Getting an odd result when trying to move-adobject

  • Question

  • In this script I'm attempting to disable a list of AD Users and move them to their corresponding disabled OU. Most all accounts reside in their parent OU's "_users" OU. Some however reside in a sub OU called "temporary accounts". I've placed a condition statement to handle this and remove this from the distinguished name.  Here's my problem:

    When attempting to run, I receive the error "The operation could not be performed because the object's parent is either uninstantiated or deleted"





    import-module activedirectory
    import-csv c:\mylist.csv |
        foreach-object {
            $newdn = $null
            $user = get-aduser $_.userid
            $user.DistinguishedName.split(",") | foreach {
                $newdn = ($newdn + "," + $_)
                if ($_ -match ("CN=" + $user.name)) {
                    $newdn = ($_ + ",OU=disabled accounts")
                }
            }

            $newdn -replace "OU=Temporary Accounts,", ""

            Disable-ADAccount $_.userid
            Move-ADObject $user.DistinguishedName -targetpath $newdn
        }
            

            

    Monday, March 17, 2014 12:11 AM


All replies

  • Is this what you are trying to do?

    import-csv c:\mylist.csv |
        foreach-object{ 
            $user=get-aduser $_.userid
            $parent=$user.parent
            $newdn='OU=disabled accounts' + $parent
            Disable-ADAccount $_.userid
            $user | Move-ADObject -targetpath $newdn
        }
    

    Or are you trying to move to an OU that is a sub OU of the parent's parent?

    The above code is an example but needs a couple of extra steps to make it work.


    ¯\_(ツ)_/¯


    • Proposed as answer by jrv Monday, March 17, 2014 12:36 AM
    • Edited by jrv Monday, March 17, 2014 12:40 AM
    Monday, March 17, 2014 12:30 AM
  • The user will be in one of many OU's  that represent their location. Within that OU is a "_users" container. From there the user will reside directly in "_users" or in a sub-OU located under users called "temporary users". Hope that explains it a little better. 

    After disabling the user, it needs to go in a sub-OU located in "_users" called "disabled accounts".

    When I run the script inside ISE I get a line showing the new modified DN for every user, which is odd because I don't have anything in script asking for output. Sorry I'm still pretty new to powershell, I really appreciate the help.

    Monday, March 17, 2014 12:40 AM
  • The following gets the parent from the user ID

    $dn=(get-aduser $_.userid).distinguishedname
    ([adsi]"LDAP://$dn").Parent

    Here is how it looks:

    import-csv c:\mylist.csv |
        foreach-object{
            $user=Get-AdUser $_.userid
            $dn=$user.distinguishedname
            $parent=([adsi]"LDAP://$dn").Parent.Remove('LDAP://')
            $newdn="OU=disabled accounts,$parent"
            $user | Disable-ADAccount
            $user | Move-ADObject -targetpath $newdn
        }

    If we want the parent's parent then we just do it once more.


    ¯\_(ツ)_/¯



    • Edited by jrv Monday, March 17, 2014 12:54 AM
    • Marked as answer by Breaker1253 Monday, March 17, 2014 12:59 AM
    Monday, March 17, 2014 12:47 AM
  • Upon running your version of the script I'm receiving

    "Cannot convert argument "0", with value: "LDAP://", for "Remove" to type "System.Int32": "Cannot convert value "LDAP://" to type "System.Int32". Error: "Input string was not in a correct format.""

    Monday, March 17, 2014 12:10 PM
  • Sorry typo.  "Remove" should be "Replace".

    $parent=([adsi]"LDAP://$dn").Parent.Replace('LDAP://','')


    ¯\_(ツ)_/¯

    Monday, March 17, 2014 12:18 PM
  • That seems to have fixed it. Although I'm receiving the same error I did in my previous script for each object:

    Move-ADObject : The operation could not be performed because the object's parent is either uninstantiated or deleted

    Edit: When specifying a -targetserver, I receive error:

    Move-ADObject : Can't move objects with memberships across domain boundaries as once moved, this would violate the membership conditions of the account group. Remove the object from any account group memberships and retry

    I'm assuming I'll have to query for the DC they reside on and make that the target for each object?

    • Edited by Breaker1253 Monday, March 17, 2014 12:57 PM
    Monday, March 17, 2014 12:34 PM
  • You do not need to use DC.  You need to give us the correct information about your OU structure.

    Print this value and see if the OU actually exists:

    $newdn="OU=disabled accounts,$parent"


    ¯\_(ツ)_/¯

    Monday, March 17, 2014 3:40 PM
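
The approach the thread converges on, as an added example that is not part of the original posts: derive the parent OU from the distinguished name, step out of the temporary sub-OU when the user sits in it, and confirm the target OU exists before disabling or moving anything. The OU names and the `userid` CSV column are taken from the posts; the helper name `Get-DisabledOuDn` and the variables are hypothetical, and `-WhatIf` keeps the run read-only.

```powershell
Import-Module ActiveDirectory

# Assumptions: OU names as described in the question; adjust to the real structure.
$DisabledOuName = 'disabled accounts'
$TempOuName     = 'Temporary Accounts'

# Hypothetical helper: build the DN of the "disabled accounts" OU for a user DN.
function Get-DisabledOuDn {
    param([Parameter(Mandatory)][string]$UserDn)
    # Cut the leaf RDN off at the first unescaped comma, so a name such as
    # "CN=Smith\, John" does not break the parse the way Split(",") would.
    $parent = ($UserDn -split '(?<!\\),', 2)[1]
    # If the user sits in the temporary sub-OU, step up one level to "_users".
    # -replace returns a new string; the result must be assigned to take effect.
    $parent = $parent -replace "^OU=$([regex]::Escape($TempOuName)),", ''
    "OU=$DisabledOuName,$parent"
}

Import-Csv C:\mylist.csv | ForEach-Object {
    $user   = Get-ADUser -Identity $_.userid
    $target = Get-DisabledOuDn -UserDn $user.DistinguishedName

    # Confirm the target OU exists before changing anything. A wrong or missing
    # target is what the "parent is either uninstantiated or deleted" check in
    # the last reply is looking for.
    try {
        $null = Get-ADOrganizationalUnit -Identity $target -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($user.SamAccountName): target OU not found: $target"
        return   # inside ForEach-Object this moves on to the next CSV row
    }

    # -WhatIf reports what would happen without modifying the directory.
    $user | Disable-ADAccount -WhatIf
    $user | Move-ADObject -TargetPath $target -WhatIf
}
```

Remove the two `-WhatIf` switches once the reported targets are the OUs you expect.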