
Calling POWERSHELL Gurus (non-PDQ related)

I'm freshly learning more advanced PowerShell to help automate a few processes to make my life easier. Was hoping someone could critique/help with the following script.

My Goal - Move separated users to an OU called tobeseperated - PowerShell script kicks off - Looks in that OU - Disables the user - Copies the Members Of to the Description - Removes the memberships (except Domain Users) and then moves the disabled account to the SeperatedEmployees OU. I think I have everything except the move to the new OU.

Import-Module ActiveDirectory
$users = Get-ADUser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
    Select-Object samaccountname, @{n='MemberOf'; e={ ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

# Set description to the list of group names the user belonged to
foreach ($user in $users) {
    Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

    # Remove from all the groups (Domain Users excluded)
    Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
}

0

Comments

5 comments
  • You are pretty close! Drop this in your Foreach block, and it should take care of the move:

    # Set description
    foreach ($user in $users) {
        Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

        # Remove from all the groups
        Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False

        # Look the account up again so Move-ADObject receives a real AD object;
        # the Select-Object output above carries no distinguishedName for -Identity to resolve
        Get-ADUser $user.samaccountname | Move-ADObject -TargetPath "OU=SeparatedEmployees,DC=domainname,DC=org"
    }
    0
  • So the top part of my script is still good? Would that part search the tobeseperated OU only and then perform the rest?

    Import-Module ActiveDirectory
    $users = Get-ADUser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
        Select-Object samaccountname, @{n='MemberOf'; e={ ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

    0
  • In looking at it a little closer I did see one thing in that top part that would cause you grief. You're going to want to use this for your Get-ADUser call:

    Get-ADUser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
        Select-Object samaccountname, @{n='MemberOf'; e={ ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

    That -Filter * parameter is important, otherwise it is going to throw an error at you because you are not technically specifying *anything* to search FOR, just WHERE to search, and WHAT to return.

    Let me know
    0
  • It's almost there. It does everything except disable the user, and it errors out at the move part. I'm going back through to make sure I didn't mistype something.

    # Import AD module - search the tobeseperated OU - Disable the account - Copy Members Of to Description field - Move user to Seperated Users OU

    Import-Module ActiveDirectory
    Get-ADUser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
        Select-Object samaccountname, @{n='MemberOf'; e={ ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

    # Set description
    foreach ($user in $users) {

        Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

        # Remove from all the groups
        Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False

        Move-ADObject -Identity $user -TargetPath "OU=Separated Employees,DC=safy,DC=org"
    }

    0
  • Hey Dan, I don't have the Active Directory module installed on the computer that I am trying this on, so I couldn't fully test it. I believe I have the few additions to get the script working like you want. Take a look and see what you think of it.

    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
        Select-Object samaccountname, distinguishedName, @{n='MemberOf'; e={ ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

    # Set description
    foreach ($user in $users) {

        Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

        # Remove from all the groups
        Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False

        ### Disable account and move to Separated OU
        Disable-ADAccount $user.samaccountname
        # distinguishedName is selected above so that Move-ADObject can resolve the object
        Move-ADObject -Identity $user.distinguishedName -TargetPath "OU=Separated Employees,DC=safy,DC=org"
    }
    0
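A hardened variant of the thread's script, added here as an example that is not code from the thread or from PDQ; it assumes the ActiveDirectory module and the OU names used above, and the log path is an assumption. It differs from the posted script in that it removes only the groups the user is actually in (instead of walking every group in the domain), disables the account before touching memberships, handles each user independently so one failure does not stop the run, and supports -WhatIf for a dry run.

```powershell
# Added example (not the thread's code). Assumes the ActiveDirectory module and the
# OU names used in the thread; the log path is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SourceOU = "OU=tobeseperated,DC=domainname,DC=org",
    [string]$TargetOU = "OU=Separated Employees,DC=domainname,DC=org",
    [string]$LogPath  = "$env:TEMP\separate-users.log"
)
Import-Module ActiveDirectory

# OneLevel keeps the script from recursing into any child OUs of the staging OU.
$users = Get-ADUser -Filter * -SearchBase $SourceOU -SearchScope OneLevel -Properties memberOf

foreach ($user in $users) {
    try {
        # memberOf lists only the groups the user is actually in; the primary group
        # (Domain Users by default) is never part of memberOf, so it is left untouched.
        $groups = @($user.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })
        $desc   = "Was a member of :- " + ($groups.Name -join ",")
        # The description attribute is limited to 1024 characters.
        if ($desc.Length -gt 1024) { $desc = $desc.Substring(0, 1021) + "..." }

        $action = "disable, remove from $($groups.Count) group(s), move to $TargetOU"
        if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, $action)) { continue }

        # Disable first so the account cannot be used while the rest of the steps run.
        Disable-ADAccount -Identity $user -Confirm:$false
        Set-ADUser -Identity $user -Description $desc
        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU

        # Log the group DNs so the memberships can be restored if the separation is reversed.
        "$(Get-Date -Format s) OK   $($user.SamAccountName) groups=$($groups.DistinguishedName -join ';')" |
            Add-Content -Path $LogPath
    }
    catch {
        # One failing user must not stop the run; record it and carry on.
        "$(Get-Date -Format s) FAIL $($user.SamAccountName) $($_.Exception.Message)" | Add-Content -Path $LogPath
        Write-Warning "$($user.SamAccountName): $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf to see which accounts and groups would be touched before letting it make changes.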