
April 24, 2014 at 12:06 pm

Here's my scenario: we currently have OUs based on the locations of our facilities, and we also have a sub-OU(?) underneath it for users that need a group policy applied to them that whitelists the applications allowed to run. From time to time we need to pull users out of that sub-OU for a short period of time to let them run applications they normally wouldn't be able to and won't need to run long term. Sometimes we also forget to add these people back into that policy-controlled sub-OU because we get busy doing other things. Server is 2008 R2.

Here's what I'm looking for: a script that prompts for the user's name, pulls that user out of the sub-OU, and puts them in the main OU, but only for 24 hours. After that time limit is up, a script/command runs that puts the user back in the policy-controlled sub-OU. I'm thinking a PS script would be the best way to do this.

Research: Looking at these posts here and here I'm thinking I should be able to Frankenstein something together but I have very limited PS scripting experience.

Can anyone help me create this?

April 24, 2014 at 12:46 pm

Your task breaks down into 2 parts.

First part – move the user from the sub-OU to the OU
Second part – move the user back.

If you try to do this in one script it means you have a process running for 24 hours. Even if you run the script through a PowerShell job you will have to leave the job running for 24 hours. What happens to your user if that process or job is terminated? The object is left in the wrong OU.

I'd split the processing.
1) Write a script that you can run on demand to move the user between OUs.
2) Write a script to move the user back. Make this run through a scheduled task. Get this script to check the modification date of the user object, and anything that was modified more than 24 hours ago is moved back. You may get the odd account staying in the OU for too long if another modification is performed, e.g. a password reset, but it should be infrequent.

Alternatively, get your first script to write the userid to a text file together with the time. Get script 2 to read that file and move anything back to the original OU once its time has expired. Remember to clean up the file.

Hope these ideas help – if you want help with specifics please let me know

April 24, 2014 at 12:47 pm

What bits are you stuck on?

I mean, prompt for user name – easy. Save user name, original OU, and date/time to a CSV file, easy. Move the user, easy. Write a second script that runs every x hours, reads that file, and moves anyone who's "expired"... straightforward.

Happy to help, but you'll have to give us a starting point...
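The two-part approach the replies describe (on-demand move logged to a CSV, plus a scheduled revert), written out as an added example that is not from any poster in this thread. It assumes the ActiveDirectory module (RSAT) is available, that `Export-Csv -Append` is available (PowerShell 3.0 or later), and uses hypothetical values for the log path and the main OU's distinguished name; the user's original sub-OU is taken from their DN so it does not need to be hard-coded.

```powershell
# Added example, not code from the thread. Assumed values below; replace them.
Import-Module ActiveDirectory

$ExemptionLog = 'C:\Scripts\TempExemptions.csv'         # assumed log path
$MainOU       = 'OU=Users,OU=SiteA,DC=example,DC=com'   # assumed main OU DN
$TtlHours     = 24                                      # exemption lifetime

# Part 1: run on demand. Records who was moved, from where and when, then moves them.
function Grant-TemporaryExemption {
    $name = Read-Host 'sAMAccountName of the user to exempt'
    $user = Get-ADUser -Identity $name -ErrorAction Stop
    # Original container = the DN with its leading "CN=..." component removed
    # (split on the first comma that is not escaped with a backslash).
    $sourceOU = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        SourceOU       = $sourceOU
        MovedAt        = (Get-Date).ToString('o')       # round-trip timestamp
    } | Export-Csv -Path $ExemptionLog -Append -NoTypeInformation
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $MainOU -ErrorAction Stop
    Write-Host "Moved $($user.SamAccountName) to $MainOU; reverts after $TtlHours h."
}

# Part 2: run from a scheduled task (e.g. hourly). Returns expired users to the
# OU they came from and drops their entries so the log never grows unbounded.
# Entries that fail to move are kept so the next run retries them.
function Revoke-ExpiredExemptions {
    if (-not (Test-Path $ExemptionLog)) { return }
    $cutoff = (Get-Date).AddHours(-$TtlHours)
    $keep = foreach ($e in (Import-Csv -Path $ExemptionLog)) {
        if ([datetime]$e.MovedAt -gt $cutoff) { $e; continue }   # not yet expired
        try {
            $user = Get-ADUser -Identity $e.SamAccountName -ErrorAction Stop
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $e.SourceOU -ErrorAction Stop
            Write-Host "Returned $($e.SamAccountName) to $($e.SourceOU)"
        } catch {
            Write-Warning "Could not return $($e.SamAccountName): $_ (will retry)"
            $e
        }
    }
    if ($keep) { $keep | Export-Csv -Path $ExemptionLog -NoTypeInformation }
    else       { Remove-Item -Path $ExemptionLog }
}
```

Run the revert function under an account that can move objects between both OUs, and keep the CSV somewhere only that account and the admins who grant exemptions can write, since its SourceOU column decides where users end up.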