We want to have an automatic OU assignment in our ActiveDirectory.
I tried to use the Move-ADObject cmdlet. But since we want that every object which CN starts for example with "Notebook" to move in to the "Notebooks" OU I have to use some kind of a wildcard but I couldn't figure out how to do it yet.
The code I use (I know it doesn't work):
Move-ADObject CN=Notebook*,CN=Computers,DC=ivstlu,DC=ch -TargetPath 'OU=Notebooks,DC=ivstlu,DC=ch'
I would do something like this:
get-adcomputer -filter "name -like '*Notebook*'" -searchbase "CN=Computers,DC=contoso,DC=net" | move-adobject -targetpath "OU=Notebooks,DC=contoso,DC=net"
Related
I am kinda new to powershell and started a role in support. Working on a powershell script that will do the following things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
I think I can probalby change the "$TargetOU = OUPath" because the disabled users OU is never really going to change...if that's the issue then i'll feel like a dumby lol.
I am trying and failing to complete this! I don't know what is going wrong. Powershell isn't faulting out or anything it is just not executing?
Thank you for any help!
My code is here:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers"
Import-Csv "C:temp\DisableTest.csv" | ForEach-Object {
$samAccountName = $_."samAccountName"
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
Get-ADUser -Identity $samAccountName | Disable-ADAccount
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}
Need it to do four things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
You have several issues:
$TargetOU = "OU=DisabledUsers"
This should be the full distinguished name, so something like OU=DisabledUsers,DC=example,DC=com
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
The sytax here is messed up. You want to pipe (|) the results from Get-AdPrincipalGroupMembership into Where-Object, but you have braces ({). The closing brace at the end of the line is thus unnecessary. The Where-Object cmdlet also lets you simplify the syntax to something more readable, like Where Name -ne 'Domain Users'.
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
This should be Set-ADUser, which is explains why this isn't changing anything.
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
You haven't defined $UserDN, so it's not going to find the user. And as already mentioned , the target path should be the full distinguished name.
You're also looking up the account several times. Every time you pass just the username, it has to search for the account. As you have it, it would be searching for the account 5 times. You can avoid that (and speed things up) by calling Get-ADUser once and passing the result into each of the other commands.
And just for simplicity, you can omit -Identity since the first parameter is assumed to be the identity.
Putting everything together, it would look something like this:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers,DC=example,DC=com" #Change this to the real value
Import-Csv "C:temp\DisableTest.csv" | ForEach-Object {
$user = Get-ADUser $_."samAccountName"
Get-AdPrincipalGroupMembership $user | Where Name -ne 'Domain Users' | Remove-AdGroupMember -Members $user
Disable-ADAccount $user
Set-ADUser $user -Description "Disabled Per Request XXXX"
Move-ADObject $user -TargetPath $TargetOU
}
I'm trying to remove all computers from the wk_test security group and then add all the computers in the default 'Computers' container in AD to the (now-empty) wk_test security group.
However, I don't want to export the computers to a list and then import them back into the security group.
I have the first part of the script working properly, and it removes the computers from the wk_test group with no errors. My issue is adding the computers to the wk_test group from the "computers" container.
Remove-ADGroupMember "wk_test" -Members (Get-ADGroupMember "wk_test") -Confirm:$false
Add-ADGroupMember -Identity "wk_test" -Members (Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org") -filter*
I think the main problem is that I am attempting to copy from the computers container. Most of the advice on the internet refers to copying from an OU and not a container.
The Add-ADGroupMember documentation says:
You cannot pass user, computer, or group objects through the pipeline to this cmdlet.
Which I think is what you are trying to do.
I've used this method before to add computers from an OU to a group:
Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -Filter * | foreach {Add-ADGroupMember "wk_test" -Members $_.DistinguishedName }
But I think you could also modify your code like this, but I've not tested this as I'm not on domain at the moment.
$Computers = Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -filter* | select -ExpandProperty DistinguishedName
Add-ADGroupMember -Identity "wk_test" -Members $Computers
If you are moving them, why not use Move-ADObject.
So it would be:
Get-ADGroupMember "wk_test" | Move-ADObject -TargetPath <ou path>
Using the command line, how can I:
Move a user to a new Organizational Unit?
Get the current Organizational Unit of a user?
Get-ADUser UserName | Move-ADObject -TargetPath (Get-ADOrganizationalUnit -Filter "Name -eq 'Your OU Name'")
Get-ADUser UserName | Select DistinguishedName
This may help you: Move Active Directory users with PowerShell
Use the ActiveDirectory-Module of Powershell:
Import-Module activedirectory
Move-ADObject -Identity "CN=John Doe,OU=Accounting,DC=Fabrikam,DC=com" -TargetPath "OU=NewOU,DC=Fabrikam,DC=com"
See: http://go.microsoft.com/fwlink/p/?linkid=291059
And:
Import-Module activedirectory
Get-ADUser -Identity foobar|FT DistinguishedName
See: https://technet.microsoft.com/library/251aa5e1-8d5d-4eda-82b5-f0092b44ec3f%28v=wps.630%29.aspx
In the second example you need to do some string handling to get the OU
I have an online learning management system with most of its data in sql server but its page structure and contents in an AD LDS instance. I have a few classes which have already been set up with 50 pages called "Unused Portfolio 01" through "Unused Portfolio 50". These are their displaynames. Their CNs are "Portfolio 01" through "Portfolio 50".
I need to change the displaynames to each have a different student's name, in the format "Last, First". I am trying to use Active Directory Module for Windows Powershell. Right now I am on a test server trying to make this work for just a few pages. I can't manage to change more than one displayname at a time.
I can get a list of the objects for these pages:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US'
I get the distinguishedname, name, objectclass, and objectguid for all three expected objects and no unexpected objects. Great.
I can change any one object's displayname at a time:
set-adobject -Server localhost:389 -identity "CN=Portfolio 01,CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US" -displayname "testing"
The specified object has its displayname changed to "testing". Awesome.
I'm trying to use this to change all of the displaynames for these three objects to "testing" at once, and obviously I have something wrong because it is not working:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object 'set-adobject -Server localhost:389 -identity $_ -displayname "testing"'
The ultimate goal is that I will have a csv file (which I will have gotten from an sql query from the sql server) containing a "number" column 01 to 50, a "lastname" column, and a "firstname" column, and I will change each page's display name to match ", " for each student, but I'm not at that point yet.
Thanks for any help you can offer.
Foreach-Object uses a script block and not a string, so use:
something | Foreach-Object {Do something with $_}
This might be due to the fact that $_ contains an object and not its DN. $_.DistinguishedName. Also what ojk says
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object {set-adobject -Server localhost:389 -identity $_.DistinguishedName -displayname "testing"}
I'm trying to remove all the principal group memberships starting with the name of all computer accounts in one specific ou.
I've tried browsing to the OU with the AD provider, typing gci and getting a list of all the computers in the ou to find their ADPrincipalGroupMembership which works. Also, using get-adcomputer -searchbase <ou> -filter * works too. But I can't then remove every group that each machine is a member of.
When I then try to expand on that with remove-ADPrincipalGroupMembership, my input for the groups to remove are system.string and remove-ADPrincipalGroupMembership won't accept that. I have something like this so far/
Get-ADComputer -SearchBase 'OU=blahblah' -Filter * |
Remove-ADPrincipalGroupMembership -MemberOf (Get-ADGroup -Filter 'name -like "17"')
I've read help and examples but I can't find how to do this. I don't want to give up and just use the gui :)
thank you
You can try this...I am not able to test it to confirm it works, but I think it should.
$Comps = Get-ADComputer -SearchBase 'OU=blahblah' -Filter * -Prop MemberOf
Foreach ($Comp in $Comps)
{
$Groups = $Comp.MemberOf | ? {$_ -like "CN=17*"}
if ($Groups)
{
Remove-ADPrincipalGroupMembership -Identity $Comp -MemberOf $Groups -Whatif #-Confirm $False
}
}
Assuming it works with the -whatif statement, by default I believe that command will prompt you if you're sure about each removal which could be a pain so you could uncomment -confirm $false to try and avoid that.
Also it is assuming the distinguished name of each group is going to be something along the lines of
CN=17groupA,OU=Computer Groups,OU=Computer,DC=TEST,DC=NET