I'm trying to remove some domain users from the local Administrators group using PowerShell, specifically with .Net and ADSI methods. I've been running into an issue where the .Remove() method fails with an error: 'No principal matching the specified parameters was found' when I'm attempting to remove active domain accounts. I've successfully used the method for local accounts and AzureAD users, but domain accounts just won't budge. I've tried both SAM account names and SIDs, but to no avail. Has anyone faced a similar issue or found a workaround for this?
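Added example (not code from the original post) illustrating the ADSI WinNT approach described above: it enumerates the local Administrators group, flags members whose SID no longer resolves, and removes a member by DOMAIN\user name or SID only after confirming it is actually present. It assumes a domain-joined Windows host and a local-admin session; 'CONTOSO\jdoe' is a placeholder identity.

```powershell
# Added example, not code from the original post. Assumes a domain-joined
# Windows host running as a local administrator; 'CONTOSO\jdoe' is a placeholder.

function Get-LocalGroupMembership {
    # Enumerate group members via the ADSI WinNT provider and report each member's
    # SID, resolved account name, and whether the SID no longer resolves (orphaned).
    param([string]$GroupName = 'Administrators', [string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $adsPath  = $m.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $m, $null)
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch [System.Security.Principal.IdentityNotMappedException] { $name = $null }
        [pscustomobject]@{ AdsPath = $adsPath; Sid = $sid.Value; Name = $name; Orphaned = ($null -eq $name) }
    }
}

function Remove-LocalGroupMembership {
    # Remove one member given as DOMAIN\user or as a SID string. Membership is
    # checked first so a missing or unresolvable principal is reported clearly
    # instead of surfacing as a bare .Remove() failure.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$GroupName = 'Administrators',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $members = Get-LocalGroupMembership -GroupName $GroupName -ComputerName $ComputerName
    $target  = $members | Where-Object { $_.Name -eq $Identity -or $_.Sid -eq $Identity }
    if (-not $target) {
        Write-Warning "'$Identity' is not a member of $ComputerName\$GroupName (or its SID no longer resolves)."
        return
    }
    if ($target.Sid -like 'S-1-5-21-*-500') {
        throw "Refusing to remove the built-in Administrator account ($($target.Sid))."
    }
    if ($PSCmdlet.ShouldProcess("$ComputerName\$GroupName", "Remove $($target.AdsPath)")) {
        $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        # Orphaned entries are addressed by their WinNT://S-1-5-... path, resolvable
        # ones by WinNT://DOMAIN/user; both come straight from the member object.
        $group.Remove($target.AdsPath)
    }
}

# Review current membership, then dry-run the removal before doing it for real.
Get-LocalGroupMembership | Format-Table Name, Sid, Orphaned
Remove-LocalGroupMembership -Identity 'CONTOSO\jdoe' -WhatIf
```

Run with -WhatIf first and compare the Orphaned column against your removal list: an entry that only shows up as a bare SID has to be removed by that SID string, not by its former SAM account name.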
3 Answers
Have you checked if the machines are managed through Intune? If they are, consider using the policy at 'Endpoint Security > Account protection > Create Policy > Local user group membership' instead of PowerShell. There are guides available on calculating the SIDs required for Entra groups, so you can avoid mistakenly removing important accounts like the Entra Device Administrator role.
You might want to consider using Group Policy to clear out all members from the group altogether. It could be a more straightforward approach!
Why not just upgrade to PowerShell 7? I wasn't aware that 5.1 had issues with this. I’ve been using 7 for ages, so I might have missed any concerns related to it.
The local accounts module struggles with AD users that were deleted from Active Directory, which might be causing your headaches.
Unfortunately, I can’t upgrade to 7 right now. Stuck with 5.1 for the time being.

Different setups here—these devices aren't on AzureAD, just the regular local domain. I've tried this script across environments, and it's only the one in the domain that’s giving me trouble with removing users. The same code works fine for local and AzureAD users elsewhere!