Wednesday, September 8, 2010

PowerShell Script - Move Computers to the Correct OU

I'm not sure if this is a problem for many other organizations, however we have had a problem with "Domain Admin Bloat". Simply put we have over the course of many projects and many years ended up with many people in the Domain Admin group that don't have any need to be in there. One of these reasons was that we had problems with delegation of privileges (probably because we had too many Domain Admins).

I got this idea from Dan Holme's book Windows Administration Resource Kit: Productivity Solutions for IT Professionals. We delegated the proper permissions to the single OU, moved all the computers to the appropriate OU and now execute this script on a schedule. This has completely fixed our computer account permission problems.
A little setup our systems are named [W,V,L,M]##### so for this to work you will need to do the same or modify the script. Also in AD our computers go into the appropriate OU under the Workstations OU and this is where the delegation starts.

This should give some ideas on how to move or even some additional ideas on how to help manage AD with PowerShell.
Import-Module ActiveDirectory

$Domain = [ADSI]""
[string]$DomainName = $Domain.DistinguishedName

$NewComputers = Get-ADComputer -filter {Name -like "M*" -or Name -like "V*" -or Name -like "W*" -or Name -like "L*"} -SearchBase "OU=NewComputers,$DomainName"

ForEach ($Computer in $NewComputers){
    $Number = [string]$Computer.Name.Substring(1)
    $SubNum = $Number.Substring(0,1)
    If ($SubNum -eq (0) -or $SubNum -eq (1) -or $SubNum -eq (2) -or $SubNum -eq (3) -or $SubNum -eq (4) -or $SubNum -eq (5) `
        -or $SubNum -eq (6) -or $SubNum -eq (7) -or $SubNum -eq (8) -or $SubNum -eq (9)){
        [int]$Number = $Number
    $MemberType = $Number.GetType()
    If ($MemberType.Name -eq "Int32") {
        $Prefix = [string]$Computer.Name.Substring(0,1)
        write-host $Computer.Name, $Number, $Prefix
        Switch ($Prefix)
                M {Move-ADObject $Computer -TargetPath "OU=MobileDevices,OU=Workstations,$DomainName"}
                L {Move-ADObject $Computer -TargetPath "OU=Laptops,OU=Workstations,$DomainName"}
                V {Move-ADObject $Computer -TargetPath "OU=VirtualDesktops,OU=Workstations,$DomainName"}
                W {Move-ADObject $Computer -TargetPath "OU=Desktops,OU=Workstations,$DomainName"}
    Remove-Variable Number


  1. How about putting all your valid integers into an array, and using the -contains operator to check if $SubNum is inside of it?

    $ValidNums = @(0,1,2,3,4,5,6,7,8,9)
    if ($ValidNums -contains $SubNum)

    Trevor Sullivan

  2. Great idea - honestly I didn't think about doing it that way. I think I'll make the adjustments to my script running here!

  3. Many people will choose to hire a laptop for their business needs this year. They know that buying a laptop is not always cost-effective for their business.