Script not moving Active Directory Objects

This topic contains 10 replies, has 5 voices, and was last updated by Participant 2 months, 3 weeks ago.

  • #162756

    Participant
    Topics: 1
    Replies: 4
    Points: 23
    Rank: Member

    Hello PS Gurus,
    I have a PS script used to manipulate Active Directory accounts; it was working fine when running on one of our old Domain controllers (Win2008). However, we upgraded our DCs to Win2016 and decided to move this script to run on a separate Windows 2016 server. The main issue is that the script – which now runs on that separate server but invokes a session on the new DC – is no longer moving AD accounts to different OUs.
    -The log shows this error:
    "The input object cannot be bound to any parameters for the command either because the command does not take pipeline
    input or the input and its properties do not match any of the parameters that take pipeline input."
    – And here's the portion of the script that moves the AD account to a different OU but is not working:
    "Get-ADUser $Student.sAMAccountName | Move-ADObject -TargetPath "OU=Old,OU=Students,DC=CH,DC=MCC,DC=edu" -ErrorAction Continue -Confirm:$false"
    Searching online, it sounded like the Move-ADObject's -Identity switch (required) is not accepting the piped sAMAccount attribute value so the suggestions were to try with a different attribute such as Distinguished name, GUID, etc. However, none of these work.
    Appreciate your time and thanks in advance for any input!

  • #162764

    Participant
    Topics: 12
    Replies: 232
    Points: 466
    Helping Hand
    Rank: Contributor

    Well first does the $Student variable contain the correct info and does Get-ADUser command generate the desired output?

    If that becomes e.g. NULL then there is nothing to pipe to Move-ADObject.

    • #162768

      Participant
      Topics: 1
      Replies: 4
      Points: 23
      Rank: Member

      Fredrik –
      Thanks for your reply. Yes, the $Student variable has a value. The next line on the script is "$($Student.sAMAccountName) home moved at $Time " | out-file $logfile -append" . When I check the log file the $Student has been recorded.

    • #162863

      Participant
      Topics: 12
      Replies: 232
      Points: 466
      Helping Hand
      Rank: Contributor

      Well just because student has a value doesn't mean it's correct.
      E.g. "Hello world" is a value 🙂

      Just as kvprasson writes, does it contain the sAMAccountName property and does that sAMAccountName exist in the AD?
      If Get-ADUser doesn't find that user, it will error out, which will then cause the rest of that line to error out.

      When dealing with Get-ADuser and most other AD related commands in scripts you should do some error/exception handling.
      E.g.

      $user = Get-ADUser -Identity $Student.sAMAccountName
      
      if($null -ne $user.sAMAccountName){
          # Do whatever you need to do.
      }
      
    • #162888

      Participant
      Topics: 1
      Replies: 4
      Points: 23
      Rank: Member

      Yes, the AD object does contain the sAMAccountName property and the sAMAccountName exists. Moreover, some of the script actions are being successfully performed; for instance, the script is also supposed to remove group membership for the AD object/account and this is happening. So, the script correctly "finds" the object, successfully performs certain actions, but moving the object to a different OU is what's failing.

  • #162789

    Senior Moderator
    Topics: 8
    Replies: 1041
    Points: 3,439
    Helping Hand
    Rank: Community Hero

    Make sure the user is available in AD for each $student in the iteration.

    Get-AdUser -Identity $Student.sAMAccountName
    
    • #162887

      Participant
      Topics: 1
      Replies: 4
      Points: 23
      Rank: Member

      Thanks for your reply. I am not sure I follow your instructions, can you please clarify? thanks

    • #162962

      Senior Moderator
      Topics: 8
      Replies: 1041
      Points: 3,439
      Helping Hand
      Rank: Community Hero

      If there is no account in AD, that means no output from Get-AdUser, this can happen.

  • #162902

    Participant
    Topics: 2
    Replies: 3
    Points: 38
    Rank: Member

    I've been working on something similar. I removed the need for the pipe command, though, and it's been working for me.

    Move-ADObject -Identity (Get-ADUser $Student.sAMAccountName) -TargetPath "OU=Old,OU=Students,DC=CH,DC=MCC,DC=edu" -ErrorAction Continue -Confirm:$false

  • #163248

    Participant
    Topics: 1
    Replies: 4
    Points: 23
    Rank: Member

    All – thank you much for your input. I tried all the different suggestions and, unfortunately, none solved the problem. So, I ended up moving the script back to the new domain controller and it seems to be working now. Thanks again

  • #163509

    Participant
    Topics: 0
    Replies: 13
    Points: 43
    Helping Hand
    Rank: Member

    I don't have a Domain Controller to test the script right now. But try this:

    Get-ADUser $Student.sAMAccountName | ForEach-Object { Move-ADObject -Identity $_ -TargetPath "OU=Old,OU=Students,DC=CH,DC=MCC,DC=edu" -Confirm:$false }
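
A defensive version of the move step discussed in this thread, added here as an example and not posted by any participant: it looks the account up with `-ErrorAction Stop`, passes the DistinguishedName to `-Identity` as a plain string instead of piping the object, and logs the returned object's type name so a deserialized copy from a remote session is visible. The function name `Move-StudentAccount`, its parameters and the server name are assumptions; the posts do not establish what caused the original binding error.

```powershell
# Added example, not code from the thread.
# Assumptions: $Server is a placeholder DC name supplied by the caller;
# the target OU and log-file usage mirror the posts above.
function Move-StudentAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TargetPath,
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $LogFile
    )
    $stamp = Get-Date -Format s
    try {
        # -ErrorAction Stop makes a failed lookup land in the catch block
        # instead of letting the script carry on with an empty $user.
        $user = Get-ADUser -Identity $SamAccountName -Server $Server -ErrorAction Stop

        # Objects that crossed a remoting boundary are property bags whose
        # type name starts with "Deserialized."; record it for diagnosis.
        $typeName = $user.PSObject.TypeNames[0]

        # Hand Move-ADObject a plain DN string so nothing depends on
        # pipeline binding of the object returned above.
        $dn = [string]$user.DistinguishedName
        if ([string]::IsNullOrWhiteSpace($dn)) {
            throw "Lookup of '$SamAccountName' returned no DistinguishedName"
        }
        Move-ADObject -Identity $dn -TargetPath $TargetPath -Server $Server `
            -Confirm:$false -ErrorAction Stop
        "$stamp MOVED $SamAccountName ($typeName) from $dn" | Out-File $LogFile -Append
        return $true
    }
    catch {
        # Log the failure with the account name so the run can be audited.
        "$stamp FAIL  $SamAccountName : $($_.Exception.Message)" | Out-File $LogFile -Append
        return $false
    }
}

# Usage with the thread's values (server name is a placeholder):
# Move-StudentAccount -SamAccountName $Student.sAMAccountName `
#     -TargetPath 'OU=Old,OU=Students,DC=CH,DC=MCC,DC=edu' `
#     -Server 'dc01.example.invalid' -LogFile $logfile
```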
