powershell - 删除-ADPrincipalGroupMembership '权限不足'

问题描述

我有一个 Powershell 脚本，它可以从所有 AD 组中删除一个用户，当我向它抛出一组组时它会因“权限不足”而失败，但当我删除一个组时它不会。

$adcred = Get-Credential
$adUser = Read-Host 'Enter username'
$adGroups = Get-ADPrincipalGroupMembership -Identity $adUser | where {$_.name -ne 'Domain Users'}
Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGroups -Credential $adcred

WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is:
'Insufficient access rights to perform the operation'.
WARNING: Could not remove member(s) from ADGroup: '{-- snip --}'. Error is: 'Insufficient access rights to perform the operation'.
Remove-ADPrincipalGroupMembership : Could not remove member(s) to one or more ADGroup.
At line:1 char:1
+ Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $adGrou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Microsoft.Activ...ement.ADGroup[]:ADGroup[]) [Remove-ADPrincipalGroupMembership], ADExcep
   tion
    + FullyQualifiedErrorId : 1,Microsoft.ActiveDirectory.Management.Commands.RemoveADPrincipalGroupMembership

但是，如果我使用相同的凭据手动输入一个组名，它就会起作用。

Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf 'somegroup' -Credential $adcred

我的 Powershell Windows 在非域管理员帐户下运行，但我在脚本中提供了域管理员凭据。此外，如果我运行一个新的 Powershell 窗口“作为不同的用户”并提供我的域管理员凭据，那么即使我向它抛出一个集合，Remove-ADPrincipalGroupMembership 也将起作用。

标签： powershellactive-directory