Remove AD Users from Domain-Cross Group with PowerShell

Within corporate groups and enterprises, there is usually more than one domain in the forest. To change a group-based permission, you add a user to a group or remove the user from it.

If the group and the user are in the same domain, it's simple; if they are in different domains, trouble arises: you may not find the group in domain A, or not find the user in domain B. How can you get it done?

If you are logged on to a domain controller

In general, the Active Directory Domain Services (AD DS) management tools are installed on domain controllers, and the Active Directory PowerShell module comes with them. Assume group_name lives in the domain sub1.domain.com and user_name lives in sub2.domain.com; this is how we break the relationship between the group and the user:

# Look up the user in its own domain (sub2), then remove it from the group in the group's domain (sub1)
$domain_user = Get-ADUser "user_name" -Server "sub2.domain.com"
# Remove-ADGroupMember asks for confirmation by default; add -Confirm:$false when running it from a script
Remove-ADGroupMember -Identity "group_name" -Members $domain_user -Server "sub1.domain.com"

If you connect to the domain controller via a session

The method above doesn't work if you connect to the domain controller through a PowerShell session; in that case you need a different approach.

# Resolve the user's distinguished name in its own domain; the group's member attribute stores DNs
$domain_user = (Get-ADUser "user_name" -Server "sub2.domain.com").DistinguishedName
# Remove that DN directly from the member attribute of the group in the group's domain
Set-ADGroup -Identity "group_name" -Remove @{member=$domain_user} -Server "sub1.domain.com"
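The two snippets above do the removal but never check whether it took effect. The helper below is an added example, not code from the original post: it wraps the same cross-domain removal in a function that first confirms the user's DN is actually listed in the group, performs the removal with Set-ADGroup (the variant that works both on the DC console and inside a remote session), and then re-reads the group to verify the member is gone. The function name and its parameter names are hypothetical; the cmdlets are the standard ActiveDirectory module cmdlets used above, and the script assumes it runs under an account with read rights in the user's domain and write rights on the group in the group's domain.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
Import-Module ActiveDirectory

function Remove-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserName,     # sAMAccountName of the user
        [Parameter(Mandatory)] [string] $UserDomain,   # domain the user lives in, e.g. sub2.domain.com
        [Parameter(Mandatory)] [string] $GroupName,    # sAMAccountName of the group
        [Parameter(Mandatory)] [string] $GroupDomain   # domain the group lives in, e.g. sub1.domain.com
    )

    # 1. Resolve the user in its own domain. The group's 'member' attribute stores
    #    distinguished names, so the DN is the value we will remove and verify against.
    $user = Get-ADUser -Identity $UserName -Server $UserDomain -ErrorAction Stop
    $dn   = $user.DistinguishedName

    # 2. Read the group from its own domain and inspect the raw 'member' attribute.
    #    Checking the attribute directly avoids Get-ADGroupMember, which may fail to
    #    resolve members that are foreign security principals from another domain.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member -ErrorAction Stop
    if ($group.member -notcontains $dn) {
        Write-Verbose "$dn is not a member of $GroupName in $GroupDomain; nothing to do."
        return $false
    }

    # 3. Remove the DN from the member attribute. -WhatIf on the call turns this into a dry run.
    if ($PSCmdlet.ShouldProcess("$GroupName ($GroupDomain)", "Remove member $dn")) {
        Set-ADGroup -Identity $group.DistinguishedName -Remove @{ member = $dn } `
                    -Server $GroupDomain -ErrorAction Stop

        # 4. Re-read the group and confirm the membership is really gone before reporting success.
        $after = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member
        if ($after.member -contains $dn) {
            throw "Removal of $dn from $GroupName did not take effect."
        }
        Write-Verbose "Removed $dn from $GroupName in $GroupDomain."
        return $true
    }
}

# Usage (names are placeholders from the post):
# Remove-CrossDomainGroupMember -UserName 'user_name' -UserDomain 'sub2.domain.com' `
#     -GroupName 'group_name' -GroupDomain 'sub1.domain.com' -Verbose
```

Run it with -WhatIf first to see which group and DN would be touched without changing anything; the verification step at the end is what turns a fire-and-forget removal into a change you can audit, because the function only returns $true after the group's member attribute no longer lists the user.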