Ja Che
asked on
Automated Script to Move Disabled Active Directory Accounts
Hello, what's the best way to automate moving disabled user accounts in Active Directory to another OU?
I want to search Active Directory and if disabled users are found, move them to the "Tombstone" OU.
I understand this can be done through the AD Module for Powershell manually, but I want to see if it can be automatically completed on a weekly basis.
Any input is greatly appreciated!
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the reply guys.
@Will So in my case, do I just update the Disabled Account references to Tombstoned (in my specific case).
SOLUTION
@Will So in my case, do I just update the Disabled Account references to Tombstoned (in my specific case).
Yeah just change line 2 TargetOU to the actual path of where you want to move the disabled objects.
Will.
ASKER
Awesome. That worked perfectly. Is there any way to automate that command?
You would need to set up a scheduled task and set it to run X number of days.
Glad that it worked for you.
Will.
ASKER
Ideally, should it be something like a batch file or VBS? Just want to know best practice.
Thanks again!
SOLUTION
ASKER
Thank you, Will!!
ASKER
The script worked from my Windows 7 machine, but when I attempted to run the script as a standalone test on Server 2008 R2 I received the following error:
Move-ADObject : Access is denied
At C:\scripts_new\tombstoned.ps1:5 char:14
+ Move-ADObject <<<< -Identity $account.distinguishedName -TargetPath $TargetOU
    + CategoryInfo : PermissionDenied: (CN=XXXXXX,OU=XXXXXX,DC=XXXXXX,DC=XXXXXX:ADObject) [Move-ADObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
This shows up for each account it's attempting to move, but most are already in the desired OU. There's one user account I'm working on that does not get moved, even though it's disabled.
I've searched various parts of the error, but had no resolution. I also installed KB2806748, which is supposed to address this issue and no success either.
Any ideas on how to get past the access denied message?
Thanks!
Khandu,
You need to configure PowerShell on W2K8 to run scripts.
First, run PowerShell as admin and type the following commands.
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Unrestricted
Then try to run the command.
good luck!
Not exactly sure this is what you were looking for.
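An added example of the weekly job discussed in this thread (it is not the members-only script or any poster's code): it skips accounts already in the target OU, leaves the built-in disabled accounts alone, and logs each "Access is denied" failure instead of stopping. The OU paths, the exclusion list, the log file name and the task account are assumptions to replace with your own.

```powershell
# Added example, not the thread's script. OU paths and account names are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',      # assumed: OU holding live users
    [string]$TargetOU   = 'OU=Tombstone,DC=example,DC=com',  # assumed: destination OU
    [string[]]$Exclude  = @('Guest', 'krbtgt'),              # built-in accounts, disabled by default
    [string]$LogPath    = 'C:\scripts_new\tombstoned.log'    # assumed log file name
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-InTargetOU([string]$DistinguishedName, [string]$OU) {
    # True when the object already sits in (or below) the destination OU.
    return $DistinguishedName.EndsWith(",$OU", [StringComparison]::OrdinalIgnoreCase)
}

# Disabled users only, minus excluded names and anything already moved.
$disabled = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SearchBase |
    Where-Object { ($Exclude -notcontains $_.SamAccountName) -and
                   -not (Test-InTargetOU $_.DistinguishedName $TargetOU) }

foreach ($account in $disabled) {
    $stamp = Get-Date -Format s
    # Honors -WhatIf so the run can be previewed before anything is moved.
    if (-not $PSCmdlet.ShouldProcess($account.DistinguishedName, "Move to $TargetOU")) { continue }
    try {
        # -ErrorAction Stop turns "Access is denied" into a catchable error.
        Move-ADObject -Identity $account.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
        Add-Content -Path $LogPath -Value "$stamp MOVED  $($account.SamAccountName)"
    }
    catch {
        # Record the failure and carry on with the next account.
        Add-Content -Path $LogPath -Value "$stamp FAILED $($account.SamAccountName): $($_.Exception.Message)"
    }
}

# Weekly run (Sundays 02:00), registered from an elevated prompt as one line.
# The task account (placeholder) needs rights to move user objects between the two OUs.
#   schtasks /Create /TN "Move disabled users" /SC WEEKLY /D SUN /ST 02:00 /RU EXAMPLE\svc-adcleanup /RP * /TR "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts_new\tombstoned.ps1"
```

Run it once with -WhatIf to review the list of accounts before scheduling it. Passing -ExecutionPolicy on the task's command line scopes the policy to that one process rather than changing it machine-wide.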