Another new cmdlet in the 1.0.4 pack is Move-QADObject, which allows you to move AD objects (users, groups, computers, OUs) within the current domain.
The syntax is pretty easy:
Move-QADObject -Identity object-to-move -NewParentContainer target
Identity is the default parameter, so you can skip the switch. You can supply almost anything as the parameter as long as it identifies the object uniquely: samAccountName, DN, canonical name, domain\user, UPN, SID, GUID, etc.
The -NewParentContainer switch has a handy alias, -to. The actual parameter is again pretty much anything unique enough. In my opinion DN or canonical name would make sense in most cases.
And best of all: the cmdlet accepts pipeline input.
Here’s a bunch of examples of how this all works:
# Move a user
Move-QADObject dsotnikov -to qsft.local/employees/cto
# Move by location
Get-QADUser -City London | Move-QADObject -to qsft.local/employees/london
# Move all disabled accounts
Get-QADUser -Disabled | Move-QADObject -to qsft.local/disabled_accounts
# Use csv: first row is "object,target",
# then each row has comma-separated object and container identities
Import-CSV c:\tomove.csv | ForEach { Move-QADObject $_.object -to $_.target }
# Move groups, computers, etc.
Move-QADObject qsft\researchers -to qsft.local/groups
Get-QADComputer ny* | Move-QADObject -to qsft.local/ny/computers
# Move OU (with all objects and subcontainers)
Move-QADObject qsft.local/users/london -to qsft.local/employees/eu/uk
So next time you have to completely reconfigure your AD domain you know what to do, right? 😉
Dmitry
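The CSV one-liner above can be wrapped so that every move is dry-run and recorded first, which matters because moving an object changes which GPOs and delegated permissions apply to it. This is an added example, not code from the original post; it assumes the Quest snap-in is loaded, and the function name Move-FromCsv, the -Commit switch and the report path are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Quest AD cmdlets are
# installed and that the CSV uses the "object,target" header shown above.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Type-specific lookups keep a user and a computer with the same name apart.
$lookup = @{ user = 'Get-QADUser'; computer = 'Get-QADComputer'; group = 'Get-QADGroup' }

function Move-FromCsv {   # hypothetical helper name
    param(
        [string]$Path = 'c:\tomove.csv',
        [ValidateSet('user', 'computer', 'group')][string]$Type = 'user',
        [switch]$Commit   # hypothetical switch: without it every move runs with -WhatIf
    )
    $dryRun = -not $Commit
    $cmd = $lookup[$Type]
    foreach ($row in Import-Csv $Path) {
        $result = 'Skipped'; $from = $null; $to = $row.target
        try {
            $obj = @(& $cmd -Identity $row.object -ErrorAction Stop)
            $ou  = @(Get-QADObject -Identity $row.target -ErrorAction Stop)
            # Refuse to guess: exactly one source object and one target container.
            if ($obj.Count -eq 1 -and $ou.Count -eq 1) {
                $from = $obj[0].DN; $to = $ou[0].DN
                # Pass DNs to the move so the target is resolved unambiguously.
                Move-QADObject -Identity $from -NewParentContainer $to `
                    -WhatIf:$dryRun -ErrorAction Stop | Out-Null
                $result = $(if ($dryRun) { 'WhatIf' } else { 'Moved' })
            }
        } catch {
            Write-Warning "Row '$($row.object)' -> '$($row.target)' failed: $_"
            $result = 'Failed'
        }
        # One record per CSV row, whatever the outcome.
        New-Object PSObject -Property @{
            Object = $row.object; From = $from; To = $to; Result = $result
        }
    }
}

# Dry run first and keep the record (constructed report path), then repeat
# with -Commit once the report looks right.
Move-FromCsv -Type computer | Export-Csv c:\tomove-report.csv -NoTypeInformation
```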
Does this need to be run from a Domain Controller or can I run it from my XP box with the 2003 Admin Pack installed?
Any workstation which has PowerShell and AD cmdlets [http://www.quest.com/activeroles_server/arms.aspx] installed
When I try to import a computer name and DN from a csv file and then use the move-qadobject as in your example above, I get the error: ‘$’ was not followed by a valid variable name character. Consider using ${} to delimit… Any idea what I am doing wrong?
Jeff,
It is very hard to tell what is going wrong without seeing the CSV and the command you are using.
Could you post both of them to the AD PowerShell discussion forum: http://www.powergui.org/forum.jspa?forumID=173
Dmitry
Thanks, just figured it out though!
Has anyone had a problem with using Move-QADObject -to ‘domain.local/test-ou/sub ou with spaces’?
When I try to run the full command
Get-QADUser -Disabled | Move-QADObject -to ‘domain.local/test-ou/sub ou with spaces’
it returns
Move-QADObject : Cannot resolve DN for the given identity: domain.local/test-ou/sub ou with spaces’
Seems weird that it wouldn’t let me go that deep; then again, I could very well be doing this wrong.
Mike,
Cannot test it right now, but a few suggestions:
1. Complain to the AD cmdlets forum: http://powergui.org/forum.jspa?forumID=173 – the team is normally there and eager to help troubleshoot issues.
2. Try using a DN instead of the canonical name.
Dmitry
That worked better (the DN rather than the CN). Thanks for the fast response!
How do I specify computer accounts only? I get ambiguous argument when I run this script.
I found it would move user accounts that had the same names when I didn’t specify the container. I came up with this instead. I’m very new to PowerShell so I might have done something wrong. Here it is.
Import-CSV c:\temp\filename.csv | ForEach $_ { Get-QADComputer $_.’computers’ | Move-QADObject -to ‘canonical=domain/../…’}
I suggest running …’ -whatif} for your testing.
This might be overkill until I figure PS out.
zerocamber,
Yep, using Get-QADComputer is a good approach when you need to limit the scope to computers only.
In the future I would highly recommend posting such questions to the PowerShell AD forum at: http://powergui.org/forum.jspa?forumID=173 – there are a lot of smart guys hanging out there and eager to help.
Dmitry
There is also a “low-tech” solution using the dsmod command. E.g. to move mail contacts:
get-mailcontact | % { dsmove $_.DistinguishedName -newparent “OU=Contacts,OU=Admin,OU=Mail,DC=yourdomain” }
As you can see from the sample the right command is dsmove, not dsmod (which just modifies attributes). Sorry for the mistake…