Today I’ve been asked to find all disabled user accounts in an OU named “Branch Offices”.
Next, we wanted to move those accounts to an OU named “Disabled Users”.
It seems this is fairly simple by using the Search-ADAccount and Move-ADObject cmdlets:
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Branch Offices, DC=Company,DC=LAN" | Move-ADObject -TargetPath "OU=Disabled Users, DC=Company,DC=LAN"
But… what if the user objects are in an OU protected against accidental deletion? You’ll get an error.
So you could either use the GUI to remove this setting, move the users and then re-apply the setting… or you can script it:
# To remove the protection
Get-ADOrganizationalUnit -Filter "Name -eq 'Branch Offices'" -Properties ProtectedFromAccidentalDeletion | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False
# To move the users
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Branch Offices, DC=Company,DC=LAN" | Move-ADObject -TargetPath "OU=Disabled Users, DC=Company,DC=LAN"
# To re-apply the protection
Get-ADOrganizationalUnit -Filter "Name -eq 'Branch Offices'" -Properties ProtectedFromAccidentalDeletion | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True
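
If the move step throws, the three commands above leave the OU unprotected. The following is an added example, not part of the original post: it wraps the same cmdlets in try/finally so the protection flag is restored whatever happens. The function name Move-DisabledUsers is hypothetical, and the OUs are the ones from the post, written without the space after the comma.

```powershell
#Requires -Modules ActiveDirectory
# Added example: same cmdlets as the post, with the protection flag restored in 'finally'.
# Move-DisabledUsers is a hypothetical name; the default DNs are the OUs used in the post.
function Move-DisabledUsers {
    [CmdletBinding()]
    param(
        [string]$SourceOU = 'OU=Branch Offices,DC=Company,DC=LAN',
        [string]$TargetOU = 'OU=Disabled Users,DC=Company,DC=LAN'
    )

    # Remember the current state so we only re-protect an OU that was protected before.
    $ou = Get-ADOrganizationalUnit -Identity $SourceOU -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    $wasProtected = $ou.ProtectedFromAccidentalDeletion
    $moved = @()

    try {
        if ($wasProtected) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false -ErrorAction Stop
        }

        # Move each disabled user individually so one failure does not stop the rest.
        $moved = foreach ($user in Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SourceOU) {
            try {
                Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
                $user.SamAccountName   # emitted only when the move succeeded
            }
            catch {
                Write-Warning "Could not move $($user.SamAccountName): $($_.Exception.Message)"
            }
        }
    }
    finally {
        # Runs on success, on error and on Ctrl+C: put the protection back.
        if ($wasProtected) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
    }

    # Return the accounts that were moved, for the change record.
    $moved
}

# Example call, using the defaults from the post:
# Move-DisabledUsers | Out-File .\moved-disabled-users.txt
```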