Calling PowerShell Gurus (non-PDQ related)
I'm freshly learning more advanced PowerShell to help automate a few processes to make my life easier. Was hoping someone could critique/help with the following script.
My Goal:
- Move Separated Users to OU called tobeseperated
- PowerShell script kicks off
- Looks in that OU
- Disables the User
- Copies the Members Of to the Description
- Removes the Memberships (except domain users)
- Then moves the disabled account to the SeperatedEmployees OU
I think I have everything except the Move to the new OU.
import-module activedirectory
$users = get-aduser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname,memberof |
    select samaccountname, @{n='MemberOf'; e={ ($_.memberof | % { (Get-ADObject $_).Name }) -join "," }}
#set description
Foreach ($user in $users)
{
    Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"
    # Remove From all the Groups
    Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
}
Comments
You are pretty close! Drop this in your Foreach block, and it should take care of the move:
So the top part of my script is still good? Would that part search the tobeseperated OU only and then perform the rest?
import-module activedirectory
$users = get-aduser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname,memberof |
    select samaccountname, @{n='MemberOf'; e={ ($_.memberof | % { (Get-ADObject $_).Name }) -join "," }}
In looking at it a little closer I did see one thing in that top part that would cause you grief. You're going to want to use this for your Get-ADUser call:
It's almost there. It does everything except disable the user, and it errors out at the move part. I'm going back through to make sure I didn't mistype something.
#import AD module - search the tobeseperated OU - Disable the account - Copy Members of to Description Field - Move user to Seperated Users OU
import-module activedirectory
$users = get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
    Select-Object samaccountname, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}
#set description
Foreach ($user in $users)
{
    Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"
    # Remove From all the Groups
    Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
    Move-ADObject -Identity $user -TargetPath "OU=Separated Employees,DC=safy,DC=org"
}
Hey Dan, I don't have the Active Directory module installed on the computer that I am trying this on, so I couldn't fully test it. I believe I have the few additions to get the script working like you want. Take a look and see what you think of it.
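Added example, not part of the thread and not any poster's script: one way to run the whole procedure from the original post (disable, record group names in the description, remove memberships, move to the final OU). The function name and the domain components in the OU paths are placeholders; it keeps the full ADUser object for every cmdlet instead of a Select-Object projection, and supports -WhatIf for a dry run.

```powershell
# Added example. Function name and OU paths are placeholders, not from the thread.
Import-Module ActiveDirectory

function Invoke-SeparatedUserCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceOU = 'OU=tobeseperated,DC=domainname,DC=org',
        [string]$TargetOU = 'OU=Separated Employees,DC=domainname,DC=org'
    )

    # Get-ADUser needs -Filter for a search. MemberOf holds group DNs and does
    # not list the primary group (normally Domain Users), so that one is left alone.
    $users = Get-ADUser -Filter * -SearchBase $SourceOU -Properties MemberOf

    foreach ($user in $users) {
        # Snapshot the memberships before anything is changed.
        $groupDns   = @($user.MemberOf)
        $groupNames = @($groupDns | ForEach-Object { (Get-ADGroup -Identity $_).Name })

        Disable-ADAccount -Identity $user -WhatIf:$WhatIfPreference
        Set-ADUser -Identity $user -Description "Was a member of: $($groupNames -join ', ')" `
            -WhatIf:$WhatIfPreference

        # Touch only the groups this user actually belongs to.
        foreach ($dn in $groupDns) {
            Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false `
                -WhatIf:$WhatIfPreference
        }

        # Move last, so the earlier calls still resolve the user in the source OU.
        Move-ADObject -Identity $user -TargetPath $TargetOU -WhatIf:$WhatIfPreference

        # Emit one record per user so the run can be logged or exported.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            RemovedGroups  = $groupNames -join ', '
        }
    }
}

# Dry run first; remove -WhatIf to apply the changes.
Invoke-SeparatedUserCleanup -WhatIf
```

Piping the output to Export-Csv keeps a record of the removed memberships outside the Description field.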