Powershell Automation - Find All Disabled AD Objects and Move to Disabled OU

Isaias Perez
Trying to put together a script that I can run as a daily scheduled task to automate moving disabled objects in our OU to the Disabled OU. I put this together but it's not working. Can you please help rewrite the script so that it makes sense?

$DisabledUsers = Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "false"}
$TargetOU="OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net"

$DisabledUsers |
Select-Object SamAccountName |
Get-ADUser |
Move-ADObject -TargetPath $TargetOU


Isaias Perez, IT Operations Manager (Author) commented:
Here is the error message I am getting.

Get-ADUser : Object reference not set to an instance of an object.
At C:\scripts\Move All Disabled Users to Disabled OU.ps1:6 char:1
+ Get-ADUser |
+ ~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Microsoft.Activ...nagement.ADUser:ADUser) [Get-ADUser], NullReferenceException
    + FullyQualifiedErrorId : Object reference not set to an instance of an object.,Microsoft.ActiveDirectory.Management.Commands.GetADUser


Expert (Most Valuable Expert 2018, Distinguished Expert 2018) commented:
No need for all those intermediate steps. You get the disabled users, and move them.
This here is in test mode and will only show which users it would move; remove the -WhatIf to run it for real:
$TargetOU = "OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net"
Get-ADUser -Filter "Enabled -eq 'false'" | Move-ADObject -TargetPath $TargetOU -WhatIf


Isaias Perez, IT Operations Manager (Author) commented:
Is there any way that we can just target User Objects? I am seeing the following and I'm not sure I would want to move that.

What if: Performing the operation "Move" on target "CN=SystemMailbox{1f05a927-5b5c-496f-9004-b4ddfa745cd8},OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net".
What if: Performing the operation "Move" on target "CN=SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9},OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net".
What if: Performing the operation "Move" on target "CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},OU=Disabled,OU=Users,


Isaias Perez, IT Operations Manager (Author) commented:
Lastly, is there a way to target users that are not already in the Disabled OU? In other words, just users outside of the specified OU: "OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net"

Expert (Most Valuable Expert 2018, Distinguished Expert 2018) commented:
It doesn't really matter if they are already in the target OU; the cmdlet will just ignore those.
This will exclude anything with "mailbox" in its name:
$TargetOU = "OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net"
Get-ADUser -Filter "Enabled -eq 'false'" | Where-Object {$_.Name -notlike '*mailbox*'} | Move-ADObject -TargetPath $TargetOU -WhatIf


Isaias Perez, IT Operations Manager (Author) commented:
As always thank you for everything!
Isaias Perez, IT Operations Manager (Author) commented:
Hey OBDA, although this script works, it's giving me this error message. Is there a way to suppress this error message?
[attached image: move-users-to-disabled-ou-error.png]
Isaias Perez, IT Operations Manager (Author) commented:
I attempted to add -confirm:$false to the end of the script and that didn't work. I mean the script is still working, but complaining about users that it's trying to move to the Disabled OU but they are already there, I guess is what it's saying.
[attached image: move-users-to-disabled-ou-error2.png]

Expert (Most Valuable Expert 2018, Distinguished Expert 2018) commented:
Users can have the same RDN (the name displayed in the ADUC console) as long as they are in different OUs.
The ones mentioned in the errors are probably users with a same RDN as a user already in the disabled OU, but a different SamAccountName.
So if there's a user John Doe and a SAM of jdoe1 in OU1, and a user John Doe in OU2 with a SAM of jdoe2, and both were disabled, one of them would be moved to the target OU, and the other one will fail because now there's already (the other) John Doe in there.
You need to define a way to resolve this.
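The following is an added example, not the expert's code or the author's script. It takes the expert's one-liner and name exclusion from the earlier answer and adds the two things the last two posts call for: skipping accounts already under the target OU, and checking for an RDN (CN) collision in the target OU before calling Move-ADObject, so a clash is logged and reported instead of surfacing as an error from the scheduled task. It assumes the RSAT ActiveDirectory module, the OU path from the thread, and a hypothetical log path; SupportsShouldProcess makes -WhatIf and -Confirm work for the whole run.

```powershell
# Added example (not from the thread): move disabled user accounts into the
# Disabled OU with exclusions, an "already there" skip, and an RDN-collision
# check. Run with -WhatIf -Verbose first; the scheduled task runs it without -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetOU = 'OU=Disabled,OU=Users,OU=Contoso_Users_and_Groups,DC=Contoso,DC=net',
    # Name patterns to leave alone (Exchange system/arbitration mailboxes, etc.)
    [string[]]$ExcludeNameLike = @('*mailbox*'),
    # Hypothetical log location; adjust to suit the environment
    [string]$LogPath = 'C:\scripts\logs\move-disabled-users.log'
)

Import-Module ActiveDirectory -ErrorAction Stop

$logDir = Split-Path -Path $LogPath -Parent
if (-not (Test-Path -Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
}

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Write-Verbose $line
    Add-Content -Path $LogPath -Value $line
}

# Same server-side filter the expert used: disabled user accounts only.
$candidates = Get-ADUser -Filter "Enabled -eq 'false'"

foreach ($user in $candidates) {
    # Already under the target OU: nothing to do, so skip it quietly.
    if ($user.DistinguishedName -like "*,$TargetOU") { continue }

    # Name-based exclusions (the expert's '*mailbox*' pattern by default).
    $excluded = $false
    foreach ($pattern in $ExcludeNameLike) {
        if ($user.Name -like $pattern) { $excluded = $true; break }
    }
    if ($excluded) {
        Write-Log "SKIP (excluded name) $($user.DistinguishedName)"
        continue
    }

    # RDN collision check: an object with the same CN sitting directly in the
    # target OU would make the move fail, so detect it first and report it.
    $escapedName = $user.Name -replace "'", "''"
    $clash = Get-ADObject -SearchBase $TargetOU -SearchScope OneLevel -Filter "name -eq '$escapedName'"
    if ($clash) {
        Write-Log "CONFLICT $($user.SamAccountName): name '$($user.Name)' already exists in target OU as $($clash.DistinguishedName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetOU")) {
        try {
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
            Write-Log "MOVED $($user.SamAccountName) -> $TargetOU"
        }
        catch {
            # Anything else (permissions, replication lag) is logged, not swallowed.
            Write-Log "FAILED $($user.SamAccountName): $($_.Exception.Message)"
        }
    }
}
```

The CONFLICT lines in the log are the list of accounts the expert says you still need a resolution policy for (rename one of the duplicates, or move it by hand); the script deliberately does not guess. Because the collision check runs before the move, the scheduled task no longer produces the "already exists" errors the author attached, and because every decision is written to the log, a reviewer can see exactly which accounts were moved, skipped or blocked on each run.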
