Append AD description vs overwrite

Hi all,

I have the below script that will search for the last logon time stamp that is older than X amount of days. It will then take the results and disable overwrite the description field then move to a disabled users OU. I’m struggling to figure out to append the existing AD description field and not actually overwrite it. For example existing description for a user is “Finance - New York, New York” and I want the script to append and have “Finance - New York, New York Disabled and moved date script runs”

Any help would be greatly appreciated.

#Import AD PS Module
Import-Module ActiveDirectory
#Domain name
$domain = “mydomain.COM”
#Number of days to consider a user stale
$daysInactive = 365
$time = (Get-Date).Adddays(-($daysInactive))
#Get stale AD users, filtering out some OUs and object names
$staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase “DC=mydomain,DC=COM” | Where-Object { `
$.DistinguishedName -notmatch ‘OU=Users,DC=mydomain,DC=COM’ `
-and $.DistinguishedName -notmatch ‘OU=IT,DC=mydomain,DC=COM’ `
-and $.SamAccountName -notlike “IWAM” `
-and $.SamAccountName -notlike “SRV*” `
-and $.SamAccountName -notlike “IUSR” `
-and $.SamAccountName -notlike “WMUS” `
-and $_.SamAccountName -notlike “Mailbox” ` }

#Modify stale user’s description, disable them, and move them to Disabled OU
$staleUsers | ForEach {
#Set description and disable account
Set-ADUser $_ -Description “Disabled and moved on $(Get-Date)” -Enabled $false
#Move account
Move-ADObject $_ -TargetPath “OU=Disabled accounts,OU=Users,DC=mydomain,DC=COM”
}

Hi Joel,

You’ll need to handle this in your script.

1. Get the current value of the Description field
2. Append the text if not already present
3. Overwrite the Description field with the new value

Joel,

I provided the example of how to do this in the other thread you created:

https://powershell.org/forums/topic/for-each-to-disable-move-to-specific-ou-append-ad-discription-with-text/

Original text + additional text doesn’t incur extra cost.

Sorry, I missed that some how. I’m trying to use it and keep getting the below prompt.

cmdlet Set-ADUser at command pipeline position 1
Supply values for the following parameters:
Identity:

Below is the entire script. I’m not sure what I’m missing. The goal is find every users that match the search criteria and add the text to the description field, disable, and move them. I’m not sure what I’m missing.

#Import AD PS Module
Import-Module ActiveDirectory
#Domain name
$domain = “mydomain.COM”
#Number of days to consider a user stale
$daysInactive = 90
$time = (Get-Date).Adddays(-($daysInactive))
$Today = Get-Date -format d
$oldDescription = $Query.Description
$addDescription = “*** Disabled and moved $Today **"
$newDescription = “$addDescription; oldDescription”
$Query = $staleUsers
#Get stale AD users, filtering out some OUs and object names
$staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase “DC=mydomain,DC=COM” | Where-Object { `
$.DistinguishedName -notmatch ‘OU=Users,DC=mydomain,DC=COM’ `
-and $.DistinguishedName -notmatch ‘OU=IT,DC=mydomain,DC=COM’ `
-and $.SamAccountName -notlike “IWAM” `
-and $.SamAccountName -notlike "SRV” `
-and $.SamAccountName -notlike “IUSR” `
-and $.SamAccountName -notlike “WMUS” `
-and $.SamAccountName -notlike “Mailbox” ` }
#Modify stale users description, disable them, and moved them to Disabled OU
$staleUsers | ForEach {
Set-ADUser -Description $newDescription
#Move Account
Move-ADObject $ -TargetPath “OU=Disabled accounts,OU=Users,mydomain,DC=COM”
}

This line is incorrect:

$newDescription = "$addDescription; oldDescription"

You need to use something like this:

$oldDescription = "Old Description"
$today = Get-Date -Format d

$newDescription = "*** Disabled and moved $today ***; $oldDescription"
#or
$newDescription = "*** Disabled and moved $today ***; " + $oldDescription
#or
$newDescription = "*** Disabled and moved {0} ***; {1}" -f  $today, $oldDescription

Thanks for your info. I’ve updated to the below. Should this work?

#Import AD PS Module
Import-Module ActiveDirectory
#Domain name
$domain = “mydomain.COM”
#Number of days to consider a user stale
$daysInactive = 90
$time = (Get-Date).Adddays(-($daysInactive))
$Today = Get-Date -format d
$oldDescription = $Query.Description
$newDescription = “$*** Disabled and moved $Today **; oldDescription"
$Query = $staleUsers
#Get stale AD users, filtering out some OUs and object names
$staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase “DC=mydomain,DC=COM” | Where-Object { `
$.DistinguishedName -notmatch ‘OU=Users,DC=mydomain,DC=COM’ `
-and $.DistinguishedName -notmatch ‘OU=IT,DC=mydomain,DC=COM’ `
-and $.SamAccountName -notlike “IWAM” `
-and $.SamAccountName -notlike "SRV” `
-and $.SamAccountName -notlike “IUSR” `
-and $.SamAccountName -notlike “WMUS” `
-and $.SamAccountName -notlike “Mailbox” ` }
#Modify stale users description, disable them, and moved them to Disabled OU
$staleUsers | ForEach {
Set-ADUser -Description $newDescription
#Move Account
Move-ADObject $ -TargetPath “OU=Disabled accounts,OU=Users,mydomain,DC=COM”
}

Hey Joel,

Sorry I realized that there was a typo in my code. Rob is correct. olddescription is a variable, so it should have a $ preceding it in the declaration of newdescription.

$newDescription = "*** Disabled and moved $Today ***; $oldDescription"

Sorry for making this so difficult. I have updated but still not working for me. This part of the script is where it is prompting.

$staleUsers | ForEach {
Set-ADUser -Description $newDescription -Enabled $false
#Move Account
Move-ADObject $_ -TargetPath “OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM”
}

The prompt I receive
cmdlet Set-ADUser at command pipeline position 1
Supply values for the following parameters:
Identity:

Also, here are the variables in play for this section of the code. I’m thinking that maybe I have the old description variable wrong?

$newDescription = “*** Disabled and moved $Today **; $oldDescription"
$Today = Get-Date -format d
$oldDescription = $Query.Description
$Query = $staleUsers
$staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase “DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM” | Where-Object { `
$.DistinguishedName -notmatch ‘OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM’ `
-and $.DistinguishedName -notmatch ‘OU=IT,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM’ `
-and $.SamAccountName -notlike “IWAM” `
-and $.SamAccountName -notlike "SRV” `
-and $.SamAccountName -notlike “IUSR” `
-and $.SamAccountName -notlike “WMUS” `
-and $_.SamAccountName -notlike “Mailbox” ` }

I believe it is asking for the identity because there is nothing specified after Set-ADUser. You should be able to just add the $_ same as you did to the Move-ADObject.

$staleUsers | ForEach {
Set-ADUser $_ -Description $newDescription -Enabled $false
#Move Account
Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
}

Another way to construct your foreach statement to better understand it is

ForEach ($user in $staleUsers) {
Set-ADUser $user -Description $newDescription -Enabled $false
#Move Account
Move-ADObject $user -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
}

As far as the declaration of $oldDescription, you are pulling the description of everyone in the whole query and the declaration is in the wrong order. You need to make sure that the variable definitions are looking for variables that already exist. Forget about using $Query and try something like this:

$Today = Get-Date -format d
ForEach ($user in $staleUsers) {
$oldDescription = $user.Description
$newDescription = "*** Disabled and moved $Today ***; $oldDescription"
Set-ADUser $user -Description $newDescription -Enabled $false
#Move Account
Move-ADObject $user -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
}