Using PowerShell and a Text File to Delete Multiple Active Directory Groups

Hi All,

I recently had the task of having to remove several hundred Active Directory Groups that were no longer needed due to a legacy application that was being decommissioned. These groups were scattered throughout the directory and I was provided a list of group names that needed to be removed. Since it was several hundred groups, in the interest of time, I couldn’t sit there searching for the groups deleting them one at a time.

In this article I will show how I use the Get-Content, Get-ADGroup, Set-ADObject, and the Remove-ADGroup cmdlets to remove select Active Directory Groups in bulk. You will need to have the “Active Directory Module for PowerShell” installed to use the Active Directory specific cmdlets.

To start you will need to create a text file and list the groups that you would like to remove line by line as shown below. For the purpose of this example we will save the file as “RemoveGroups.txt” and save it to the “c:\scripts” directory.

Now that we have the text file saved, we are ready to run the script below. You can either save the following lines to a .ps1 file and run it or run them line by line from a PowerShell command prompt. Before actually executing the deletion of the groups I have added the “whatif” parameter to see what will actually be deleted before really deleting anything. This will let you have a test run to make sure you are not deleting anything you don’t want to.

The Script

Import-Module ActiveDirectory

$groups = get-content C:\Scripts\RemoveGroups.txt | Get-ADGroup -Properties ProtectedFromAccidentalDeletion

$groups | Set-ADObject -ProtectedFromAccidentalDeletion $false

$groups | Remove-ADGroup –whatif

Now that you have made sure the script is deleting the groups you want it to delete, you can simply just remove the -whatif parameter as shown below and run it again to actually delete the groups.

Import-Module ActiveDirectory

$groups = get-content C:\Scripts\RemoveGroups.txt | Get-ADGroup -Properties ProtectedFromAccidentalDeletion

$groups | Set-ADObject -ProtectedFromAccidentalDeletion $false

$groups | Remove-ADGroup

You will be prompted to confirm the group deletion as shown below. Type “a” to select “Yes to All”.

The groups will be removed.

To explain the script, first we ran the “Import-Module ActiveDirectory” command to import the “Active Directory Module for PowerShell”. If you are running PowerShell 3.0 and the “Active Directory Module for PowerShell” is installed, you will not need to run this command as the module will be imported automatically. Next we use the “Get-Content” cmdlet to get the list of groups from the text file. We then pipe it to the “Get-ADGroup” cmdlet also getting the “ProtectedFromAccidentalDeletion” property so we can manipulate it later. We assign all of this to the $groups variable. We then use the “Set-AdObject” cmdlet to set the “ProtectedFromAccidentalDeletion” property to false. Setting the “ProtectedFromAccidentalDeletion” to false will turn off Protect object from Accidental Deletion on the group object to make sure you will not get “Access Denied” when trying to delete the group. Finally, you pipe the $groups variable to the “Remove-ADGroup cmdlet to delete the groups.

I hope this helps. As always, if you have any questions or feedback, please leave a comment.

Related Links:

Using PowerShell to export Active Directory Group Members to a CVS File

Using PowerShell and Active Directory to Create a Server or Workstation Inventory

Using PowerShell to find Stale Computers in Active Directory

Moving Stale Computers in Active Directory to an OU using PowerShell