Today I’ve been asked to find all disabled user accounts in an OU named “Branch Offices”.
Next, we wanted to move those accounts to an OU named “Disabled Users”.
This turns out to be fairly simple with the Search-ADAccount and Move-ADObject cmdlets:

    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Branch Offices,DC=Company,DC=LAN" |
        Move-ADObject -TargetPath "OU=Disabled Users,DC=Company,DC=LAN"

But… what if the user objects are in an OU protected against accidental deletion? You’ll get an error:
So you could either use the GUI to remove this setting, move the users and then re-apply the setting… or you can script it:

    # To remove the protection
    Get-ADOrganizationalUnit -Filter "Name -eq 'Branch Offices'" -Properties ProtectedFromAccidentalDeletion |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False

    # To move the users
    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Branch Offices,DC=Company,DC=LAN" |
        Move-ADObject -TargetPath "OU=Disabled Users,DC=Company,DC=LAN"

    # To re-apply the protection
    Get-ADOrganizationalUnit -Filter "Name -eq 'Branch Offices'" -Properties ProtectedFromAccidentalDeletion |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True

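If the move step in the script above fails partway, the OU is left unprotected. The following is an added example, not the original author's code: it wraps the same three steps in try/finally so the protection is restored whenever it was set, and it supports -WhatIf for a dry run. The function name Move-DisabledUsers and its parameter names are hypothetical; the DNs are the ones used in the post.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (added example): same steps as the script above,
# but the OU protection is always put back, even if a move fails.
function Move-DisabledUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceOU,   # DN of the OU to search
        [Parameter(Mandatory)] [string] $TargetOU    # DN of the destination OU
    )

    # Remember the original state so the flag is only re-applied if it was set.
    $ou = Get-ADOrganizationalUnit -Identity $SourceOU -Properties ProtectedFromAccidentalDeletion
    $wasProtected = $ou.ProtectedFromAccidentalDeletion

    try {
        if ($wasProtected) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
        }

        Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SourceOU | ForEach-Object {
            $dn = $_.DistinguishedName
            try {
                Move-ADObject -Identity $dn -TargetPath $TargetOU -ErrorAction Stop
                [pscustomobject]@{ User = $dn; Status = 'Processed' }
            }
            catch {
                # Keep going with the remaining accounts; report the failure.
                [pscustomobject]@{ User = $dn; Status = "Failed: $($_.Exception.Message)" }
            }
        }
    }
    finally {
        # Runs on success, on error and on Ctrl+C.
        if ($wasProtected) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Dry run first: -WhatIf flows to the AD cmdlets, so nothing is changed.
Move-DisabledUsers -SourceOU 'OU=Branch Offices,DC=Company,DC=LAN' `
                   -TargetOU 'OU=Disabled Users,DC=Company,DC=LAN' -WhatIf
```

Remove -WhatIf once the dry-run output lists the accounts you expect, then confirm with Get-ADOrganizationalUnit that ProtectedFromAccidentalDeletion is back to True.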
thanks a lot, it’s working well
You’re welcome 🙂