Pleeeaaasseee Help Me. I have been working on a PowerShell script to compare a CSV file to my LegalHold OU. If the user in the CSV file matches a user in the LegalHold OU, then just disable the account, add them to the Disabled Users group, change the description field, and remove all the user's distribution groups except the Domain Users and Disabled Users groups. If the user in the CSV file does not match a user in the LegalHold OU, then do all the things above, but also move the user to the Disabled OU. My script does all the above except move the user to the Disabled OU. I'm not sure if the `If ($LegalHoldUser -eq $SamAccountName)` statement is working, or even if it's correct. Please help. I have been working on this for 3 weeks with no answer. Here's the script:
```powershell
Import-Module ActiveDirectory
$users = Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"
$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
$DisabledBy = Get-ADUser "$env:username" -properties Mail
$DisabledByEmail = $DisabledBy.Mail
$LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=mecca,dc=com' -Properties * | Select-object SamAccountName
$ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }
$TargetOU = "ou=Disabled Users,dc=xxxx,dc=com"
foreach ($user in $users)
{
    $SamAccountName = $User.SamAccountName
    Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC006551"
    If ($LegalHoldUser -eq $SamAccountName)
    {
        Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
        Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
        Move-ADObject -Identity $User.SamAccountName -targetpath $TargetOU
        Disable-ADAccount -Identity $($User.SamAccountname)
    }
    else
    {
        Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false
        Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName
        Disable-ADAccount -Identity $($User.SamAccountname)
    }
}
```
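The legal-hold check described in the post, as an added example that is not part of the original post: `Select-Object SamAccountName` returns objects rather than strings, so this version expands the property and tests membership with `-contains`, looks up groups per user inside the loop, moves the account by distinguished name, and performs the move only for users who are not on legal hold. It assumes the CSV has a `SamAccountName` column and reuses the OU paths, group names and ticket text from the post as placeholders.

```powershell
Import-Module ActiveDirectory

# Values copied from the post; treat them as placeholders for your domain.
$CsvPath     = 'C:\Output\DisableADUsers91718C.csv'
$LegalHoldOU = 'ou=LegalHold,dc=mecca,dc=com'
$TargetOU    = 'ou=Disabled Users,dc=xxxx,dc=com'
$KeepGroups  = 'Domain Users', 'DisabledUsers'
$DisabledBy  = (Get-ADUser $env:USERNAME).Name
$Stamp       = Get-Date

# -ExpandProperty yields plain strings, so -contains can match a SamAccountName.
$LegalHold = @(Get-ADUser -Filter * -SearchBase $LegalHoldOU |
    Select-Object -ExpandProperty SamAccountName)

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.SamAccountName
    try {
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
    } catch {
        # A typo in the CSV should not stop the run or touch another account.
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    # Steps applied to every account in the CSV.
    Set-ADUser $adUser -Description "Disabled by $DisabledBy on $Stamp per Ticket INC006551"
    Disable-ADAccount -Identity $adUser

    # Group membership is read per user, inside the loop.
    $memberOf = @(Get-ADPrincipalGroupMembership -Identity $adUser)
    if ($memberOf.Name -notcontains 'DisabledUsers') {
        Add-ADGroupMember -Identity 'DisabledUsers' -Members $adUser
    }
    $remove = @($memberOf | Where-Object { $KeepGroups -notcontains $_.Name })
    if ($remove.Count -gt 0) {
        Remove-ADPrincipalGroupMembership -Identity $adUser -MemberOf $remove -Confirm:$false
    }

    # Only accounts that are NOT on legal hold are moved to the Disabled OU.
    if ($LegalHold -contains $sam) {
        Write-Output "$sam is on legal hold; left in place"
    } else {
        # Move-ADObject needs a distinguished name or GUID, not a SamAccountName.
        Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $TargetOU
        Write-Output "$sam moved to $TargetOU"
    }
}
```

Adding `-WhatIf` to the state-changing cmdlets (`Set-ADUser`, `Disable-ADAccount`, `Add-ADGroupMember`, `Remove-ADPrincipalGroupMembership`, `Move-ADObject`) gives a dry run against the CSV before any account is changed.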