Moving AD objects

Another new cmdlet in the 1.0.4 pack is Move-QADObject which allows you to move AD objects: users, groups, computers, OUs within the current domain.

The syntax is pretty easy:

Move-QADObject -Identity object-to-move -NewParentContainer target

Identity is the default parameter so you can skip the switch. You can supply almost anything as the parameter as long is it can identify the object in a unique fashion: samAccountName, DN, canonical name, domain\user, UPN, SID, GUID, etc.

The -NewParentContainer switch has a handy alias -to. The actual parameter is again pretty much anything unique enough. In my opinion DN or canonical name would make sense in most cases.

And the best of that all: the cmdlet accepts pipeline.

Here’s a bunch of examples of how this all works:

# Move a user
Move-QADObject dsotnikov -to qsft.local/employees/cto

# Move by location
Get-QADUser -City London | Move-QADObject -to qsft.local/employees/london

# Move all disabled account
Get-QADUser -Disabled | Move-QADObject -to qsft.local/disabled_accounts

# Use csv: first row is "object,target",
# then each column has comma-separated object and container identities

Import-CSV c:\tomove.csv | ForEach { Move-QADObject $_.object -to $_.target }

# Move groups, computers, etc.
Move-QADObject qsft\researchers -to qsft.local/groups

Get-QADComputer ny* | Move-QADObject -to qsft.local/ny/computers

# Move OU (with all objects and subcontainers)
Move-QADObject qsft.local/users/london -to qsft.local/employees/eu/uk

So next time you have to completely reconfigure your AD domain you know what to do, right? 😉

Dmitry

My Recent Tweets

I will be presenting at the Incidence Response Planning webinar / live Q&A this coming Thursday, August 4. See you… twitter.com/i/web/status/1… 1 month ago

@JazonTWong @apisecurityio And also the attacker had to test their membership hypothesis for a specific group. Ther… twitter.com/i/web/status/1… 1 year ago

@JazonTWong @apisecurityio They made it lower because the attacker needs to be connected to the victim. However, st… twitter.com/i/web/status/1… 1 year ago

@hakluke apisecurity.io by @apisecurityio 1 year ago

@TheMarkONeill The ToC part of the web page definitely needs some fixing ;) Great report, Mark! (As always) Thanks for sharing! 1 year ago

13 Responses to “Moving AD objects”

Feed for this Entry Trackback Address

1 Don February 18, 2008 at 6:47 pm

Does this need to be ran from a Domain Controller or can I run it from my XP box with the 2003 Admin Pack installed?

2 dmitrysotnikov February 18, 2008 at 7:52 pm

Any workstation which has PowerShell and AD cmdlets [http://www.quest.com/activeroles_server/arms.aspx] installed

3 Jeff May 15, 2008 at 5:31 pm

When I try to import a computer name and DN from a csv file and then use the move-qadobject as in your example above, I get the error: ‘$’ was not followed by a valid variable name character. Consider using ${} to delimit… Any idea what I am doing wrong?

4 dmitrysotnikov May 15, 2008 at 7:53 pm

Jeff,

It is very hard to tell what is going wrong without seeing the CSV and the command you are using.

Could you post both of them to the AD PowerShell discussion forum: http://www.powergui.org/forum.jspa?forumID=173

Dmitry

5 Jeff May 15, 2008 at 9:46 pm

Thanks, just figured it out though!

6 Mike June 12, 2008 at 2:12 pm

Has anyone had a problem with using Move-QADObject -to ‘domain.local/test-ou/sub ou with spaces’

when i try to run the full command
Get-QADUser -Disabled | Move-QADObject -to ‘domain.local/test-ou/sub ou with spaces’

it returns
Move-QADObject : Cannot resolve DN for the given identity: domain.local/test-ou/sub ou with spaces’

seems weird that it wouldn’t let me go that deep then again I could very well be doing this wrong.

7 dmitrysotnikov June 12, 2008 at 2:17 pm

Mike,

Cannot test it right now, but a few suggestions:

1. Complain to the AD cmdlets forum: http://powergui.org/forum.jspa?forumID=173 – the team is normally there and eager to help troubleshoot issues.

2. Try using a DN instead of the canonical name.

Dmitry

8 Mike June 12, 2008 at 2:57 pm

That worked better (the DN rather than the CN) thanks for the fast response!

9 zerocamber November 11, 2008 at 8:52 pm

how to i specify computer accounts only. i get ambigous argument when i run this script.

10 zerocamber November 11, 2008 at 9:59 pm

I found it would move user account that had the same names when I didn’t specify the container. I came up with this instead. I’m very new to PowerShell so I might have done something wrong.. here it is.

Import-CSV c:\temp\filename.csv | ForEach $_ { Get-QADComputer $_.’computers’ | Move-QADObject -to ‘canonical=domain/../…’}

I suggest running …’ -whatif} for your testing.

This might be over kill until I figure PS out

11 Dmitry Sotnikov November 12, 2008 at 10:11 am

zerocamber,

Yep, using Get-QADComputer is a good approach when you need to limit the scope to computers only.

In the future I would highly recommend posting such questions to the PowerShell AD forum at: http://powergui.org/forum.jspa?forumID=173 – there are a lot of smart guys hanging out there and eager to help.

Dmitry

12 Jordi May 20, 2010 at 7:43 am

There is also a “low-tech” solution using the dsmod command. E.g. to move mail contacts:

get-mailcontact | % { dsmove $_.DistinguishedName -newparent “OU=Contacts,OU=Admin,OU=Mail,DC=yourdomain” }

13 Jordi May 20, 2010 at 7:46 am

As you can see from the sample the right command is dsmove, not dsmod (which just modifies attributes). Sorry for the mistake…

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Dmitry's Blog: Cloud, PowerShell and beyond