Using ADSI to move computer object to another OU

  • #131606

    Participant
    Points: 26
    Rank: Member

    Use ADSI not powershell AD cmdlets

    Move computer from one OU to another OU
    remove members from computer object before moving
    Move computer to OU
    Add members to computer in OU

    When I say members these are software titles deployed to computer objects in OU

  • #131669

    Participant
    Points: 1,124
    Helping Hand
    Rank: Community Hero

    Are these instructions to develop a script? If so, sorry, nobody here writes scripts for others. We help others to write scripts on their own. If you have started with anything, please share where you are stuck or getting an error.

  • #131717

    Participant
    Points: 26
    Rank: Member

    Thanks, I am attempting to use ADSI searcher and can display software titles this computer is a member of but cannot figure out how to remove them before moving the computer object to a new OU. I am off work for the holidays and do not have access to my ws but when I return I can upload my code.

     

    Cheers

  • #131723

    Participant
    Points: 513
    Helping Hand
    Rank: Major Contributor

    If you did a search for your exact points of interest, you'd get many results of exactly how to do each, and then all you'd need to do is merge that together in a single script.

    Example:
    'adsi move computer to ou'
    … and you'd get...

    Move Computer to a different OU without AD cmdlets using PowerShell
    https://social.technet.microsoft.com/Forums/lync/en-US/3ead225f-f417-40d6-aadf-687e96cb2141/move-computer-to-a-different-ou-without-ad-cmdlets-using-powershell

    Using ADSI and LDAP to move to an OU
    https://social.technet.microsoft.com/forums/scriptcenter/en-US/37ab13a4-4ddb-460a-8a6a-0eac5887e0c0/using-adsi-and-ldap-to-move-to-an-ou

    Working with Active Directory using PowerShell ADSI adapter
    https://social.technet.microsoft.com/wiki/contents/articles/4231.working-with-active-directory-using-powershell-adsi-adapter.aspx

    The same thing would happen with each of your other data points. Now, you may not find all you need in one link of course, so, retooling your point in your search would get you more to start with.

  • #131726

    Participant
    Points: 26
    Rank: Member

    Thank you postanote, I will review the links you provided.

    Cheers

  • #131730

    Participant
    Points: 513
    Helping Hand
    Rank: Major Contributor

    No worries.

    I am a firm believer in listing out things I want to do in bullet points, then attacking each bullet point one at a time and making sure that is working as expected before moving to the next.

    All the individual pieces make up only a starting point, then you refine to the level of operational functionality needed, then refine further to go for optimization, elegance, and ease of maintenance.

    This allows for avoidance of analysis paralysis, unnecessary self-confusion, and a very linear approach to the resolution.

    Define what you want your results to be (meaning know your answer before you begin).
    Then, via the step-through, build to your end result.

  • #132512

    Participant
    Points: 26
    Rank: Member

    Here is a sample of code I found online, I modified the section to remove the groups. It seems to work but may be sloppy. The requirements are this is run before a computer object is moved from one OU to another. I wanted to remove the need to install RSAT.

    
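    # Find the computer account by sAMAccountName (computer accounts end in "$")
    $ComputerN = "W10-1809$"
    $ObjFilter = "(&(Objectclass=Computer)(samaccountName=$ComputerN))"
    $objSearch = New-Object System.DirectoryServices.DirectorySearcher
    $objSearch.PageSize = 5000
    $objSearch.Filter = $ObjFilter
    $objSearch.SearchRoot = "LDAP://DC=corp,DC=contoso,DC=com"
    $AllObj = $objSearch.FindOne()
    # FindOne() returns $null when nothing matches; stop before touching any group
    if (-not $AllObj) { throw "Computer $ComputerN not found" }
    $objItemS = $AllObj.Properties
    $CompDN = $objItemS.distinguishedname
    $Comp = [ADSI] "LDAP://$CompDN"
    # Bind to every group listed in memberOf and remove the computer from each
    $groupname = ($AllObj.GetDirectoryEntry()).memberof | %{ [adsi]"LDAP://$_" }
    foreach($group in $groupname)
    {
        $group.remove($comp.adspath)
    }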
    
    
  • #132899

    Participant
    Points: 513
    Helping Hand
    Rank: Major Contributor

    As for this:

    I wanted to remove the need to install RSAT.

    You never need to install RSAT if you have admin permissions to connect to any DC. You'd use PowerShell Implicit Remoting to proxy the use of those cmdlets to the machine you are on. This approach allows you to use the cmdlets as if they were actually installed on your system, even though they are not.

    You use the cmdlets in your script at your workstation, they run on the DC, and return results back to you. The moment you close the PSRemoting session, they are no longer available.

    https://blogs.technet.microsoft.com/heyscriptingguy/2011/10/04/use-powershell-active-directory-cmdlets-without-installing-any-software

    You never have to install other stuff on your workstation just to work with cmdlets. As long as you can administratively connect to AD, Exchange, SharePoint, Skype, SQL, via implicit remoting, you can use those cmdlets from those hosts.

  • #132918

    Participant
    Points: 201
    Helping Hand
    Rank: Participant

    You never need to install RSAT if you have admin permissions to connect to any DC. You'd use PowerShell Implicit Remoting to proxy the use of those cmdlets to the machine you are on. This approach allows you to use the cmdlets as if they were actually installed on your system, even though they are not.

    I have tried implicit remoting a few times, with Import-PSSession and Export-PSSession as well.
    However, the output display is often not really neat. I guess it is because the Format.ps1xml file is not present on the local computer.
    My favorite method has long been explicit remoting with Enter-PSSession. All the work is done by the remote computer and the display is the same as when you install modules on your local computer.

    And when I want to get back some data to process further, I use Invoke-Command.

  • #132980

    Participant
    Points: 513
    Helping Hand
    Rank: Major Contributor

    As for …

    However, the output display is often not really neat

    … I am not sure what this translates into for you, but I've not had or seen any display issues when doing remoting of any flavor.
    Yet, environments are different and things will happen to some that are not manifested by others.

  • #132983

    Participant
    Points: 26
    Rank: Member

    Thanks Luc, connecting to a remote dc will not allow me to use out-gridview -passthru, to assign my selection to a variable $target. I would then use $target to perform the move of the computer object to the target OU. The following is what I have so far:

    
    # Bind to the computer object by name; result is kept in $global:computer_adspath
    function computer-ADSpath($computername)
    {
        $searcher = [adsisearcher]"(name=$computername)"
        $comp_dn = $searcher.FindOne().Properties.distinguishedname
        $global:computer_adspath = ([adsi]"LDAP://$comp_dn")
    }
    
    # Collect the ADsPath of every group the computer is a member of
    function computer-memberof($computername)
    {
        $searcher = [adsisearcher]"(name=$computername)"
        $global:membersof_adspath = ($searcher.FindOne().Properties.memberof | % {[adsi]"LDAP://$_"}).path
    }
    
    # List OUs whose name starts with "win" and let the operator pick one
    function get-targetOU()
    {
        $searcher = [adsisearcher]("ou=win*")
        $target = $searcher.Findall()
        $name = $target.properties.name | Out-GridView -PassThru
        $global:target_ou = ([adsi]"LDAP://OU=$name,OU=CORP,DC=corp,DC=contoso,DC=com").path
    }
    
    get-targetOU #this function allows me to select the target OU from out-gridview and assign to a variable
    #I can't do this in a remote session connected to the DC
    computer-ADSpath "w10-1809"
    computer-memberof("w10-1809")
    # Move the computer object under the selected OU
    $computer_adspath.MoveTo($target_ou)
    
    

    I have the output from gridview but I cannot post the image.
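
The steps discussed in this thread (look up the computer, remove its group memberships, move it to the target OU), written as one function. This is an added example, not code posted by any participant. It escapes the name before it goes into the LDAP filter, requires exactly one computer match, and supports -WhatIf; the function names and the sample computer name and OU DN in the last comment are assumptions.

```powershell
# Added example, not code from the thread.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters \ * ( ) and NUL so that a name
    # taken from input can only ever match literally inside a filter.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Move-ComputerToOu {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOuDn   # distinguishedName of the OU
    )
    $targetPath = "LDAP://$TargetOuDn"
    if (-not [adsi]::Exists($targetPath)) { throw "Target OU not found: $TargetOuDn" }

    # Restrict to computer objects and require a single, unambiguous match.
    $name     = ConvertTo-LdapFilterValue $ComputerName
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$name))"
    $hits     = $searcher.FindAll()
    try {
        if ($hits.Count -ne 1) {
            throw "Expected one computer named '$ComputerName', found $($hits.Count)"
        }
        $computer = $hits[0].GetDirectoryEntry()
        # memberof is absent when the computer is only in its primary group.
        $groupDns = @($hits[0].Properties['memberof'] | Where-Object { $_ })
    }
    finally { $hits.Dispose() }

    foreach ($dn in $groupDns) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove $ComputerName")) {
            ([adsi]"LDAP://$dn").Remove($computer.Path)
        }
    }
    if ($PSCmdlet.ShouldProcess($TargetOuDn, "Move $ComputerName")) {
        $computer.MoveTo([adsi]$targetPath)
    }
    $groupDns   # returned so the caller can log or audit what was removed
}

# Preview the changes first (constructed sample values):
# Move-ComputerToOu -ComputerName 'w10-1809' -TargetOuDn 'OU=Win10,OU=CORP,DC=corp,DC=contoso,DC=com' -WhatIf
```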

     
