Powershell: Automating AD Bulk Users Movement between OUs
Introduction
One of the basic administrative tasks of Active Directory admins is organizing users into OUs for easier user management. Users are grouped into containers by region, branch office, department, job description and so on, and this structure allows GPOs to be applied at the different levels of the OU tree.
As simple as this task is, it can be a pain in the neck when you have bulk users to move across OUs because of job rotation or any other reason.
Windows Powershell CMDLETS
The Move-ADObject cmdlet can move any AD object across OUs. Its two required parameters, described in the help excerpt below, are:
- -Identity
- -TargetPath
Drawback of the Move-ADObject Cmdlet
The two required parameters of Move-ADObject, Identity and TargetPath, only accept object DNs or GUIDs, not friendly names.
Get-Help Move-ADObject -Full
Excerpts from running Get-Help Move-ADObject:
-Identity <ADObject>
Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.
Required? true
Position? 1
Distinguished Name
Example: CN=saradavis,OU=users, OU=asia, DC=corp, DC=contoso, DC=com
GUID (objectGUID) Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
------------------------------------------------------
-TargetPath <string>
Specifies the new location for the object. This location must be the path to a container or organizational unit.
Required? true
Position? 2
The following example shows how to specify a target path by providing the distinguished name.
-TargetPath "ou=sales,dc=corp,dc=contoso,dc=com"
Move-BulkADUser
This script moves bulk AD users listed in a CSV file to a specified container or organizational unit without requiring the DN or object GUID of either.
Download – Move-BulkADUser.ps1
Move-BulkADUser extends the Microsoft cmdlet to accept:
- Identity - the samAccountName attribute of a user as the Identity parameter
- TargetPath - the descriptive name of the container or organizational unit (OU), e.g. specify "Users" instead of "CN=Users,DC=Domain,DC=COM"
Code breakdown
The script imports the user list from a CSV file in the format below (a single SamAccountName column):
SamAccountName
MartiV
SamoY
OpemipoJ
# UserList.csv is expected in the same folder as the script
$FilePath = ".\UserList.csv"
# Only the SamAccountName column is needed
$Users = Import-Csv $FilePath | Select-Object -ExpandProperty SamAccountName
# Resolve the descriptive OU name to its DN. Get-ADOrganizationalUnit is the ActiveDirectory module
# cmdlet (the original used Exchange's Get-OrganizationalUnit). -eq matches the name exactly, and if
# several OUs share that name this returns more than one DN.
$TargetOU_DN = Get-ADOrganizationalUnit -Filter * | Where-Object {$_.Name -eq $TargetOU} | Select-Object -ExpandProperty DistinguishedName
Note: the CSV file should be in the same folder as the script and named UserList.csv.
Parameter Definition:
TargetOU - a required parameter that defines the target OU by the descriptive name of the container or OU.
[CmdletBinding()]
param (
    [Parameter(Position=0,Mandatory=$True,HelpMessage='Specify the target OU Name // Not DN')]
    [string]$TargetOU
)
Move Object: the segment inside the foreach loop is broken into two steps:
- using the provided SamAccountName, get the DN of the user;
- move the AD object.
foreach ($user in $Users) {
    # Step 1: resolve the samAccountName to the user's DN
    $User_DN = Get-ADUser $user | Select-Object -ExpandProperty DistinguishedName
    Write-Host "Moving user '$user' ($User_DN) to OU '$TargetOU' (DN = $TargetOU_DN)"
    # Step 2: move the object. -PassThru returns the moved object (Move-ADObject outputs nothing
    # otherwise, so the log would stay empty), and -Append keeps one log line per user instead
    # of overwriting the file on every iteration.
    Move-ADObject -Identity $User_DN -TargetPath $TargetOU_DN -PassThru -Verbose |
        Export-Csv -Path MoveADUserLogs.txt -Append
}
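As an added example (this is not the article's Move-BulkADUser.ps1; the script name and the log file name are hypothetical), here is the complete procedure from the code breakdown above, from importing the list through resolving the OU name to the move loop, with the checks an administrator would want before a bulk change: the OU name lookup refuses an ambiguous name instead of moving users into whichever same-named OU came back first, accounts that are not in the directory are logged and skipped rather than aborting the batch, users already in the target OU are left alone, every processed user gets a log line, and -WhatIf rehearses the whole run without moving anything. It assumes the ActiveDirectory module, the same single-column CSV layout, and an account permitted to move the users.

```powershell
#Requires -Modules ActiveDirectory
<#
  Move-BulkADUser-Checked.ps1 (hypothetical file name; added example, not the article's script).
  Assumes the ActiveDirectory module, a CSV with a SamAccountName column, and an account that
  is allowed to move the users. -WhatIf rehearses the run without moving anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    [Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Target OU name (or its DN)')]
    [string]$TargetOU,

    # User list; defaults to UserList.csv in the current folder, as in the original script
    [string]$CsvPath = '.\UserList.csv',

    # One CSV line per processed user is appended here (hypothetical default name)
    [string]$LogPath = '.\MoveADUserLog.csv'
)

# Resolve a descriptive OU name to exactly one DN. OU names are not unique in a domain
# (every branch may have its own "Users" OU), so an ambiguous name is an error instead of
# a silent move into whichever OU happened to be returned first.
function Resolve-TargetOU {
    param([string]$Name)
    if ($Name -match '^(OU|CN)=') {
        # Caller already supplied a DN; just confirm that it exists
        return (Get-ADObject -Identity $Name -ErrorAction Stop).DistinguishedName
    }
    # The variable is handed to the filter, not interpolated into a filter string
    $hits = @(Get-ADOrganizationalUnit -Filter { Name -eq $Name })
    switch ($hits.Count) {
        0 { throw "No OU named '$Name' was found." }
        1 { return $hits[0].DistinguishedName }
        default {
            $list = ($hits.DistinguishedName) -join "`n  "
            throw "OU name '$Name' is ambiguous; pass the DN instead. Matches:`n  $list"
        }
    }
}

# Parent container of a DN: strip the leading RDN, honouring escaped commas such as "CN=Smith\, John"
function Get-ParentDN {
    param([string]$DN)
    return ($DN -replace '^[^=]+=(?:\\.|[^,\\])+,', '')
}

if (-not (Test-Path -LiteralPath $CsvPath)) { throw "User list not found: $CsvPath" }
$rows = @(Import-Csv -LiteralPath $CsvPath)
if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains 'SamAccountName')) {
    throw "$CsvPath must contain a SamAccountName column with at least one row."
}

$targetDN = Resolve-TargetOU -Name $TargetOU
Write-Verbose "Target OU resolved to $targetDN"

$results = foreach ($row in $rows) {
    $sam = "$($row.SamAccountName)".Trim()
    if (-not $sam) { continue }                      # blank line in the CSV
    $sourceDN = $null
    try {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        $sourceDN = $user.DistinguishedName
        if ((Get-ParentDN $sourceDN) -eq $targetDN) {
            $status = 'AlreadyInTarget'              # nothing to do, do not touch the object
        } elseif ($PSCmdlet.ShouldProcess($sourceDN, "Move to $targetDN")) {
            Move-ADObject -Identity $sourceDN -TargetPath $targetDN -ErrorAction Stop
            $status = 'Moved'
        } else {
            $status = 'WhatIf'                       # -WhatIf rehearsal: nothing moved
        }
    } catch {
        # Unknown account, insufficient rights, protected object, etc.: record it and go on
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        $status = if ($sourceDN) { 'Failed' } else { 'NotFound' }
    }
    [pscustomobject]@{
        When           = (Get-Date).ToString('s')
        SamAccountName = $sam
        SourceDN       = $sourceDN
        TargetDN       = $targetDN
        Status         = $status
    }
}

# Append to the log so repeated runs keep their history, and show the summary on screen
$results | Export-Csv -LiteralPath $LogPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

Run it first as `.\Move-BulkADUser-Checked.ps1 -TargetOU Sales -WhatIf` to see the resolved target DN and the list of users that would move; the same command without -WhatIf performs the moves and appends one line per user to the log.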