Moving AD objects

Another new cmdlet in the 1.0.4 pack is Move-QADObject which allows you to move AD objects: users, groups, computers, OUs within the current domain.

The syntax is pretty easy:

Move-QADObject -Identity object-to-move -NewParentContainer target

Identity is the default parameter so you can skip the switch. You can supply almost anything as the parameter as long is it can identify the object in a unique fashion: samAccountName, DN, canonical name, domain\user, UPN, SID, GUID, etc.

The -NewParentContainer switch has a handy alias -to. The actual parameter is again pretty much anything unique enough. In my opinion DN or canonical name would make sense in most cases.

And the best of that all: the cmdlet accepts pipeline.

Here’s a bunch of examples of how this all works:

# Move a user
Move-QADObject dsotnikov -to qsft.local/employees/cto

# Move by location
Get-QADUser -City London | Move-QADObject -to qsft.local/employees/london

# Move all disabled account
Get-QADUser -Disabled | Move-QADObject -to qsft.local/disabled_accounts

# Use csv: first row is "object,target",
# then each column has comma-separated object and container identities

Import-CSV c:\tomove.csv | ForEach { Move-QADObject $_.object -to $_.target }

# Move groups, computers, etc.
Move-QADObject qsft\researchers -to qsft.local/groups

Get-QADComputer ny* | Move-QADObject -to qsft.local/ny/computers

# Move OU (with all objects and subcontainers)
Move-QADObject qsft.local/users/london -to qsft.local/employees/eu/uk

So next time you have to completely reconfigure your AD domain you know what to do, right?😉

Dmitry

My Recent Tweets

Set API visibility in your Developer Portal: public, hidden, internal-only, partner-access and so on buff.ly/2cR5CZ2 #WSO2 18 hours ago

There are multiple layers at which you can set throttling to APIs: API, REST resource, backend, application: buff.ly/2cWTJFi #WSO2 1 day ago

RT @sanjiva: WSO2 API Cloud can get into your backend in many ways. twitter.com/dsotnikov/stat… 2 days ago

@maxbeard12 We also have Puppet scripts. :) Seriously though, just download the zip, drop it on a box or VM with JVM, and start it. Easy. :) 2 days ago

All the ways to connect & secure API gateway to backend: reverse proxy, VPN, IP whitelisting, mutual SSL, auth buff.ly/2cvXJcn #WSO2 2 days ago

13 Responses to “Moving AD objects”

Feed for this Entry Trackback Address

1 Don February 18, 2008 at 6:47 pm

Does this need to be ran from a Domain Controller or can I run it from my XP box with the 2003 Admin Pack installed?

2 dmitrysotnikov February 18, 2008 at 7:52 pm

Any workstation which has PowerShell and AD cmdlets [http://www.quest.com/activeroles_server/arms.aspx] installed

3 Jeff May 15, 2008 at 5:31 pm

When I try to import a computer name and DN from a csv file and then use the move-qadobject as in your example above, I get the error: ‘$’ was not followed by a valid variable name character. Consider using ${} to delimit… Any idea what I am doing wrong?

4 dmitrysotnikov May 15, 2008 at 7:53 pm

Jeff,

It is very hard to tell what is going wrong without seeing the CSV and the command you are using.

Could you post both of them to the AD PowerShell discussion forum: http://www.powergui.org/forum.jspa?forumID=173

Dmitry

5 Jeff May 15, 2008 at 9:46 pm

Thanks, just figured it out though!

6 Mike June 12, 2008 at 2:12 pm

Has anyone had a problem with using Move-QADObject -to ‘domain.local/test-ou/sub ou with spaces’

when i try to run the full command
Get-QADUser -Disabled | Move-QADObject -to ‘domain.local/test-ou/sub ou with spaces’

it returns
Move-QADObject : Cannot resolve DN for the given identity: domain.local/test-ou/sub ou with spaces’

seems weird that it wouldn’t let me go that deep then again I could very well be doing this wrong.

7 dmitrysotnikov June 12, 2008 at 2:17 pm

Mike,

Cannot test it right now, but a few suggestions:

1. Complain to the AD cmdlets forum: http://powergui.org/forum.jspa?forumID=173 – the team is normally there and eager to help troubleshoot issues.

2. Try using a DN instead of the canonical name.

Dmitry

8 Mike June 12, 2008 at 2:57 pm

That worked better (the DN rather than the CN) thanks for the fast response!

9 zerocamber November 11, 2008 at 8:52 pm

how to i specify computer accounts only. i get ambigous argument when i run this script.

10 zerocamber November 11, 2008 at 9:59 pm

I found it would move user account that had the same names when I didn’t specify the container. I came up with this instead. I’m very new to PowerShell so I might have done something wrong.. here it is.

Import-CSV c:\temp\filename.csv | ForEach $_ { Get-QADComputer $_.’computers’ | Move-QADObject -to ‘canonical=domain/../…’}

I suggest running …’ -whatif} for your testing.

This might be over kill until I figure PS out

11 Dmitry Sotnikov November 12, 2008 at 10:11 am

zerocamber,

Yep, using Get-QADComputer is a good approach when you need to limit the scope to computers only.

In the future I would highly recommend posting such questions to the PowerShell AD forum at: http://powergui.org/forum.jspa?forumID=173 – there are a lot of smart guys hanging out there and eager to help.

Dmitry

12 Jordi May 20, 2010 at 7:43 am

There is also a “low-tech” solution using the dsmod command. E.g. to move mail contacts:

get-mailcontact | % { dsmove $_.DistinguishedName -newparent “OU=Contacts,OU=Admin,OU=Mail,DC=yourdomain” }

13 Jordi May 20, 2010 at 7:46 am

As you can see from the sample the right command is dsmove, not dsmod (which just modifies attributes). Sorry for the mistake…

M	T	W	T	F	S	S
« Jul				Sep »
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Dmitry's Blog: Cloud, PowerShell and beyond