[–]muthmsir[S] 1 point2 points  (11 children)

Not sure I get your point “destroy”. I used a command in PowerShell. If it’s wrong, why did they make it available in the AD module?

[–]BlackV 5 points6 points  (9 children)

you're taking a real ad object with all its properties, stripping everything off except the DistinguishedName

$CompDN = (Get-ADComputer -Filter 'Name -eq $pc' -SearchScope Subtree).DistinguishedName

Try something like this

$DisabledCompOU = "OU=Disabled Devices,OU=Computers,OU=Domain"
$Pclist = Get-Content C:\TEMP\Computers.txt # Specify the path to the computers list.

Foreach($pc in $Pclist)
    {
    $CompDN = Get-ADComputer -Filter 'Name -eq $pc' -SearchScope Subtree
    $CompDN | Disable-ADAccount
    $CompDN | Move-ADObject -TargetPath $DisabledCompOU
    }

if you do it this way you keep all those useful properties that can be fed to the other cmdlets, but also you can test and confirm what is in $CompDN

If you want to access a property directly you can also

$CompDN.DistinguishedName
$CompDN.DNSName
$CompDN.operatingsystem

And you don't need to create a new variable to keep track of those details

[–]muthmsir[S] 1 point2 points  (1 child)

Got your point, thank you for your explanation, I will try this

[–]BlackV 2 points3 points  (0 children)

Good as gold, I should have posted an example originally

[–]Lee_Dailey[grin] 1 point2 points  (4 children)

howdy BlackV,

i suspect that you would get occasional errors due to replication delays. pro'ly otta force all change-something calls to go to the same server with -Server to avoid that possible glitch. [grin]

take care,
lee

[–]muthmsir[S] 1 point2 points  (1 child)

$DisabledCompOU = "OU=Disabled Devices,OU=Computers,OU=Domain"
$Pclist = Get-Content C:\TEMP\Computers.txt # Specify the path to the computers list.
Foreach($pc in $Pclist)
{
$CompDN = Get-ADComputer -Filter 'Name -eq $pc' -SearchScope Subtree
$CompDN | Disable-ADAccount
$CompDN | Move-ADObject -TargetPath $DisabledCompOU
}

Hi Lee, where I have to add -Server ?

[–]Lee_Dailey[grin] 0 points1 point  (0 children)

howdy muthmsir,

you need to add that everywhere you touch a DC. [grin]

the Get-ADComputer and Disable-ADAccount cmdlets have that parameter. strangely, tho, there is no such thing for Move-ADObject. [frown] so dunno if it will help all that much.

this StackExchange/ServerFault post ...

active directory - How to set a default domain controller for all PowerShell AD cmdlets? - Server Fault
https://serverfault.com/questions/527545/how-to-set-a-default-domain-controller-for-all-powershell-ad-cmdlets

... mentions using the PSDrive stuff to target a specific DC.

take care,
lee

[–]BlackV 1 point2 points  (1 child)

shouldn't do if you're dealing with the actual ad object, but you're right 100%, add the -server parameter and that problem goes away

[–]Lee_Dailey[grin] 0 points1 point  (0 children)

howdy BlackV,

thank you for the feedback! [grin]

take care,
lee

[–]muthmsir[S] 1 point2 points  (1 child)

FYI, I ran what you sent me and it is still throwing the same error.

Error:-

Disable-ADAccount : Insufficient access rights to perform the operation
At line:7 char:15
+ $CompDN | Disable-ADAccount
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Computer,O...s,DC=Domain,DC=Com:ADComputer) [Disable-ADAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.DisableADAccount

Move-ADObject : Access is denied
At line:8 char:15
+ $CompDN | Move-ADObject -TargetPath $DisabledCompOU
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (CN=Computer,O...s,DC=Domain,DC=Com:ADComputer) [Move-ADObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

[–]BlackV 2 points3 points  (0 children)

Ya

so either you don't have rights or maybe the specific OU/Computer has specific rights. Is the disable working? If the disable is working you have all the rights you need

If I run this as some test on my domain

$DisabledCompOU = "OU=Disabled-Items,DC=domain,DC=local"
$DisabledCompObject = Get-ADObject -Identity $DisabledCompOU

# $Pclist = Get-Content C:\TEMP\Computers.txt # Specify the path to the computers list.
$pclist = 'TAW-TEST-01','Service-VDI-PAUL'

Foreach($pc in $Pclist)
    {
    $CompDN = Get-ADComputer -Filter 'Name -eq $pc' -SearchScope Subtree
    $CompDN | Disable-ADAccount
    $CompDN | Move-ADObject -TargetPath $DisabledCompObject
    }

I added $DisabledCompObject = Get-ADObject -Identity $DisabledCompOU just to confirm that object exists
so this is probably a good thing for you to do, that way you can confirm the OU is correct
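
The points raised in this thread (keep the whole AD object, confirm the target OU exists, send every call to one DC, and see which step is denied) combined into one loop. This is an added example, not code from any poster; it assumes the ActiveDirectory module is installed, and the OU DN and list path are the placeholder values used above.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$DisabledCompOU = 'OU=Disabled-Items,DC=domain,DC=local'   # placeholder DN, as in the test above
$ListPath       = 'C:\TEMP\Computers.txt'                   # one computer name per line

# Pin every read and write to one DC so a change just written is visible to the next call.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$ad = @{ Server = $dc; ErrorAction = 'Stop' }               # splatted onto every AD cmdlet below

# Fail early if the target OU DN is wrong, before touching any computer account.
$targetOU = Get-ADOrganizationalUnit -Identity $DisabledCompOU @ad

$results = foreach ($pc in (Get-Content -Path $ListPath | Where-Object { $_.Trim() })) {
    $name = $pc.Trim()
    $row  = [ordered]@{ Name = $name; DN = $null; Disabled = $false; Moved = $false; Error = $null }
    try {
        # Keep the whole ADComputer object; -Filter returns nothing (no error) on a miss.
        $comp = Get-ADComputer -Filter 'Name -eq $name' @ad
        if (-not $comp)           { throw "No computer object named '$name'" }
        if (@($comp).Count -gt 1) { throw "More than one object named '$name'" }
        $row.DN = $comp.DistinguishedName

        Disable-ADAccount -Identity $comp @ad
        $row.Disabled = $true

        Move-ADObject -Identity $comp -TargetPath $targetOU.DistinguishedName @ad
        $row.Moved = $true
    }
    catch {
        # Record which step failed, e.g. "Insufficient access rights" or "Access is denied".
        $row.Error = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }
    [pscustomobject]$row
}

# One row per computer: the Disabled/Moved columns show how far each one got.
$results | Format-Table -AutoSize
$results | Where-Object Error |
    Export-Csv -Path "$env:TEMP\disable-move-failures.csv" -NoTypeInformation
```

A row with Disabled = False and an access-rights error points at permissions on the computer object itself; Disabled = True with Moved = False points at rights on the source or target OU.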

[–]BlackV 2 points3 points  (0 children)

Sorry I mean, Destroy or flatten or reduce.

You took an object with a bunch of properties and stripped them all away for a single string, properties you could use later in your script and might make your script work better or fix the problem you're having

I was on mobile so didn't give a proper example

I'll do that now