Moving Object from one OU to another OU

  • Question

  • This is my first attempt at creating a PS script. My goal is to disable then move computer objects from one OU to another OU if it's been at the source OU for at least 3 days. I got the Get-AdComputer cmdlet working but am having an issue with the foreach loop. Below is the script I wrote. Thank you for all your assistance!

    Get-ADComputer -Filter * -Properties *  -SearchBase "ou=testPC,ou=clients,ou=sales,dc=xyz,dc=com" | 
    FT Name,WhenCreated,WhenChanged, @{Name="DAYS";Expression={$PSItem.whencreated - $PSItem.whenchanged}}

    # Specifies the source OU to look in
    $SourcePath = "ou=TestPC,ou=clients,ou=sales,dc=xyz,dc=com"
    # Specifies the target OU to move objects to
    $TargetOU = "ou=tombstonedclients,ou=clients,ou=sales,dc=xyz,dc=com"
    # Specifies computers contained in source OU
    $Computers = Get-ADComputer -Filter * -Properties *  -SearchBase "ou=TestPC,ou=clients,ou=sales,dc=xyz,dc=com"
    #Specifies when object was created
    [int]$CreateDate = $PSItem.whencreated
    #Specifies when object was modified
    [int]$ChangedDate = $PSItem.whenchanged

    foreach ($computer in $computers) {
    if ($CreateDate - $ChangedDate -gt 3) 
    {Disable-ADAccount | Move-ADObject -Identity "CN=$computer,$SourcePath" `
    -TargetPath "$TargetOU"}
    #Writes customized output to a host.
    write-host "$computer will be moved to tombstone OU"

    }

    Thursday, June 30, 2016 12:01 AM

Answers

  • I understand what you're trying to do, but it's not going to work.  You're assuming that the only time the whenchanged attribute gets updated is if the computer object is moved from one OU to another.  This will never work.  The whenchanged attribute gets updated for any change to the computer object, to include when the computer account updates its password with the domain.

    The only way you can be certain that the computer account has been in a particular OU for longer than 3 days is by running the script I'm posting, once a day.  Put it in task scheduler.

    The script is tagging each computer object it finds with the current date into extensionattribute10.  If a date is already there, then it evaluates that date by comparing it to today's date.  If it's greater than 3 days, it gets moved.

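    # Requires the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory

    $SourceOU = "ou=testPC,ou=clients,ou=sales,dc=xyz,dc=com"
    $DestinationOU = "ou=tombstonedclients,ou=clients,ou=sales,dc=xyz,dc=com"

    $Computers = Get-ADComputer -Filter * -SearchBase $SourceOU -Properties extensionattribute10
    $FD = Get-Date
    # Round-trip ("o") format: the [datetime] cast below parses with the invariant
    # culture, so a culture-specific ToString() could fail or swap day and month.
    $FDS = $FD.ToString("o")

    foreach ($computer in $Computers)
    {
        $EA10 = $computer.extensionattribute10
        if ($null -eq $EA10)
        {
            # First time seen in the source OU: tag the object with today's date
            Set-ADComputer $computer -Replace @{extensionattribute10=$FDS}
        }
        else
        {
            # Already tagged: move the object once the tag is more than 3 days old
            $FDC = [datetime]$EA10
            if (($FD - $FDC).Days -gt 3) { Move-ADObject $computer $DestinationOU }
        }
    }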
    


    • Edited by Xecros Thursday, June 30, 2016 5:26 AM
    • Proposed as answer by Richard MuellerMVP Thursday, June 30, 2016 10:14 AM
    • Marked as answer by Wendy Jiang Monday, July 4, 2016 9:21 AM
    Thursday, June 30, 2016 5:23 AM
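
The tag-then-age approach from the answer above, as an added example that is not part of the thread or any poster's script. It separates the decision from the AD calls so it can be checked on constructed objects, adds the disable step the question asked for, and refuses to act when extensionattribute10 already holds something that is not a date. The function names, the computer names and the fixed clock are assumptions made for illustration.

```powershell
# Added example; Get-StagingAction and Invoke-StagingSweep are hypothetical names.
function Get-StagingAction {
    param(
        [Parameter(Mandatory)] $Computer,   # any object with Name and extensionAttribute10
        [datetime] $Now = (Get-Date),
        [int] $MaxDays = 3
    )
    $nowUtc = $Now.ToUniversalTime()
    $raw = $Computer.extensionAttribute10; $action = 'Wait'; $stamp = $raw
    if ([string]::IsNullOrWhiteSpace($raw)) {
        # First sighting: record a culture-independent ISO 8601 UTC timestamp.
        $action = 'Stamp'; $stamp = $nowUtc.ToString('o')
    } else {
        $styles    = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $firstSeen = [datetime]::MinValue
        $parsed = [datetime]::TryParse($raw, [cultureinfo]::InvariantCulture, $styles, [ref]$firstSeen)
        if (-not $parsed) {
            # The attribute is in use for something else: never overwrite or act on it.
            $action = 'Review'
        } elseif (($nowUtc - $firstSeen).Days -gt $MaxDays) {
            $action = 'DisableAndMove'
        }
    }
    [pscustomobject]@{ Name = $Computer.Name; Action = $action; Stamp = $stamp }
}

function Invoke-StagingSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $SourceOU, [string] $DestinationOU)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SourceOU -Properties extensionAttribute10) {
        $a = Get-StagingAction -Computer $c
        switch ($a.Action) {
            'Stamp'          { Set-ADComputer -Identity $c -Replace @{ extensionAttribute10 = $a.Stamp } }
            'DisableAndMove' {
                Disable-ADAccount -Identity $c
                Move-ADObject -Identity $c -TargetPath $DestinationOU
            }
            'Review'         { Write-Warning "$($a.Name): extensionAttribute10 is not a date: '$($a.Stamp)'" }
        }
    }
}

# Constructed sample objects evaluated against a fixed clock; no domain is contacted.
$now = [datetime]::new(2016, 7, 4, 9, 0, 0, [System.DateTimeKind]::Utc)
@(
    [pscustomobject]@{ Name = 'PC-NEW';   extensionAttribute10 = $null }
    [pscustomobject]@{ Name = 'PC-2DAYS'; extensionAttribute10 = '2016-07-02T09:00:00.0000000Z' }
    [pscustomobject]@{ Name = 'PC-OLD';   extensionAttribute10 = '2016-06-30T05:23:00.0000000Z' }
    [pscustomobject]@{ Name = 'PC-OTHER'; extensionAttribute10 = 'CostCenter-42' }
) | ForEach-Object { Get-StagingAction -Computer $_ -Now $now }
```

Run `Invoke-StagingSweep` with `-WhatIf` before scheduling it. The stamp stays on the object after the move, so clear it if a computer can legitimately return to the source OU.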

All replies

  • What is the error?

    Just saying "it is having a problem" does not help us help you.


    \_(ツ)_/

    Thursday, June 30, 2016 12:40 AM
  • You might also format and post your script so that it is readable.  Please use the code posting tool.


    \_(ツ)_/

    Thursday, June 30, 2016 12:42 AM