just by giving the privileges

To delete a Windows group in Active Directory:

  1. Open notepad

  2. Copy and paste below text to notepad

  3. Save the file with .ps1 extension.

---------- SCRIPT STARTS HERE--------------

    # VERSION 2
    # 4/19/2010
    # script to modify termed users
    # 1. pull termed users from CSV, remove user group membership
    # 2. Clear Manager property
    # 3. Hide from GAL
    # 4. move to disabled OU
    # 5. rename csv to completed date, move to completed

    # The Get-QADUser/Set-QADUser/Move-QADObject cmdlets come from the Quest ActiveRoles snap-in
    Add-PSSnapin Quest.ActiveRoles.ADManagement

    $groupmembershiplog = "c:\removeADAttributes\group_membership_log.csv"
    $erroractionpreference = "SilentlyContinue"
    $termfile = Test-Path -Path "C:\removeADAttributes\termed_employees.csv"
    If ($termfile -eq $true) {
        $inputcsv = "C:\removeADAttributes\termed_employees.csv"
        $completeddir = "C:\removeADAttributes\completed\"
        $date = Get-Date -format d

        import-CSV $inputcsv | foreach-object {
            $username = $_.account

            # export groups to file
            $groups = (Get-QADUser $username).memberof
            Add-Content $groupmembershiplog "$username,$groups"

            # remove groups (Domain Users is kept because it is the primary group)
            $groups | Get-QADGroup | where {$_.name -ne "domain users"} | Remove-QADGroupMember -Member $username

            # clear Manager property
            Set-QADUser -Identity $username -objectattributes @{"Manager"="$null"}

            # move to the Disabled Accounts OU under the user's current top-level OU
            $currentuser = Get-QADUser -Identity $username -SizeLimit 1
            $currentOU = $currentuser.parentcontainer
            $currentOU = $currentOU.Split('/')
            $currentOU = $currentOU[1]
            Move-QADObject -identity $username -NewParentContainer "domainname.com/$currentOU/Disabled Accounts"
        }

        # hide from GAL
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
        import-CSV $inputcsv | foreach-object {
            $username = $_.account
            Set-Mailbox -Identity $username -HiddenFromAddressListsEnabled $true
        }

        # log each processed account
        import-CSV $inputcsv | foreach-object {
            $username = $_.account
            Add-Content "C:\removeADAttributes\removeADAttributes_log.csv" "$date,$username"
        }

        # rename csv to completed date, move to completed
        Move-Item $inputcsv -Destination $completeddir
        $todaydate = $date.replace("/","_")
        $newfilename = $todaydate + ".csv"
        Rename-Item "C:\removeADAttributes\completed\termed_employees.csv" -NewName $newfilename
    } else {
        $date = Get-Date -format d
        Add-Content "C:\removeADAttributes\removeADAttributes_log.csv" "$date,no term user, no term user"
        exit
    }

---------- SCRIPT ENDS HERE------------

Hope this script will be useful for you.