PowerShell: Automating AD Bulk User Movement between OUs

Introduction

One of the basic administrative tasks of Active Directory admins is organizing users into OUs for easier management. Users are placed into containers according to region, branch office, department, job description, and so on. This structure allows GPOs to be applied at different levels of the OU hierarchy.

As simple as this task may be, it can be a pain in the neck when you have many users to move across OUs because of job rotation or any other reason.

Windows PowerShell Cmdlets

The Move-ADObject cmdlet can move any AD object across OUs. It takes two required parameters:

  1. -Identity
  2. -TargetPath

Drawback of the Move-ADObject Cmdlet

The two required parameters of the Move-ADObject cmdlet, Identity and TargetPath, only accept an object's distinguished name (DN) or GUID, not its friendly name.

Get-Help Move-ADObject -Full

Excerpts from running Get-Help Move-ADObject:

-Identity <ADObject>

Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.

Required?                    true

Position?                    1

Distinguished Name
       Example: CN=saradavis,OU=users, OU=asia, DC=corp, DC=contoso, DC=com

GUID (objectGUID)
       Example: 599c3d2e-f72d-4d20-8a88-030d99495f20

------------------------------------------------------

-TargetPath <string>

Specifies the new location for the object. This location must be the path to a container or organizational unit.

    Required?                    true

    Position?                    2

The following example shows how to specify a target path by providing the distinguished name.

      -TargetPath "ou=sales,dc=corp,dc=contoso,dc=com" 

Move-BulkADUser

This script moves the AD users listed in a CSV file to a specified container or organizational unit without requiring you to supply a DN or object GUID.

Download – Move-BulkADUser.ps1

Move-BulkADUser extends the Microsoft cmdlet to accept:

  1. Identity - the samAccountName attribute of a user as the Identity parameter
  2. TargetPath - the descriptive name of the container or organizational unit (OU), e.g. specify "Users" instead of "CN=Users, DC=Domain, DC=COM"


Code breakdown

The script imports the user list from a CSV file in the following format (a header row named SamAccountName followed by one account per line):

SamAccountName
MartiV
SamoY
OpemipoJ



Import-Module ActiveDirectory                        # provides Get-ADUser, Get-ADOrganizationalUnit and Move-ADObject
$FilePath = Join-Path $PSScriptRoot 'UserList.csv'   # CSV next to the script, not the caller's current directory
$Users = Import-Csv $FilePath | Select-Object -ExpandProperty SamAccountName
# Resolve the OU's descriptive name to its DN; -Filter is evaluated on the domain controller instead of pulling every OU
$TargetOU_DN = Get-ADOrganizationalUnit -Filter "Name -eq '$TargetOU'" | Select-Object -ExpandProperty DistinguishedName

Note: the CSV file must be in the same folder as the script and be named UserList.csv.

Parameter definition:

TargetOU - a required parameter that identifies the target OU by the descriptive name of the container or OU.

[CmdletBinding()]
param (
    [Parameter(Position=0, Mandatory=$True, HelpMessage='Specify the target OU name, not its DN')]
    [string]$TargetOU
)



Move object: this segment is split into two steps inside the foreach loop.

  1. Using the provided SamAccountName, get the DN of the user.
  2. Move the AD object.

foreach ($user in $Users) {
    # 1. Resolve the SamAccountName to the user's DN (Get-ADUser accepts a sAMAccountName as -Identity)
    $User_DN = Get-ADUser -Identity $user | Select-Object -ExpandProperty DistinguishedName
    Write-Host "Moving user '$user' ($User_DN) to OU '$TargetOU' (DN = $TargetOU_DN)"
    # 2. Move the object; -PassThru emits the moved object so the log actually receives a row, and -Append keeps earlier rows
    Move-ADObject -Identity $User_DN -TargetPath $TargetOU_DN -Verbose -PassThru |
        Export-Csv -Path MoveADUserLogs.txt -Append -NoTypeInformation
}
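The following is a complete version of the workflow this breakdown describes (parameter block, OU name-to-DN resolution, per-user move and log), written here as an added example and not the post's own Move-BulkADUser.ps1. It assumes the ActiveDirectory RSAT module, a CSV with a SamAccountName column named UserList.csv beside the script, and a log file MoveADUserLogs.csv; those file names and the -CsvPath/-LogPath parameters are assumptions of this example. It goes beyond the post's script in three ways: it refuses to run when the OU name matches more than one OU (OU names are only unique among siblings, and landing accounts in the wrong OU silently changes which GPOs and delegated permissions apply to them), it supports -WhatIf for a dry run, and it keeps going past a bad row while recording the outcome of every row.

```powershell
<#
.SYNOPSIS
  Move-BulkADUser-Example.ps1 - move the AD users listed in a CSV into an OU given by its name.
  Added example, not the post's original script. UserList.csv, MoveADUserLogs.csv and the
  -CsvPath/-LogPath parameters are assumptions. Requires the ActiveDirectory module (RSAT).
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
param (
    [Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Target OU name (not its DN)')]
    [string]$TargetOU,

    # Assumed default: CSV with a SamAccountName column sitting next to the script
    [string]$CsvPath = (Join-Path $PSScriptRoot 'UserList.csv'),

    # Assumed default: per-row outcome log written next to the script
    [string]$LogPath = (Join-Path $PSScriptRoot 'MoveADUserLogs.csv')
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- Resolve the OU name to exactly one DN -------------------------------------
# A name such as "Users" may exist under several parents. Refuse to guess: moving
# accounts into the wrong OU changes the GPOs and delegated ACLs that apply to them.
$ouMatches = @(Get-ADOrganizationalUnit -Filter "Name -eq '$TargetOU'")
if ($ouMatches.Count -eq 0) {
    throw "No OU named '$TargetOU' was found."
}
if ($ouMatches.Count -gt 1) {
    $list = ($ouMatches.DistinguishedName) -join "`n  "
    throw "OU name '$TargetOU' is ambiguous; pass a more specific name. Matches:`n  $list"
}
$TargetOU_DN = $ouMatches[0].DistinguishedName

# --- Load the user list ----------------------------------------------------------
$Users = Import-Csv -Path $CsvPath | Select-Object -ExpandProperty SamAccountName |
         Where-Object { $_ -and $_.Trim() }          # skip blank rows
if (-not $Users) { throw "No SamAccountName values found in $CsvPath" }

# --- Move each user, recording the outcome per row ------------------------------
$results = foreach ($sam in $Users) {
    $record = [pscustomobject]@{
        Timestamp      = (Get-Date).ToString('s')
        SamAccountName = $sam
        SourceDN       = $null
        TargetOU       = $TargetOU_DN
        Status         = $null
        Message        = $null
    }
    try {
        # Get-ADUser accepts a sAMAccountName directly as -Identity
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        $record.SourceDN = $user.DistinguishedName

        # Strip the leading RDN (handling escaped commas such as "CN=Doe\, John") to get the parent DN
        $parentDN = $user.DistinguishedName -replace '^CN=(?:\\.|[^,\\])+,', ''

        if ($parentDN -eq $TargetOU_DN) {
            # Already there: nothing to do, but log it so the run stays auditable
            $record.Status = 'Skipped'; $record.Message = 'Already in target OU'
        }
        elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetOU_DN")) {
            # -PassThru returns the moved object; without it Move-ADObject emits nothing
            $moved = Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU_DN -PassThru -ErrorAction Stop
            $record.Status = 'Moved'; $record.Message = $moved.DistinguishedName
        }
        else {
            $record.Status = 'WhatIf'; $record.Message = 'Not moved (-WhatIf or declined at prompt)'
        }
    }
    catch {
        # One bad row (typo, missing account, access denied) must not abort the whole batch
        $record.Status = 'Failed'; $record.Message = $_.Exception.Message
    }
    Write-Verbose "$($record.SamAccountName): $($record.Status) - $($record.Message)"
    $record
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
# Short summary on the console, e.g. "Moved 12", "Skipped 1", "Failed 2"
$results | Group-Object Status | ForEach-Object { '{0,-8} {1}' -f $_.Name, $_.Count }
```

Run it first as `.\Move-BulkADUser-Example.ps1 -TargetOU Sales -WhatIf -Verbose` to see which accounts would move and into which DN; the log then records every row as WhatIf rather than Moved. Because ConfirmImpact is Medium, a normal run does not prompt per user, but `-Confirm` still gives you a per-account prompt when you want one.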
