Calling POWERSHELL Gurus (non-pdq related)
I'm freshly learning more advanced PowerShell to help automate a few processes to make my life easier. Was hoping someone could critique/help with the following script.
My Goal - Move Separated Users to OU called tobeseperated - Powershell script kicks off - Looks in that OU - Disables the User - Copies the Members Of to the Description - Removes the Memberships (except domain users) and then moves the disabled account to the SeperatedEmployees OU. I think I have everything except the Move to the new OU.
import-module activedirectory
$users=get-aduser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname,memberof |select samaccountname, @{n='MemberOf'; e= { ( $_.memberof | % { (Get-ADObject $_).Name }) -join "," }}
#set description
Foreach ($user in $users)
{ Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"
# Remove From all the Groups
Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
}
-
You are pretty close! Drop this in your Foreach block, and it should take care of the move:
#set description
Foreach ($user in $users)
{
Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"
# Remove From all the Groups
Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
Move-ADObject -Identity $user -TargetPath "OU=SeparatedEmployees,DC=domainname,DC=org"
}
-
So the top part of my script is still good? Would that part search the tobeseperated OU only and then perform the rest?
import-module activedirectory
$users=get-aduser -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname,memberof |select samaccountname, @{n='MemberOf'; e= { ( $_.memberof | % { (Get-ADObject $_).Name }) -join "," }}
-
In looking at it a little closer I did see one thing in that top part that would cause you grief. You're going to want to use this for your Get-ADUser call:
get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof | Select-Object samaccountname, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}
That -Filter * parameter is important, otherwise it is going to throw an error at you cause you are not technically specifying *anything* to search FOR, just WHERE to search, and WHAT to return.
Let me know
-
It's almost there. It does everything except disable the user, and it errors out at the move part. I'm going back through to make sure I didn't mistype something.
#import AD module - search the tobeseperated OU - Disable the account - Copy Members of to Description Field - Move user to Seperated Users OU
import-module activedirectory
get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof |
Select-Object samaccountname, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}
#set description
Foreach ($user in $users)
{Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"
# Remove From all the Groups
Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
Move-ADObject -Identity $user -TargetPath "OU=Separated Employees,DC=safy,DC=org"
}
-
Hey Dan, I don't have the Active Directory module installed on the computer that I am trying this on, so I couldn't fully test it. I believe I have the few additions to get the script working like you want. Take a look and see what you think of it.
import-module activedirectory
# distinguishedName is kept in the selection so Move-ADObject below has an identity to act on
$users = get-aduser -Filter * -SearchBase "OU=tobeseperated,DC=domainname,DC=org" -Properties samaccountname, memberof | Select-Object samaccountname, distinguishedName, @{n = 'MemberOf'; e = { ($_.memberof | ForEach-Object { (Get-ADObject $_).Name }) -join "," }}
#set description
Foreach ($user in $users) {
Set-ADUser $user.samaccountname -Description "Was a member of :- $($user.memberof)"
# Remove From all the Groups
Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
###Disable account and move to Separated OU
disable-adaccount $user.samaccountname
Move-ADObject -Identity $user.distinguishedName -TargetPath "OU=Separated Employees,DC=safy,DC=org"
}
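A consolidated version of the workflow discussed in this thread, added here as an example and not code from any of the posters. It removes the user only from the groups listed in their own memberOf attribute instead of piping every group in the domain, and it supports -WhatIf for a dry run. The function name and parameter names are hypothetical; the OU paths are the placeholder values used in the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function and parameter names are hypothetical;
# the OU paths are the placeholder values from the thread.
function Invoke-SeparatedUserCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceOU = 'OU=tobeseperated,DC=domainname,DC=org',
        [string]$TargetOU = 'OU=SeparatedEmployees,DC=domainname,DC=org'
    )

    # -Filter * is required: -SearchBase only says where to look, not what to match.
    $users = Get-ADUser -Filter * -SearchBase $SourceOU -Properties MemberOf

    foreach ($user in $users) {
        $dn = $user.DistinguishedName
        # memberOf holds group DNs and does not include the primary group
        # (normally Domain Users), so that membership is left alone.
        $groupDns = @($user.MemberOf)
        $names = ($groupDns | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join ','
        $desc = "Was a member of :- $names"
        # The description attribute is capped at 1024 characters in the default schema.
        if ($desc.Length -gt 1024) { $desc = $desc.Substring(0, 1024) }

        if ($PSCmdlet.ShouldProcess($dn, 'Disable, record and strip groups, move')) {
            try {
                Disable-ADAccount -Identity $dn -ErrorAction Stop
                Set-ADUser -Identity $dn -Description $desc -ErrorAction Stop
                if ($groupDns.Count -gt 0) {
                    Remove-ADPrincipalGroupMembership -Identity $dn -MemberOf $groupDns `
                        -Confirm:$false -ErrorAction Stop
                }
                # Move last, by DN, so a failure above leaves the user in the source OU.
                Move-ADObject -Identity $dn -TargetPath $TargetOU -ErrorAction Stop
                [pscustomobject]@{ User = $user.SamAccountName; Groups = $names; Status = 'Moved' }
            }
            catch {
                [pscustomobject]@{ User = $user.SamAccountName; Groups = $names
                                   Status = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# Dry run first: reports what would change without touching the directory.
Invoke-SeparatedUserCleanup -WhatIf
```

Piping the returned objects to Export-Csv keeps a record of each account's prior group memberships outside the Description field.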