Comparing CSV to AD LegalHold OU and then disabling User not in LegalHoldOU


This topic contains 7 replies, has 3 voices, and was last updated by Participant 1 month ago.

  • #112351

    Participant
    Points: 0
    Rank: Member

    Pleeeaaasseee Help Me. I have been working on a PowerShell script to compare a CSV file to my LegalHold OU. If the user in the CSV file matches a user in the LegalHold OU, then just disable the account, add them to the Disabled Users group, change the description field, and remove all the user's distribution groups except the Domain Users and Disabled Users groups. If the user in the CSV file does not match a user in the Legal Hold OU, then do all the things above, but also move the user to the Disabled OU. My script does all the above except move the user to the Disabled OU. I'm not sure if the If ($LegalHoldUser -eq $SamAccountName) statement is working, or even if it's correct. Please help. I have been working on this for 3 weeks with no answer. Here's the script:


    Import-Module ActiveDirectory

    $users = Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"
    $DisabledDate = Get-Date
    $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
    $DisabledBy = Get-ADUser "$env:username" -Properties Mail
    $DisabledByEmail = $DisabledBy.Mail
    $LegalHoldUser = Get-ADUser -Filter * -SearchBase 'ou=LegalHold,dc=mecca,dc=com' -Properties * | Select-Object SamAccountName
    $TargetOU = "ou=Disabled Users,dc=xxxx,dc=com"

    foreach ($user in $users)
    {
        $SamAccountName = $User.SamAccountName
        # Group membership has to be read per user, inside the loop; outside the loop
        # $User is not yet defined and $ADgroups would be empty.
        $ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | Where-Object { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

        Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC006551"
        If ($LegalHoldUser -eq $SamAccountName)
        {
            Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
            Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
            Move-ADObject -Identity $User.SamAccountName -TargetPath $TargetOU
            Disable-ADAccount -Identity $($User.SamAccountname)
        }
        else
        {
            Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
            Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
            Disable-ADAccount -Identity $($User.SamAccountname)
        }
    }


  • #112369

    Keymaster
    Points: 7
    Rank: Member

    It's really hard to follow code when you don't apply the code formatting tags to it, as indicated in the bulleted list right above the text box.

    I'm not sure if the If ($LegalHoldUser -eq $SamAccountName) statement is working.  Or even if it's correct.

    I'd suggest using a breakpoint, either in the ISE or VS Code, so that you can stop script execution and execute line-at-a-time. That's how you tell if an If construct is working. But no, it's not correct. If I'm reading your code correctly, $LegalHoldUser is potentially a collection of objects having a samAccountName property. So you're basically asking, "is this entire parking lot full of cars red?" PowerShell can't compare apples to apples, which is what you've asked.

    $LegalHoldUser = Get-ADUser -Filter * -SearchBase 'ou=LegalHold,dc=mecca,dc=com' -Properties * |
        Select-Object -ExpandProperty SamAccountName

    That should make $LegalHoldUser into a collection of strings. Then:

    If ($LegalHoldUser -contains $SamAccountName)

    Should work. -Eq means literal equality; you can't ask if a collection of things is "equal to" a single thing, because it never will be.

    See if that doesn't help a bit.

    • #112387

      Participant
      Points: 0
      Rank: Member

      Hi Don,

      I do apologize for not applying the code formatting. I'm guessing I was so frustrated with myself and this script that I didn't see it. Your tips above helped. The only thing not working now is the Move-ADObject. It says it cannot find an object with identity: ADam.Abston under DC=mecca,DC=com. I moved the Move-ADObject line under the "Else" statement just above the Disable-Account line.

      Import-Module ActiveDirectory
      $users = Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"
      $DisabledDate = Get-Date
      $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
      $DisabledBy = Get-ADUser "$env:username" -Properties Mail
      $DisabledByEmail = $DisabledBy.Mail
      $LegalHoldUser = Get-ADUser -Filter * -SearchBase 'ou=LegalHold,dc=mecca,dc=com' -Properties * | Select-Object -ExpandProperty SamAccountName
      $TargetOU = "ou=Disabled Users,dc=mecca,dc=com"

      foreach ($user in $users)
      {
          $SamAccountName = $User.SamAccountName
          # Group membership has to be read per user, inside the loop; outside the loop
          # $User is not yet defined and $ADgroups would be empty.
          $ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | Where-Object { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

          Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
          If ($LegalHoldUser -contains $SamAccountName)
          {
              Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
              Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
              Disable-ADAccount -Identity $($User.SamAccountname)
          }
          else
          {
              Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
              Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
              Move-ADObject -Identity $User.SamAccountName -TargetPath $TargetOU
              Disable-ADAccount -Identity $($User.SamAccountname)
          }
      }

  • #112390

    Participant
    Points: 0
    Rank: Member

    The identity parameter of Move-ADObject only accepts either DistinguishedName or ObjectGUID property values. You're trying to use SamAccountName so that's why PowerShell is telling you that it can't find the user. Changing "$User.SamAccountName" to either "$User.ObjectGUID" or "$User.DistinguishedName" should do the trick.

    else
    {
        Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
        Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
        # Move-ADObject resolves -Identity by DistinguishedName or ObjectGUID, not SamAccountName
        Move-ADObject -Identity $User.ObjectGUID -TargetPath $TargetOU
        Disable-ADAccount -Identity $($User.SamAccountName)
    }
    
    • #112399

      Participant
      Points: 0
      Rank: Member

      Hi Paul,

      Thx for your response, but no luck. I only have 3 names in my CSV file. The first one is in the LegalHold OU and the others are not. Do you think we need to declare the distinguished name as a variable like I did with $SamAccountName = $User.SamAccountname? The error I'm getting is:

      Move-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
      At line:20 char:31
      + Move-ADObject -Identity $User.DistinguishedName -targetpath $Ta ...
      + ~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidData: (:) [Move-ADObject], ParameterBindingValidationException
      + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

      Move-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
      At line:20 char:31
      + Move-ADObject -Identity $User.DistinguishedName -targetpath $Ta ...
      + ~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidData: (:) [Move-ADObject], ParameterBindingValidationException
      + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

  • #112402

    Keymaster
    Points: 7
    Rank: Member

    Frankly, I'd use Get-ADUser to get the user you want to move, and pipe that to Move-ADObject. Get-ADUser is more flexible for getting users.

    • #112427

      Participant
      Points: 0
      Rank: Member

      Don, I will give it a shot.

    • #112429

      Participant
      Points: 0
      Rank: Member

      Hi Don,
      BooYaaahh!!!! You were right. It now works. Now I just have to figure out why one of my 3 users didn't get his groups removed. The other two got their groups removed just fine. Once I figure that piece out, I'll have to apply this script to 1500 users.

      Import-Module ActiveDirectory
      $users = Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"
      $DisabledDate = Get-Date
      $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
      $DisabledBy = Get-ADUser "$env:username" -Properties Mail
      $DisabledByEmail = $DisabledBy.Mail
      $LegalHoldUser = Get-ADUser -Filter * -SearchBase 'ou=LegalHold,dc=mecca,dc=com' -Properties * | Select-Object -ExpandProperty SamAccountName
      $TargetOU = "ou=Disabled Users,dc=mecca,dc=com"

      foreach ($user in $users)
      {
          $SamAccountName = $User.SamAccountName
          # Group membership has to be read per user, inside the loop; outside the loop
          # $User is not yet defined and $ADgroups would be empty, so nothing is removed.
          $ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | Where-Object { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

          Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
          If ($LegalHoldUser -contains $SamAccountName)
          {
              Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
              Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
              Disable-ADAccount -Identity $($User.SamAccountname)
          }
          else
          {
              Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
              Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
              # Get-ADUser supplies the ADUser object (with its DistinguishedName) to Move-ADObject
              Get-ADUser $SamAccountName | Move-ADObject -TargetPath $TargetOU
              Disable-ADAccount -Identity $($User.SamAccountname)
          }
      }
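      The three points raised in the thread (Don's -contains against an expanded string collection, Paul's note that Move-ADObject -Identity wants a DistinguishedName or ObjectGUID, and the group lookup that must happen per user) pulled together in one pass over the CSV. This is an added example, not any poster's script; it assumes the ActiveDirectory module, a CSV with a SamAccountName column, and the OU paths, group names and ticket number quoted in the thread, and the $KeepGroups list and the try/catch around Get-ADUser are additions.

```powershell
# Added example (not the original poster's script). Assumes the ActiveDirectory module,
# a CSV with a SamAccountName column, and the OU paths / ticket number from the thread.
Import-Module ActiveDirectory

$CsvPath     = 'C:\Output\DisableADUsers91718C.csv'
$LegalHoldOU = 'OU=LegalHold,DC=mecca,DC=com'
$TargetOU    = 'OU=Disabled Users,DC=mecca,DC=com'
$KeepGroups  = @('Domain Users', 'DisabledUsers')   # memberships that survive offboarding
$Ticket      = 'INC0065513'
$DisabledBy  = Get-ADUser $env:USERNAME

# Fix 1: expand to a plain string collection so -contains works. -eq against a
# collection of ADUser objects never matches a single SamAccountName string.
$LegalHoldUsers = Get-ADUser -Filter * -SearchBase $LegalHoldOU |
    Select-Object -ExpandProperty SamAccountName

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.SamAccountName
    # Resolve the account once; -ErrorAction Stop turns "not found" into a catchable error
    try {
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    # Fix 2: group membership is looked up per user, inside the loop. Outside the loop
    # $User is undefined, $ADgroups is empty, and nothing gets removed.
    $groupsToRemove = Get-ADPrincipalGroupMembership -Identity $adUser |
        Where-Object { $KeepGroups -notcontains $_.Name }

    Set-ADUser -Identity $adUser -Description "Disabled by $($DisabledBy.Name) on $(Get-Date) per Ticket $Ticket"
    if ($groupsToRemove) {
        Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $groupsToRemove -Confirm:$false
    }
    Add-ADGroupMember -Identity 'DisabledUsers' -Members $adUser
    Disable-ADAccount -Identity $adUser

    if ($LegalHoldUsers -contains $sam) {
        # Accounts under legal hold stay in place so the hold OU keeps them discoverable
        Write-Verbose "$sam is under legal hold; left in $LegalHoldOU"
    } else {
        # Fix 3: Move-ADObject resolves -Identity by DistinguishedName or ObjectGUID.
        # Piping the ADUser object supplies that instead of a SamAccountName string.
        $adUser | Move-ADObject -TargetPath $TargetOU
    }
}
```

      Before running this against the 1500 accounts, add -WhatIf to the Set-, Remove-, Add-, Disable- and Move- calls for a dry run, and check that the CSV header is exactly SamAccountName, since a different header makes every $sam empty and every row is skipped.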
