How to remove a user as member from all the access groups in Active Directory (AD)


I want to remove a user from membership of all the access groups in AD. Some of the access groups belong to another domain. Below is my code, but it doesn't work and I get the error message "Remove-ADGroupMember : A referral was returned from the server":

#getting the decommissioned account user name
$StoreName = Read-Host -Prompt 'Enter the Store name'
$ADStore = Get-ADUser -Identity $StoreName -Server hostname.abc.def.com.au
#statement to strip the access groups from the store account
#(the $_ in -Members is the user from the outer ForEach-Object; each group DN is piped in as -Identity)
Get-ADUser -Identity $ADStore -Properties MemberOf | ForEach-Object {
    $_.MemberOf | Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false
}

It must be noted that some of the access groups belong to the domain "def.com.au" which is hosted on another server "hostname02.def.com.au"

David Trevor

The error message "A referral was returned from the server" in Active Directory context always means the following:

The domain controller you connect against is not responsible for the operation or the object you are trying to retrieve. You are getting "referred" to a domain controller in another domain.

That means for those groups outside of your own domain, you must specify the target domain controller explicitly.

Remove-ADGroupMember -Server "hostname02.def.com.au" [...]

Of course you also need to make sure that the current executing user has permissions for the operation in the other domain. If that is not the case, you might need to split the script logic to run once in your domain and once in the other domain.
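The following is an added example (not the answerer's code) of the per-domain approach described above: it reads the owning domain of each group out of its distinguished name and targets that domain with -Server, so no referral is chased. It assumes the hostnames from the question, that the user lives in abc.def.com.au, and that the running account has remove rights in both domains.

```powershell
# Added example, not the answerer's code. Assumes the user account is in abc.def.com.au
# and that the executing account may modify group membership in every domain involved.
Import-Module ActiveDirectory

$StoreName = Read-Host -Prompt 'Enter the Store name'
$UserDc    = 'hostname.abc.def.com.au'   # DC in the user's own domain (from the question)

# Fetch the user once from its own domain. MemberOf holds the DNs of all groups,
# including groups that live in other domains of the forest.
$ADStore = Get-ADUser -Identity $StoreName -Server $UserDc -Properties MemberOf

# Derive the DNS name of the domain that owns an object from its DN:
# "CN=G1,OU=Groups,DC=def,DC=com,DC=au" -> "def.com.au"
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    $dcParts = ($DistinguishedName -split ',') |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

# Group the memberships by owning domain and remove the user from each group
# against that domain (-Server accepts a domain DNS name; the DC locator picks
# a writable DC). Passing the user object, not just its name, lets the target
# domain resolve a member that lives in a different domain.
$ADStore.MemberOf | Group-Object { Get-DomainFromDN $_ } | ForEach-Object {
    $domain = $_.Name
    foreach ($groupDn in $_.Group) {
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $ADStore -Server $domain -Confirm:$false
            Write-Host "Removed $($ADStore.SamAccountName) from $groupDn ($domain)"
        } catch {
            # A failure here is usually missing rights in $domain, as noted in the answer.
            Write-Warning "Failed on $groupDn in $domain : $($_.Exception.Message)"
        }
    }
}
```

Run it with -WhatIf added to Remove-ADGroupMember first to see which groups in which domains would be touched before any change is made.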