Please Help: Can't Get Move-ADObject to work


This topic contains 7 replies, has 3 voices, and was last updated by js (Participant) 2 months ago.

  • #114363

    Participant
    Points: 23
    Rank: Member

    Hello,

    Please help. The guys on this site have been awesome and I really appreciate all of your help, but I have 1 more issue. My script works almost perfectly, but I can't get one thing to work, and that's Move-ADObject. The script does everything I need it to but move the ADUser to the Disabled Users OU. Here's my script.

    Import-Module ActiveDirectory
    $users= Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"

    $DisabledDate = Get-Date
    $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
    $DisabledBy = Get-ADUser "$env:username" -properties Mail
    $DisabledByEmail = $DisabledBy.Mail
    $LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com' -Properties * | Select-object -Expand SamAccountName

    $TargetOU = "ou=Disabled Users,dc=xxx,dc=com"

    foreach ($user in $users)
    {
        $SamAccountName = $User.SamAccountName

        Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
        $ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

        If ($LegalHoldUser -contains $User.SamAccountname)
        {
            Remove-ADPrincipalGroupMembership -Identity $($User.SamAccountname) -MemberOf $ADgroups.SamAccountName -Confirm:$false

            Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

            Disable-ADAccount -Identity $($User.SamAccountname)
        }
        else
        {
            Remove-ADPrincipalGroupMembership -Identity $($User.SamAccountname) -MemberOf $ADgroups.SamAccountName -Confirm:$false

            Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

            Get-ADUser -Identity $User.SamAccountName | Move-ADObject -targetpath $TargetOU

            Disable-ADAccount -Identity $($User.SamAccountname)
        }
    }

    
    This is the error I'm getting:
    
    The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
        + CategoryInfo          : InvalidArgument: (CN=Adam Abston,...DC=xxx,DC=com:PSObject) [Move-ADObject], ParameterBindingException
        + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
        + PSComputerName        : GGPDC01
  • #114393
    Kaj

    Participant
    Points: 1
    Rank: Member

    Looking at the -Identity Parameter, we can see that it does accept pipeline input (ByValue), but it does not appear to support SamAccountName. "or the input and its properties do not match any of the parameters that take pipeline input."

    Perhaps try either .DistinguishedName or .ObjectGUID

    Get-ADUser $User.DistinguishedName | Move-ADObject -TargetPath $TargetOU

    -Identity
    Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.

    Distinguished Name

    Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com

    GUID (objectGUID)

    Example: 599c3d2e-f72d-4d20-8a88-030d99495f20

    The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

    This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

    Derived types, such as the following are also accepted:

    Microsoft.ActiveDirectory.Management.ADGroup

    Microsoft.ActiveDirectory.Management.ADUser

    Microsoft.ActiveDirectory.Management.ADComputer

    Microsoft.ActiveDirectory.Management.ADServiceAccount

    Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy

    Microsoft.ActiveDirectory.Management.ADDomain

    This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance".

    -Identity $ADObjectInstance

    Required? true
    Position? 1
    Default value
    Accept pipeline input? True (ByValue)
    Accept wildcard characters? false

    • #114396

      Participant
      Points: 23
      Rank: Member

      Hi Kaj,

      Thanks for responding. I tried both the ObjectGUID and the .DistinguishedName, but I'm still getting the same error.

  • #114403
    Kaj

    Participant
    Points: 1
    Rank: Member

    Hey Frederick,

    There will be a lot here, but later today I can piece this all together in a nicer format.

    I noticed when I ran the script the $User did not contain a value so I made this change to call upon the header in the csv.

    I also ran into an error at Remove-ADPrincipalGroupMembership, "Cannot validate argument on parameter 'MemberOf'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.".

    I have gotten around this previously by running a foreach loop with the group memberships. I have attached an example from another script I wrote last year.

    [CmdletBinding()]
    
        Param (
    
            [Parameter(Mandatory=$True,
                       ValueFromPipeline=$True,
                       ValueFromPipelineByPropertyName=$True,
                       HelpMessage="Provide an Active Directory User.")]
                       
                [string]$Target,
    
            [Parameter(Mandatory=$True,
                       ValueFromPipeline=$True,
                       ValueFromPipelineByPropertyName=$True,
                       HelpMessage="Provide one or multiple Active Directory User(s).")]
                
                [string[]]$ADUser
            
    
    
    
        )
    
        Begin {
        
            Write-Verbose "Importing Module ActiveDirectory"
            Import-Module ActiveDirectory
    
            Write-Verbose "Preparing to export groups"
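            # Collect the target's groups, skipping any whose DN contains "Disabled".
            # -notlike only does a substring match when the pattern carries wildcards.
            $Export = Get-ADPrincipalGroupMembership -Identity $Target | Select distinguishedname | 
                Where-Object {$_.DistinguishedName -notlike '*Disabled*'}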
            
        } 
        
        Process {
        
               ForEach ($User in $ADUser) {
                    Write-Verbose "Preparing to purge $User of all ADGroups"
                    Get-ADPrincipalGroupMembership -Identity $User | ?{$_.DistinguishedName -notlike '*Domain*'} | 
                    % {Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $_ -Confirm:$False}
               }
    
               ForEach ($Group in $Export) {
                    Write-Verbose "Preparing to mirror $User to $Target"
                    Add-ADGroupMember $Group -Members $ADUser -Confirm:$False
               }
        
        } End {
    
            Write-Output "Purge Complete"
    
        }
    

    My CSV:

    Users
    Test.user.101
    Test.user.102

    $users= Import-Csv -Path .\FR.csv
    
    $DisabledDate = Get-Date
    $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
    $DisabledBy = Get-ADUser "$env:username" -properties Mail
    $DisabledByEmail = $DisabledBy.Mail
    $LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com'
    
    $TargetOU = "ou=Disabled Users,dc=xxx,dc=com"
    foreach ($user in $users)
    {
        $AdUser = Get-ADUser $User.Users

        Set-ADUser $AdUser -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
        $ADgroups = Get-ADPrincipalGroupMembership -Identity $AdUser | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

        If ($LegalHoldUser -contains $AdUser)
        {
            Remove-ADPrincipalGroupMembership -Identity $($AdUser) -MemberOf $ADgroups.SamAccountName -Confirm:$false

            #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser

            Disable-ADAccount -Identity $AdUser
        }
        else
        {
            Remove-ADPrincipalGroupMembership -Identity $($AdUser) -MemberOf $ADgroups.SamAccountName -Confirm:$false

            #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser

            Move-ADObject $AdUser -targetpath $TargetOU

            Disable-ADAccount -Identity $AdUser
        }
    }
    
  • #114421

    Participant
    Points: 23
    Rank: Member

    ok. Thanks. I really appreciate all your help. I have been trying to get this to work for weeks. I would love to see the nicer format you have. I'm new at powershell and I know my script is a mess.

  • #114441
    Kaj

    Participant
    Points: 1
    Rank: Member

    Hello Frederick,

    I had some time to go through and work the csv flow.  Since the purpose of this is to use a CSV, from my tests I was able to produce the desired results.

    Notations
    I commented out "DisabledUsers" since I did not create that group in my AD Environment
    A few additional items I would change:
    The check for the "Active Directory" Module
    Turn $LegalHoldOu, $TargetOU into parameters
    Turn "Ticket Number" into a parameter
    Add a Help File
    Better Error Handling

    This should get you off the ground running.

    CSV:
    Users
    -----
    Test.user.101
    Test.user.102
    test.user.103

    [cmdletbinding()]
    
        PARAM(
    
            [parameter( Mandatory=$True,
                        ValueFromPipeline=$False,
                        ValueFromPipelineByPropertyName=$False
                        )]
    
                    [string]$Path,
                    
    
                    
                    [switch]$LogErrors
                    )
    
    BEGIN {
    
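        Write-Debug $Path

        # Test-Path returns $false for a missing path instead of throwing,
        # so check its result rather than relying on Try/Catch.
        If (-not (Test-Path -Path $Path)) {

            Write-Warning "Unable to locate $Path"
            Exit
            }

        Try {

            # Import-Module throws when the module is missing;
            # Get-Module only lists modules that are already loaded.
            Import-Module ActiveDirectory -ErrorAction Stop
            }

        Catch {

            Write-Warning "Module is not currently installed"
            Exit
            }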
        
    }
    
    PROCESS {
    
        $Items = Import-csv $Path
        
        Foreach ($User in $Items) {
    
            Write-Debug $User
    
            $DisabledDate = Get-Date
            $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
            $DisabledBy = Get-ADUser "$env:USERNAME" -Properties Mail
            $DisabledByEmail = $DisabledBy.Mail
            $LegalHoldOU = "*ou=LegalHold,dc=xxx,dc=com*"
            $TargetOU =  "ou=Disabled Users,dc=xxx,dc=com"
    
            Write-Debug "OUTPUT:$DisabledDate,$LeaveDate,$DisabledBy,$DisabledByEmail,$LegalHoldOU"
    
            Try {
    
                Write-Debug $User
    
                $AdUser = Get-Aduser $User.Users
    
                Write-Debug $AdUser
                Write-Verbose "Attempting to Set $AdUser"
    
                Set-ADUser $AdUser -Description "Disabled by $DisabledBy on $DisabledDate per Ticket INC0065513"
                
                Write-Debug $AdUser.DistinguishedName
    
                    If ($AdUser.DistinguishedName -like $LegalHoldOU) {
                
                        Write-Verbose "$AdUser found in $LegalHoldOU"
                
                        Get-ADPrincipalGroupMembership -Identity $AdUser | ?{$_.DistinguishedName -notlike '*Domain*'} | % {Remove-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $_ -Confirm:$False}
                        #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser
                        Write-Verbose "Attempting to Disable $AdUser"
                        Disable-ADAccount -Identity $AdUser
                        }
    
                    else {
    
                        Write-Verbose "Non-Legalhold, preparing to remove memberships."
                        Get-ADPrincipalGroupMembership -Identity $AdUser | ?{$_.DistinguishedName -notlike '*Domain*'} | % {Remove-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $_ -Confirm:$False}
                        
    
                        #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser
    
                        Write-Verbose "Attempting to move $AdUser"
                        Write-Debug "$TargetOU"
                        Write-Debug $AdUser.DistinguishedName
                        
                        Move-ADObject $AdUser -TargetPath $TargetOU
    
                        Write-Verbose "Attempting to Disable $AdUser"
                        Disable-ADAccount -Identity $AdUser
                        }
    
                }
            
            
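            Catch {
    
                # Always surface the failure, so an account that was not disabled or moved is noticed
                Write-Warning "Failed to process $($User.Users): $_"
    
                if ($LogErrors) {
    
                        $Logging = "$AdUser $(Get-Date) $_"
                        $Logging | Out-File C:\Users\$Env:UserName\Documents\ErrorLog.txt -Append
                        Write-Warning "Logged to C:\Users\$Env:UserName\Documents\ErrorLog.txt"
            
                  }
    
            }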
    
            }
            }

    Output with -Verbose included
    #Removed Company OU Information

    VERBOSE: Attempting to Set CN=Test.User.101,"*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: CN=Test.User.101,"*ou=LegalHold,dc=xxx,dc=com*" found in "*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: Attempting to Disable CN=Test.User.101,OU=Sales,"*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: Attempting to Set CN=Test.User.102,"*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: CN=Test.User.102,"*ou=LegalHold,dc=xxx,dc=com*" found in "*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: Attempting to Disable CN=Test.User.102,"*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: Attempting to Set CN=Test.User.103,"*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: CN=Test.User.103,"*ou=LegalHold,dc=xxx,dc=com*" found in "*ou=LegalHold,dc=xxx,dc=com*"
    VERBOSE: Attempting to Disable CN=Test.User.103,"*ou=LegalHold,dc=xxx,dc=com*"

    #Different OU from $LegalHoldOU

    VERBOSE: Attempting to Set CN=Test.User.101,dc=xxx,dc=xxx
    VERBOSE: Non-Legalhold, preparing to remove memberships.
    VERBOSE: Attempting to move CN=Test.User.101,dc=xxx,dc=xxx
    VERBOSE: Attempting to Disable CN=Test.User.101,OU=Sales,dc=xxx,dc=xxx
    VERBOSE: Attempting to Set CN=Test.User.102,dc=xxx,dc=xxx
    VERBOSE: Non-Legalhold, preparing to remove memberships.
    VERBOSE: Attempting to move CN=Test.User.102,dc=xxx,dc=xxx
    VERBOSE: Attempting to Disable CN=Test.User.102,dc=xxx,dc=xxx
    VERBOSE: Attempting to Set CN=Test.User.103,dc=xxx,dc=xxx
    VERBOSE: Non-Legalhold, preparing to remove memberships.
    VERBOSE: Attempting to move CN=Test.User.103,dc=xxx,dc=xxx
    VERBOSE: Attempting to Disable CN=Test.User.103,dc=xxx,dc=xxx

  • #114474

    Participant
    Points: 23
    Rank: Member

    Hi Kaj,

    With a few modifications, this works great. You have probably saved my job. Thanks again for all your help.

  • #114477
    js

    Participant
    Points: 327
    Helping Hand
    Rank: Contributor

    Normally something like this should work, unless get-aduser isn't returning anything.

    get-aduser myuser | move-adobject -targetpath $ou
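
Added example (not part of the thread and not any poster's code): the error quoted in the first post reports the piped input as a plain `PSObject`, so this function avoids pipeline binding by passing the DistinguishedName string to `Move-ADObject -Identity`, disables the account before any other change, and re-reads the object to confirm the end state. The function name `Disable-AndMoveUser`, its parameters and the `-NoMove` switch (for the legal-hold branch) are hypothetical; the OU, group names and CSV path are the ones used in the thread.

```powershell
# Added example; Disable-AndMoveUser and its parameters are hypothetical names.
function Disable-AndMoveUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetOU,
        [string[]]$KeepGroups = @('Domain Users', 'DisabledUsers'),
        [switch]$NoMove   # legal-hold accounts stay in their OU, as in the thread
    )

    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    $dn   = $user.DistinguishedName

    # Disable first, so a failure in a later step never leaves the account enabled.
    Disable-ADAccount -Identity $dn -ErrorAction Stop

    # Remove memberships one group at a time; an empty list simply skips the loop
    # instead of passing $null to -MemberOf.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $dn |
        Where-Object { $KeepGroups -notcontains $_.Name })
    foreach ($group in $groups) {
        Remove-ADPrincipalGroupMembership -Identity $dn -MemberOf $group.DistinguishedName `
            -Confirm:$false -ErrorAction Stop
    }

    # Pass the DN as a string; this does not depend on the piped object's type.
    if (-not $NoMove) {
        Move-ADObject -Identity $dn -TargetPath $TargetOU -ErrorAction Stop
    }

    # The DN changes after a move, so re-read by GUID and report the end state.
    $after = Get-ADUser -Identity $user.ObjectGUID.ToString() -Properties MemberOf
    [pscustomobject]@{
        SamAccountName = $after.SamAccountName
        Disabled       = -not $after.Enabled
        InTargetOU     = $after.DistinguishedName -like "*,$TargetOU"
        MemberOfCount  = @($after.MemberOf).Count   # primary group is not listed here
    }
}

# Usage with the CSV layout from the first post (header: SamAccountName).
Import-Csv -Path 'C:\Output\DisableADUsers91718C.csv' | ForEach-Object {
    $name = $_.SamAccountName
    try   { Disable-AndMoveUser -SamAccountName $name -TargetOU 'ou=Disabled Users,dc=xxx,dc=com' }
    catch { Write-Warning "Offboarding $name failed: $($_.Exception.Message)" }
}
```

Each returned row can be exported and attached to the ticket; any row where `Disabled` is false, or where `InTargetOU` is false for a non-legal-hold account, needs a second look.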
    
