Comparing CSV to AD LegalHold OU and then disabling User not in LegalHoldOU

starlord · September 21, 2018, 11:48am

Pleeeaaasseee Help Me. I have been working on a powershell script to compare a csv file to my LegalHold OU. If the user in the CSV file matches a user in the LegalHold OU, then just disable the account, add them to the Disabled Users group, change the discription field, and remove all the user’s distribution groups except Domain Users and Disabled Users groups. If the user in the CSV file does not match a user in the Legal Hold OU, then do all the things above, but also move the user to the Disabled OU. My script does all the above except move the user to the Disabled OU. I’m not sure if the If ($LegalHoldUser -eq $SamAccountName) statement is working. Or even if it’s correct. Please help. I have been working on this for 3 weeks with no answer. Here’s the script

Import-Module ActiveDirectory

$users= Import-Csv -Path “C:\Output\DisableADUsers91718C.csv”

$DisabledDate = Get-Date

$LeaveDate = Get-Date -Format “dddd dd MMMM yyyy”

$DisabledBy = Get-ADUser “$env:username” -properties Mail

$DisabledByEmail = $DisabledBy.Mail

$LegalHoldUser = Get-ADuser -Filter * -SearchBase ‘ou=LegalHold,dc=mecca,dc=com’ -Properties * | Select-object SamAccountName

$ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | where { ($.Name -ne ‘Domain Users’) -and ($.Name -ne ‘DisabledUsers’) }

$TargetOU = “ou=Disabled Users,dc=xxxx,dc=com”

foreach ($user in $users)

{

$SamAccountName = $User.SamAccountName

Set-ADUser $User.SamAccountName -Description “Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC006551”

If ($LegalHoldUser -eq $SamAccountName)

{

Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

Add-ADGroupMember -Identity “DisabledUsers” -Members $User.SamAccountName

Move-ADObject -Identity $User.SamAccountName -targetpath $TargetOU

Disable-ADAccount -Identity $($User.SamAccountname)

}

else

{

Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

Add-ADGroupMember -Identity “DisabledUsers” -Members $User.SamAccountName

Disable-ADAccount -Identity $($User.SamAccountname)

}

donj · September 21, 2018, 12:14pm

It’s really hard to follow code when you don’t apply the code formatting tags to it, as indicated in the bulleted list right above the text box.

I'm not sure if the If ($LegalHoldUser -eq $SamAccountName) statement is working. Or even if it's correct.

I'd suggest using a breakpoint, either in the ISE or VS Code, so that you can stop script execution and execute line-at-a-time. That's how you tell if an If construct is working. But no, it's not correct. If I'm reading your code correctly, $LegalHoldUser is potential a collection of objects having a samAccountName property. So you're basically asking, "is this entire parking lot full of cars red?" PowerShell can't compare apples to apples, which is what you've asked.

$LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=mecca,dc=com' -Properties * |

 Select-object -Expand SamAccountName

That should make $LegalHoldUser into a collection of strings. Then:

If ($LegalHoldUser -contains $SamAccountName)

Should work. -Eq means literal equality; you can’t ask if a collection of things is “equal to” a single thing, because it never will be.

See if that doesn’t help a bit.

starlord · September 21, 2018, 1:41pm

Hi Don,

I do apologize for not applying the code formatting. I’m guessing I was so frustrated with my self and this script till I didn’t see it. Your tips above helped. The only thing not working now is the Move-ADObject. Says it can not find an object with identity: ADam.Abston under DC=mecca,DC=com. I moved the Move-ADObject line under the “Else” statement just above the Disable-Account line.

Import-Module ActiveDirectory
$users= Import-Csv -Path “C:\Output\DisableADUsers91718C.csv”
$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format “dddd dd MMMM yyyy”
$DisabledBy = Get-ADUser “$env:username” -properties Mail
$DisabledByEmail = $DisabledBy.Mail
$LegalHoldUser = Get-ADuser -Filter * -SearchBase ‘ou=LegalHold,dc=mecca,dc=com’ -Properties * | Select-object -Expand SamAccountName
$ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | where { ($.Name -ne ‘Domain Users’) -and ($.Name -ne ‘DisabledUsers’) }
$TargetOU = “ou=Disabled Users,dc=mecca,dc=com”

foreach ($user in $users)
{
$SamAccountName = $User.SamAccountName

  Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
  If ($LegalHoldUser -contains $SamAccountName)
{
  Remove-ADPrincipalGroupMembership -Identity  $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

  Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

  Disable-ADAccount -Identity $($User.SamAccountname)
}
 else
{
  Remove-ADPrincipalGroupMembership -Identity  $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

  Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

  Move-ADObject -Identity $User.SamAccountName -targetpath $TargetOU
  Disable-ADAccount -Identity $($User.SamAccountname)  
}

}

ni-pfe · September 21, 2018, 2:14pm

The identity parameter of Move-ADObject only accepts either DistinguishedName or ObjectGUID property values. You’re trying to use SamAccountName so that’s why PowerShell is telling you that it can’t find the user. Changing “$User.SamAccountName” to either “$User.ObjectGUID” or “$User.DistinguishedName” should do the trick.

else{
     Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups     Confirm:$false
     Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
     Move-ADObject -Identity $User.ObjectGUID -targetpath $TargetOU
     Disable-ADAccount -Identity $($User.SamAccountName)
}

starlord · September 21, 2018, 2:31pm

Hi Paul,

Thx for our response, but no luck. I only have 3 names in my CVS File. The first one is in the LegalHold OU and the other are not. Do you think we need to declare the distinguished name as variable like I did the $SamAccountName = $User.SamAccountname? The error I’m getting is:

Move-ADObject : Cannot validate argument on parameter ‘Identity’. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:20 char:31

  Move-ADObject -Identity $User.DistinguishedName -targetpath $Ta ...

```
                          ~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : InvalidData: ( [Move-ADObject], ParameterBindingValidationException
- FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

Move-ADObject : Cannot validate argument on parameter ‘Identity’. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:20 char:31

  Move-ADObject -Identity $User.DistinguishedName -targetpath $Ta ...

```
                          ~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : InvalidData: ( [Move-ADObject], ParameterBindingValidationException
- FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

donj · September 21, 2018, 2:35pm

Frankly, I’d use Get-ADUser to get the user you want to move, and pipe that to Move-ADObject. Get-ADUser is more flexible for getting users.

starlord · September 21, 2018, 4:00pm

Don, I will give it a shot.

starlord · September 21, 2018, 4:32pm

Hi Don,
BooYaaahh!!! You were right. It now works. Now I just have to figure out why one of my 3 users didn’t get his groups removed. The other two, got their groups removed just fine. Once I figure that piece out, I’ll have to apply this script to 1500 users.

Import-Module ActiveDirectory
$users= Import-Csv -Path “C:\Output\DisableADUsers91718C.csv”
$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format “dddd dd MMMM yyyy”
$DisabledBy = Get-ADUser “$env:username” -properties Mail
$DisabledByEmail = $DisabledBy.Mail
$LegalHoldUser = Get-ADuser -Filter * -SearchBase ‘ou=LegalHold,dc=mecca,dc=com’ -Properties * | Select-object -Expand SamAccountName
$ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | where { ($.Name -ne ‘Domain Users’) -and ($.Name -ne ‘DisabledUsers’) }
$TargetOU = “ou=Disabled Users,dc=mecca,dc=com”

foreach ($user in $users)
{
$SamAccountName = $User.SamAccountName

  Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
  If ($LegalHoldUser -contains $SamAccountName)
{
  Remove-ADPrincipalGroupMembership -Identity  $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

  Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

  Disable-ADAccount -Identity $($User.SamAccountname)
}
 else
{
  Remove-ADPrincipalGroupMembership -Identity  $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

  Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

  Get-AdUser $SamAccountName | Move-ADObject -targetpath $TargetOU
 
  Disable-ADAccount -Identity $($User.SamAccountname)  
}

}

Topic		Replies	Views
Disabling AD users via CSV import sort of... PowerShell Help	2	165	August 17, 2014
Comparing users in an AD group to a CSV file PowerShell Help	7	196	June 3, 2022
Compare elements in arrays PowerShell Help	6	224	September 3, 2021
Too many if statements, how to simplify PowerShell Help	5	153	August 31, 2023
Help script disable user on AD PowerShell Help	1	179	December 14, 2013

Comparing CSV to AD LegalHold OU and then disabling User not in LegalHoldOU

Related Topics