Please Help: Can't Get Move-ADObject to work

Hello,

Please help. The guys on this site have been awesome and I really appreciate all of your help, but I have 1 more issue. My script works almost perfectly, but I can’t get one thing to work, and that’s Move-ADObject. The script does everything I need it to except move the ADUser to the Disabled Users OU. Here’s my script.

Import-Module ActiveDirectory
$users= Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"

$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
$DisabledBy = Get-ADUser "$env:username" -properties Mail
$DisabledByEmail = $DisabledBy.Mail
$LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com' -Properties * | Select-object -Expand SamAccountName

$TargetOU = "ou=Disabled Users,dc=xxx,dc=com"

foreach ($user in $users)
{
$SamAccountName = $User.SamAccountName

  Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
  $ADgroups = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

  If ($LegalHoldUser -contains $User.SamAccountname)
{
  Remove-ADPrincipalGroupMembership -Identity $($User.SamAccountname) -MemberOf $ADgroups.SamAccountName -Confirm:$false

  Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

  Disable-ADAccount -Identity $($User.SamAccountname)
}
 else
{
  Remove-ADPrincipalGroupMembership -Identity $($User.SamAccountname) -MemberOf $ADgroups.SamAccountName -Confirm:$false

  Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

  Get-ADUser -Identity $User.SamAccountName | Move-ADObject -targetpath $TargetOU
 
  Disable-ADAccount -Identity $($User.SamAccountname)  
}

}

This is the error I’m getting:

The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
+ CategoryInfo : InvalidArgument: (CN=Adam Abston,…DC=xxx,DC=com:PSObject) [Move-ADObject], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
+ PSComputerName : GGPDC01

Looking at the -Identity Parameter, we can see that it does accept pipeline input (ByValue), but it does not appear to support SamAccountName. “or the input and its properties do not match any of the parameters that take pipeline input.”

Perhaps try either .DistinguishedName or .ObjectGUID

Get-ADUser $User.DistinguishedName | Move-ADObject -TargetPath $TargetOU

-Identity
Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.

Distinguished Name

Example: CN=saradavis,OU=users,OU=asia,DC=corp,DC=contoso,DC=com

GUID (objectGUID)

Example: 599c3d2e-f72d-4d20-8a88-030d99495f20

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

Derived types, such as the following are also accepted:

Microsoft.ActiveDirectory.Management.ADGroup

Microsoft.ActiveDirectory.Management.ADUser

Microsoft.ActiveDirectory.Management.ADComputer

Microsoft.ActiveDirectory.Management.ADServiceAccount

Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy

Microsoft.ActiveDirectory.Management.ADDomain

This example shows how to set this parameter to an ADObject object instance named "ADObjectInstance".

-Identity   $ADObjectInstance

Required?                    true
Position?                    1
Default value
Accept pipeline input?       True (ByValue)
Accept wildcard characters?  false

Hi Kaj,

Thanks for responding. I tried both the ObjectGUID and the .DistinguishedName, but I’m still getting the same error.

Hey Frederick,

There will be a lot here, but later today I can piece this all together in a nicer format.

I noticed when I ran the script the $User did not contain a value so I made this change to call upon the header in the csv.

I also ran into an error at Remove-ADPrincipalGroupMembership, “Cannot validate argument on parameter ‘MemberOf’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.”.

I have gotten around this previously by running a foreach loop with the group memberships. I have attached an example from another script I wrote last year.

[CmdletBinding()]

    Param (

        [Parameter(Mandatory=$True,
                   ValueFromPipeline=$True,
                   ValueFromPipelineByPropertyName=$True,
                   HelpMessage="Provide an Active Directory User.")]
                   
            [string]$Target,

        [Parameter(Mandatory=$True,
                   ValueFromPipeline=$True,
                   ValueFromPipelineByPropertyName=$True,
                   HelpMessage="Provide one or multiple Active Directory User(s).")]
            
            [string[]]$ADUser
        



    )

    Begin {
    
        Write-Verbose "Importing Module ActiveDirectory"
        Import-Module ActiveDirectory

        Write-Verbose "Preparing to export groups"
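        # Filter first, then keep only the DN string so Add-ADGroupMember can resolve each group
        $Export = Get-ADPrincipalGroupMembership -Identity $Target |
            Where-Object {$_.DistinguishedName -notlike '*Disabled*'} |
            Select-Object -ExpandProperty DistinguishedName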
        
    } 
    
    Process {
    
           ForEach ($User in $ADUser) {
                Write-Verbose "Preparing to purge $User of all ADGroups"
                Get-ADPrincipalGroupMembership -Identity $User | ?{$_.DistinguishedName -notlike '*Domain*'} | 
                % {Remove-ADPrincipalGroupMembership -Identity $User -MemberOf $_ -Confirm:$False}
           }

           ForEach ($Group in $Export) {
                Write-Verbose "Preparing to mirror $ADUser to $Target"
                Add-ADGroupMember $Group -Members $ADUser -Confirm:$False
           }
    
    } End {

        Write-Output "Purge Complete"

    }

My CSV:

Users
Test.user.101
Test.user.102

$users= Import-Csv -Path .\FR.csv

$DisabledDate = Get-Date
$LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
$DisabledBy = Get-ADUser "$env:username" -properties Mail
$DisabledByEmail = $DisabledBy.Mail
$LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com'

$TargetOU = "ou=Disabled Users,dc=xxx,dc=com"
foreach ($user in $users)
{
    $AdUser = Get-ADUser $User.Users

    Set-ADUser $AdUser -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
    $ADgroups = Get-ADPrincipalGroupMembership -Identity $AdUser | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

    # $LegalHoldUser holds ADUser objects here, so compare by SamAccountName
    If ($LegalHoldUser.SamAccountName -contains $AdUser.SamAccountName)
    {
        # -MemberOf rejects a null or empty value, so skip users with no other groups
        If ($ADgroups) { Remove-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $ADgroups.SamAccountName -Confirm:$false }

        #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser

        Disable-ADAccount -Identity $AdUser
    }
    else
    {
        If ($ADgroups) { Remove-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $ADgroups.SamAccountName -Confirm:$false }

        #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser

        Move-ADObject $AdUser -targetpath $TargetOU

        Disable-ADAccount -Identity $AdUser
    }
}

ok. Thanks. I really appreciate all your help. I have been trying to get this to work for weeks. I would love to see the nicer format you have. I’m new at powershell and I know my script is a mess.

Hello Frederick,

I had some time to go through and work the csv flow. Since the purpose of this is to use a CSV, from my tests I was able to produce the desired results.

Notations
I commented out “DisabledUsers” since I did not create that group in my AD Environment
A few additional items I would change:
The check for the “Active Directory” Module
Turn $LegalHoldOu, $TargetOU into parameters
Turn “Ticket Number” into a parameter
Add a Help File
Better Error Handling

This should get you off the ground running.

CSV:
Users

Test.user.101
Test.user.102
test.user.103

[cmdletbinding()]

    PARAM(

        [parameter( Mandatory=$True,
                    ValueFromPipeline=$False,
                    ValueFromPipelineByPropertyName=$False
                    )]

                [string]$Path,
                

                
                [switch]$LogErrors
                )

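BEGIN {

    Write-Debug $Path

    # Test-Path returns $false for a missing path instead of throwing,
    # so check its result rather than relying on Try/Catch
    If (-not (Test-Path -Path $Path)) {

        Write-Warning "Unable to locate $Path"
        Exit
        }

    Try {

        # Get-Module only lists modules already loaded and does not throw;
        # Import-Module raises an error when the module is not installed
        Import-Module ActiveDirectory -ErrorAction Stop
        }

    Catch {

        Write-Warning "Module is not currently installed"
        Exit
        }

}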

PROCESS {

    $Items = Import-csv $Path
    
    Foreach ($User in $Items) {

        Write-Debug $User

        $DisabledDate = Get-Date
        $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
        $DisabledBy = Get-ADUser "$env:USERNAME" -Properties Mail
        $DisabledByEmail = $DisabledBy.Mail
        $LegalHoldOU = "*ou=LegalHold,dc=xxx,dc=com*"
        $TargetOU =  "ou=Disabled Users,dc=xxx,dc=com"

        Write-Debug "OUTPUT:$DisabledDate,$LeaveDate,$DisabledBy,$DisabledByEmail,$LegalHoldOU"

        Try {

            Write-Debug $User

            $AdUser = Get-Aduser $User.Users

            Write-Debug $AdUser
            Write-Verbose "Attempting to Set $AdUser"

            Set-ADUser $AdUser -Description "Disabled by $DisabledBy on $DisabledDate per Ticket INC0065513"
            
            Write-Debug $AdUser.DistinguishedName

                If ($AdUser.DistinguishedName -like $LegalHoldOU) {
            
                    Write-Verbose "$AdUser found in $LegalHoldOU"
            
                    Get-ADPrincipalGroupMembership -Identity $AdUser | ?{$_.DistinguishedName -notlike '*Domain*'} | % {Remove-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $_ -Confirm:$False}
                    #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser
                    Write-Verbose "Attempting to Disable $AdUser"
                    Disable-ADAccount -Identity $AdUser
                    }

                else {

                    Write-Verbose "Non-Legalhold, preparing to remove memberships."
                    Get-ADPrincipalGroupMembership -Identity $AdUser | ?{$_.DistinguishedName -notlike '*Domain*'} | % {Remove-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $_ -Confirm:$False}
                    

                    #Add-ADGroupMember -Identity "DisabledUsers" -Members $AdUser

                    Write-Verbose "Attempting to move $AdUser"
                    Write-Debug "$TargetOU"
                    Write-Debug $AdUser.DistinguishedName
                    
                    Move-ADObject $AdUser -TargetPath $TargetOU

                    Write-Verbose "Attempting to Disable $AdUser"
                    Disable-ADAccount -Identity $AdUser
                    }

            }
        
        
        Catch {

            if ($LogErrors) {

                    $Logging = "$AdUser $(Get-Date) $_"
                    $Logging | Out-File C:\Users\$Env:UserName\Documents\ErrorLog.txt -Append
                    Write-Warning "Logged to C:\Users\$Env:UserName\Documents\ErrorLog.txt"
        
              }

        }

        }
        }

Output with -Verbose included
#Removed Company OU Information

VERBOSE: Attempting to Set CN=Test.User.101,“ou=LegalHold,dc=xxx,dc=com
VERBOSE: CN=Test.User.101,“ou=LegalHold,dc=xxx,dc=com” found in “ou=LegalHold,dc=xxx,dc=com
VERBOSE: Attempting to Disable CN=Test.User.101,OU=Sales,“ou=LegalHold,dc=xxx,dc=com
VERBOSE: Attempting to Set CN=Test.User.102,“ou=LegalHold,dc=xxx,dc=com
VERBOSE: CN=Test.User.102,“ou=LegalHold,dc=xxx,dc=com” found in “ou=LegalHold,dc=xxx,dc=com
VERBOSE: Attempting to Disable CN=Test.User.102,“ou=LegalHold,dc=xxx,dc=com
VERBOSE: Attempting to Set CN=Test.User.103,“ou=LegalHold,dc=xxx,dc=com
VERBOSE: CN=Test.User.103,“ou=LegalHold,dc=xxx,dc=com” found in “ou=LegalHold,dc=xxx,dc=com
VERBOSE: Attempting to Disable CN=Test.User.103,“ou=LegalHold,dc=xxx,dc=com

#Different OU from $LegalHoldOU

VERBOSE: Attempting to Set CN=Test.User.101,dc=xxx,dc=xxx
VERBOSE: Non-Legalhold, preparing to remove memberships.
VERBOSE: Attempting to move CN=Test.User.101,dc=xxx,dc=xxx
VERBOSE: Attempting to Disable CN=Test.User.101,OU=Sales,dc=xxx,dc=xxx
VERBOSE: Attempting to Set CN=Test.User.102,dc=xxx,dc=xxx
VERBOSE: Non-Legalhold, preparing to remove memberships.
VERBOSE: Attempting to move CN=Test.User.102,dc=xxx,dc=xxx
VERBOSE: Attempting to Disable CN=Test.User.102,dc=xxx,dc=xxx
VERBOSE: Attempting to Set CN=Test.User.103,dc=xxx,dc=xxx
VERBOSE: Non-Legalhold, preparing to remove memberships.
VERBOSE: Attempting to move CN=Test.User.103,dc=xxx,dc=xxx
VERBOSE: Attempting to Disable CN=Test.User.103,dc=xxx,dc=xxx

Hi Kaj,

With a few modifications, this works great. You have probably saved my job. Thanks again for all your help.

Normally something like this should work, unless get-aduser isn’t returning anything.

get-aduser myuser | move-adobject -targetpath $ou
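
A parameterised variant of the disable-and-move flow from this thread, added here as an example (not code from any poster); the function name Disable-DepartedUser, its parameters and the audit-record fields are hypothetical. It passes the user's ObjectGUID as a string to every -Identity, which avoids the pipeline-binding error quoted at the top of the thread (the PSObject type and PSComputerName line there suggest the cmdlets were running through a remoting session, where piped objects arrive deserialized) and stays valid after Move-ADObject changes the DN. It assumes the ActiveDirectory module is loaded and that the OU names are the redacted ones used in the thread.

```powershell
function Disable-DepartedUser {   # hypothetical name, not from the thread
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('Users')]                      # column header of the thread's CSV
        [string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$TargetOU,
        [Parameter(Mandatory = $true)][string]$LegalHoldOU,
        [Parameter(Mandatory = $true)][string]$Ticket,
        [string[]]$KeepGroups = @('Domain Users', 'DisabledUsers')
    )
    process {
        $row = [ordered]@{ User = $SamAccountName; OnLegalHold = $null; Groups = ''; Result = 'NOT RUN' }
        try {
            $u = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
            # A GUID string binds to -Identity even if $u is a deserialized object,
            # and it still resolves after the move has changed the DistinguishedName.
            $id = $u.ObjectGUID.ToString()
            $row.OnLegalHold = $u.DistinguishedName -like "*,$LegalHoldOU"
            $groups = @(Get-ADPrincipalGroupMembership -Identity $id -ErrorAction Stop |
                Where-Object { $KeepGroups -notcontains $_.Name })
            $row.Groups = $groups.Name -join ';'

            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable per $Ticket")) {
                # This example cuts access first and does the cleanup afterwards.
                Disable-ADAccount -Identity $id -ErrorAction Stop
                Set-ADUser -Identity $id -ErrorAction Stop -Description `
                    "Disabled by $env:USERNAME on $(Get-Date -Format s) per Ticket $Ticket"
                foreach ($g in $groups) {     # loop, so an empty list never reaches -MemberOf
                    Remove-ADPrincipalGroupMembership -Identity $id -MemberOf $g.DistinguishedName `
                        -Confirm:$false -ErrorAction Stop
                }
                if (-not $row.OnLegalHold) {  # legal-hold users stay in their OU
                    Move-ADObject -Identity $id -TargetPath $TargetOU -ErrorAction Stop
                }
                $row.Result = 'OK'
            }
        }
        catch { $row.Result = "FAILED: $_" }
        [pscustomobject]$row                  # one audit record per account, success or failure
    }
}

# Constructed sample input in the same one-column layout as the thread's CSV.
"Users`nTest.user.101`nTest.user.102" | ConvertFrom-Csv |
    Disable-DepartedUser -TargetOU 'ou=Disabled Users,dc=xxx,dc=com' `
        -LegalHoldOU 'ou=LegalHold,dc=xxx,dc=com' -Ticket 'INC0065513' -WhatIf
```

Drop -WhatIf to apply the changes; the output records can be piped to Export-Csv to keep an audit trail of which groups each account held when it was disabled.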