Calling POWERSHELL Guru's (non-pdq related)

  • Stephen Valdinger

    You are pretty close! Drop this in your Foreach block, and it should take care of the move:

     

    #set description
    Foreach ($user in $users)
    {
        Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

        # Remove From all the Groups
        Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False

        Move-ADObject -Identity $user -TargetPath "OU=SeparatedEmployees,DC=domainname,DC=org"
    }
  • Dan Sadler

    So the top part of my script is still good? Would that part search the tobeseperated OU only and then perform the rest?

     

    import-module activedirectory 
    $users=get-aduser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname,memberof |select samaccountname, @{n='MemberOf'; e= { ( $_.memberof | % { (Get-ADObject $_).Name }) -join "," }}

  • Stephen Valdinger

    In looking at it a little closer I did see one thing in that top part that would cause you grief. You're going to want to use this for your Get-ADUser call:

    get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
    Select-Object samaccountname, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}
     
    That -Filter * parameter is important, otherwise it is going to throw an error at you cause you are not technically specifying *anything* to search FOR, just WHERE to search, and WHAT to return. 
     
    Let me know 
  • Dan Sadler

    It's almost there. It does everything except disable the user, and it errors out at the move part. I'm going back through to make sure I didn't mistype something.

     

     

    #import AD module - search the tobeseperated OU - Disable the account - Copy Members of to Description Field - Move user to Seperated Users OU

    import-module activedirectory
    get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
    Select-Object samaccountname, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

    #set description
    Foreach ($user in $users)
    {

    Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

    # Remove From all the Groups
    Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False

    Move-ADObject -Identity $user -TargetPath "OU=Separated Employees,DC=safy,DC=org"

    }

  • Steven Stoddard

    Hey Dan, I don't have the Active Directory module installed on the computer that I am trying this on, so I couldn't fully test it. I believe I have the few additions to get the script working like you want. Take a look and see what you think of it.

     

    import-module activedirectory
    # distinguishedName is kept in the selection so Move-ADObject below has an identity to act on
    $users = get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
    Select-Object samaccountname, distinguishedName, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}

    #set description
    Foreach ($user in $users) {

    Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"

    # Remove From all the Groups
    Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False

    ###Disable account and move to Separated OU
    Disable-ADAccount $user.samaccountname
    Move-ADObject -Identity $user.distinguishedName -TargetPath "OU=Separated Employees,DC=safy,DC=org"

    }
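An added example, not code from any of the posters above: the same offboarding flow written so it can be dry-run, removes only the memberships listed in each user's memberOf attribute, and leaves a per-user audit record. The parameter names and `$LogPath` are assumptions made for illustration; the OU paths are the placeholders used in the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Parameter names and $LogPath are assumptions; OU paths are the thread's placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SourceOU = 'OU=tobeseperated,DC=domainname,DC=org',
    [string]$TargetOU = 'OU=SeparatedEmployees,DC=domainname,DC=org',
    [string]$LogPath  = '.\offboarding-log.csv'
)

# Keep the full ADUser objects (no Select-Object) so DistinguishedName is still available.
$users = Get-ADUser -Filter * -SearchBase $SourceOU -Properties MemberOf

$results = foreach ($user in $users) {
    $status = 'OK'
    $groupNames = @()
    try {
        # Disable first, so a later failure never leaves an enabled account behind.
        Disable-ADAccount -Identity $user -ErrorAction Stop

        # Record the group names before the memberships are removed.
        $groupNames = @($user.MemberOf | ForEach-Object { (Get-ADObject -Identity $_ -ErrorAction Stop).Name })
        Set-ADUser -Identity $user -Description "Was a member of :- $($groupNames -join ',')" -ErrorAction Stop

        # Touch only the groups listed in memberOf instead of every group in the domain.
        # The primary group (normally Domain Users) is not listed there, so it is left alone.
        if ($user.MemberOf.Count -gt 0) {
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $user.MemberOf -Confirm:$false -ErrorAction Stop
        }

        # Move last: the DistinguishedName changes once the object is in the new OU.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
    }
    catch {
        $status = "FAILED: $($_.Exception.Message)"
    }

    # One audit row per user, including whether this was a dry run.
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Groups         = $groupNames -join ';'
        Status         = $status
        WhatIf         = [bool]$WhatIfPreference
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results
```

Running the script with `-WhatIf` first prints what each AD cmdlet would change without modifying any account.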