OU-based user move script

I am looking for any script that reads each user's department attribute (for users under an OU and its sub-OUs) and moves the user into a different OU named after that department (the OU structure has already been created, with OU names identical to the department attribute values).

We have created OUs and sub-OUs whose names match the different department attribute values.

Please help if you have any ideas.


I have tried the script below. It works well, but not for sub-OUs. Could you make it work for sub-OUs as well? (Right now users under a sub-OU are neither found nor moved into the sub-OU, even when the sub-OU has been created with the department name.)

# Moves user accounts from the given root OU into sub-OUs by looking up the department attribute of the user object
# If the OU does not exist, it will be created (the regular-expression filter removes special characters)
Import-Module ActiveDirectory
$RootOU = "OU=Move,DC=testad,DC=com"
$LogFile = ".\ADS_MoveUsersToOU.txt"
$strFilter = "(&(objectCategory=User))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$RootOU"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "OneLevel"
# distinguishedName is loaded as well so that it can be logged below
$colProplist = "name", "department", "sAMAccountName", "cn", "distinguishedName"

Function Write-Log {
    [cmdletbinding()]
    Param(
        [Parameter(Position=0)]
        [ValidateNotNullOrEmpty()]
        [string]$Message
    )
    Write-Host $Message
    "$(Get-Date) $Message" | Out-File -FilePath $LogFile -Append
} #end function

foreach ($i in $colProplist) {
    # Add() returns the new index; discard it so it is not written to the pipeline
    $objSearcher.PropertiesToLoad.Add($i) | Out-Null
}

$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
    $objItem = $objResult.Properties
    # Each property is a value collection; cast to [string] to get the single value
    $strCompany = [string]$objItem.department   # the "company" variable holds the department attribute
    $strCN = [string]$objItem.cn
    $strName = [string]$objItem.name
    $strDistinguishedName = [string]$objItem.distinguishedname
    # Keep only letters, digits, underscore and space before the value is used to build a DN
    $strCompany = [System.Text.RegularExpressions.Regex]::Replace($strCompany, "[^0-9a-zA-Z_ ]", "")
    Write-Log "INFO User found         : $strName"
    Write-Log "INFO Department         : $strCompany"
    Write-Log "INFO Common Name (cn)   : $strCN"
    Write-Log "INFO Distinguished Name : $strDistinguishedName"
    if (!$strCompany) {
        Write-Log "WARNING No department found for user: $strName"
    }
    else {
        $fullOU = "OU=$strCompany,$RootOU"
        $OUExists = [ADSI]::Exists("LDAP://$fullOU")
        if ($OUExists) {
            Write-Log "INFO OU exists already: $fullOU"
        }
        else {
            Write-Log "INFO Creating new OU: $fullOU"
            $objDomain = [ADSI]"LDAP://$RootOU"
            $objOU = $objDomain.Create("OrganizationalUnit", "OU=$strCompany")
            try {
                $objOU.SetInfo()
            }
            catch {
                Write-Log "ERROR  Unable to set AD Info (Creating OU: $strCompany)"
                Write-Log "ERRMSG $($_.Exception.Message)"
                continue   # no target OU was created, so skip the move for this user
            }
        }
        try {
            Move-ADObject -Identity "CN=$strCN,$RootOU" -TargetPath "OU=$strCompany,$RootOU"
        }
        catch {
            Write-Log "ERROR  Unable to move user: CN=$strCN,$RootOU"
            Write-Log "ERRMSG $($_.Exception.Message)"
        }
    }
}

Answer 1

You need to make 3 changes:

First, change the SearchScope from OneLevel to Subtree.

Next, since you are now searching the subtree, you also need a check in the foreach loop so that the move is only attempted when the user's current location does not match $fullOU. Otherwise it will try to move every object to its current location, which will error and is inefficient.

Finally, you need to change the argument to Move-ADObject -Identity. Your current code assumes every object always sits directly in the root OU. When you search the subtree, that may not be the case. Use Move-ADObject -Identity $_.distinguishedName.
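The three changes above, applied to the asker's script, as an added example (this is not the asker's or the answerer's code). It assumes the ActiveDirectory module is available, uses the question's "OU=Move,DC=testad,DC=com" root OU as a placeholder to be replaced, and reads the DN from the loop variable ($user.DistinguishedName) rather than from $_ because the objects are iterated with foreach instead of a pipeline. It also supports -WhatIf so the planned OU creations and moves can be reviewed before anything in the directory is changed.

```powershell
# Added example: the original script with the answer's three changes applied.
# Assumptions: ActiveDirectory module present; $RootOU below is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$RootOU  = "OU=Move,DC=testad,DC=com",    # placeholder, replace with your root OU
    [string]$LogFile = ".\ADS_MoveUsersToOU.txt"
)
Import-Module ActiveDirectory

function Write-Log {
    param([Parameter(Position = 0)][ValidateNotNullOrEmpty()][string]$Message)
    Write-Host $Message
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# Change 1: search the whole subtree under the root OU, not only its first level.
$users = Get-ADUser -SearchBase $RootOU -SearchScope Subtree -Filter * `
             -Properties department, distinguishedName

foreach ($user in $users) {
    # Keep only characters that are safe inside an RDN, so a department value
    # cannot add extra RDN components (e.g. a comma) to the DN being built.
    $dept = [regex]::Replace([string]$user.department, '[^0-9a-zA-Z_ ]', '').Trim()
    if (-not $dept) {
        Write-Log "WARNING No department set for user: $($user.SamAccountName)"
        continue
    }

    $targetOU = "OU=$dept,$RootOU"
    # Change 2: derive the user's current container from its own DN by dropping
    # everything up to the first comma that is not escaped with a backslash,
    # and skip the move when the user is already where it belongs.
    $currentOU = $user.DistinguishedName -replace '^.+?(?<!\\),', ''
    if ($currentOU -ieq $targetOU) {
        Write-Log "INFO $($user.SamAccountName) is already in $targetOU"
        continue
    }

    if (-not [ADSI]::Exists("LDAP://$targetOU")) {
        if ($PSCmdlet.ShouldProcess($targetOU, "Create OU")) {
            try {
                New-ADOrganizationalUnit -Name $dept -Path $RootOU
                Write-Log "INFO Created OU: $targetOU"
            }
            catch {
                Write-Log "ERROR Unable to create OU $targetOU : $($_.Exception.Message)"
                continue
            }
        }
    }

    # Change 3: identify the object by its distinguishedName instead of "CN=...,$RootOU".
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $targetOU")) {
        try {
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOU
            Write-Log "INFO Moved $($user.DistinguishedName) -> $targetOU"
        }
        catch {
            Write-Log "ERROR Unable to move $($user.DistinguishedName): $($_.Exception.Message)"
        }
    }
}
```

Run it first as `.\Move-UsersByDepartment.ps1 -WhatIf` (any file name works) to get a dry-run listing of the OUs that would be created and the users that would be moved; the department whitelist and the ShouldProcess gates are what keep a mistyped or unexpected attribute value from creating or moving objects somewhere other than the intended department OU.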
