
Active Directory Automation: move by IP/Operating System

I am looking to move systems based on IP and Operating system to correct a very disorganised OU structure for 5000+ machines.

I am currently looking at a way of combining the two PowerShell scripts listed below to be able to perform a move of Linux Ubuntu, Windows 7, Windows 10, and Mac OS.

One being the following, used to parse the IP addresses to the correct OU; it was written for Windows 7 only.

PowerShell
################################################################################ 
# PowerShell routine to move Windows 7 Computers into OU structure based on IP # 
################################################################################ 
 
# Requires Active Directory 2008 R2 and the PowerShell ActiveDirectory module 
 
##################### 
# Environment Setup # 
##################### 
 
# Add the Active Directory PowerShell module 
Import-Module ActiveDirectory 
 
# Set the threshold for an "old" computer which will be moved to the Disabled OU 
$old = (Get-Date).AddDays(-60) # Modify the -60 to match your threshold  
 
# Set the threshold for a "very old" computer which will be deleted 
$veryold = (Get-Date).AddDays(-90) # Modify the -90 to match your threshold  
 
 
############################## 
# Set the Location IP ranges # 
############################## 
 
# One anchored regex per /24; the last octet is restricted to 0-255. The regex is matched against the 
# string form of every address DNS returns for the host, so IPv6 addresses never match a site. 
$Site1IPRange = '^192\.168\.1\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' # 192.168.1.0/24 
$Site2IPRange = '^192\.168\.2\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' # 192.168.2.0/24 
$Site3IPRange = '^192\.168\.3\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' # 192.168.3.0/24 
 
######################## 
# Set the Location OUs # 
######################## 
 
# Disabled OU 
$DisabledDN = "OU=Disabled,DC=yourdomain,DC=com" 
 
# OU Locations 
$Site1DN = "OU=Site1,DC=yourdomain,DC=com" 
$Site2DN = "OU=Site2,DC=yourdomain,DC=com" 
$Site3DN = "OU=Site3,DC=yourdomain,DC=com" 
 
############### 
# The process # 
############### 
 
# Query Active Directory for Computers running Windows 7 (Any version) and move the objects to the correct OU based on IP 
Get-ADComputer -Filter { OperatingSystem -like "Windows 7*" } -Properties PasswordLastSet | ForEach-Object { 
 
    # Set variables for Name and current OU 
    $ComputerName = $_.Name 
    $ComputerDN = $_.DistinguishedName 
    $ComputerPasswordLastSet = $_.PasswordLastSet 
    # The current container is the DN without its leading RDN; the regex honours escaped commas in the name 
    $ComputerContainer = $ComputerDN -replace '^CN=.*?(?<!\\),', '' 
 
    # An account that has never set its password has no PasswordLastSet; $null compares as "less than" 
    # any date, so without this check such an object would be deleted below 
    if ($null -eq $ComputerPasswordLastSet) { 
        Write-Warning "$ComputerName has no PasswordLastSet, skipping" 
        return 
    } 
 
    # If the computer is more than 90 days off the network, remove the computer object and stop here; 
    # falling through would try to move an object that no longer exists. 
    # Remove-ADObject prompts per object unless -Confirm:$false is passed; rehearse with -WhatIf first. 
    if ($ComputerPasswordLastSet -le $veryold) {  
        Remove-ADObject -Identity $ComputerDN 
        return 
    } 
 
    # If it is an "old" computer account, move it to the Disabled OU and stop here; 
    # after the move $ComputerDN is stale and a second Move-ADObject on it would fail 
    if ($ComputerPasswordLastSet -le $old) {  
        Move-ADObject -Identity $ComputerDN -TargetPath $DisabledDN 
        return 
    } 
 
    # Query DNS for the IP. A failed lookup leaves $IP empty and skips the computer, so a 
    # stale value from the previous iteration can never select the subnet 
    $IP = $null 
    try { 
        $IP = [System.Net.Dns]::GetHostAddresses($ComputerName) 
    } catch [System.Net.Sockets.SocketException] { 
        Write-Warning "DNS lookup failed for $ComputerName, skipping" 
        return 
    } 
 
    # Use the IP to determine the computer's destination network location 
    if ($IP -match $Site1IPRange) { 
        $DestinationDN = $Site1DN 
    } 
    ElseIf ($IP -match $Site2IPRange) { 
        $DestinationDN = $Site2DN 
    } 
    ElseIf ($IP -match $Site3IPRange) { 
        $DestinationDN = $Site3DN 
    } 
    Else { 
        # If the subnet does not match we should not move the computer, so we do nothing 
        return 
    } 
 
    # Move the Computer object to the appropriate OU, unless it is already there 
    if ($ComputerContainer -ne $DestinationDN) { 
        Move-ADObject -Identity $ComputerDN -TargetPath $DestinationDN 
    } 
}
And the second being the operating system.

Windows Shell Script
### This command will move all Windows 7 computers to the OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab OU. 
### operatingSystemVersion is stored as e.g. "6.1 (7601)", so the filter needs a trailing wildcard, 
### and -limit 0 lifts dsquery's default cap of 100 results. Note that Windows Server 2008 R2 is also 6.1. 
dsquery * CN=Computers,DC=santhosh,DC=lab -limit 0 -filter "(&(objectClass=computer)(objectCategory=computer)(operatingSystemVersion=6.1*))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab 
  
### This command will move all Windows XP computers to the OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab OU. 
  
dsquery * CN=Computers,DC=santhosh,DC=lab -limit 0 -filter "(&(objectClass=computer)(objectCategory=computer)(operatingSystemVersion=5.1*))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab 
How can I join the two so it will parse the correct operating system into the correct OU structure based on IP?

Comments:
  • Can I slim this down to ignore older systems and just select IP ranges and any that do not have an IP remain untouched? - larryclevengerjr 6 years ago

Answers (1)

Posted by: rrosal 6 years ago
Hello,

I modified your code to look for all Windows systems; if the computer has a match with your site IP range it will move the system to the site OU. If there is no site IP match it will look at whether the OS version is 6.1 (Win7) or 5.1 (XP) and move it to the version OU. I have also cleaned up your code a little. Review it and see if that helps you out.

#CODE:
<#
.SYNOPSIS
    PowerShell routine to move Windows Computers into an OU structure based on IP,
    falling back to an OU per OS version when the IP matches no site.
    Requires Active Directory 2008 R2 and the PowerShell ActiveDirectory module 
 
.DESCRIPTION
    Very old accounts are deleted, old accounts are moved to the Disabled OU, the rest
    are placed by site subnet, and those on no known subnet by OS version.

.NOTES
    Rehearse with -WhatIf on Remove-ADObject and Move-ADObject before a live run.

#>
##################### 
# Environment Setup # 
##################### 
 
#Add the Active Directory PowerShell module 
Import-Module ActiveDirectory 
 
#Set the threshold for an "old" computer which will be moved to the Disabled OU 
$old = (Get-Date).AddDays(-60) # Modify the -60 to match your threshold  
 
#Set the threshold for a "very old" computer which will be deleted 
$veryold = (Get-Date).AddDays(-90) # Modify the -90 to match your threshold  
 
 
############################## 
# Set the Location IP ranges # 
##############################

# One anchored regex per /24; the last octet is restricted to 0-255 
$Site1IPRange = '^192\.168\.1\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' # 192.168.1.0/24 
$Site2IPRange = '^192\.168\.2\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' # 192.168.2.0/24 
$Site3IPRange = '^192\.168\.3\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' # 192.168.3.0/24 
 
######################## 
# Set the Location OUs # 
######################## 
 
# Disabled OU 
$DisabledDN = "OU=Disabled,DC=yourdomain,DC=com" 
 
# OU Locations 
$Site1DN = "OU=Site1,DC=yourdomain,DC=com" 
$Site2DN = "OU=Site2,DC=yourdomain,DC=com" 
$Site3DN = "OU=Site3,DC=yourdomain,DC=com" 
# OS version OUs (same domain as the site OUs; the dsquery sample used DC=santhosh,DC=lab) 
$Win7OU  = "OU=Win7,OU=ComputerAccounts,DC=yourdomain,DC=com"
$WinXPOU = "OU=WinXP,OU=ComputerAccounts,DC=yourdomain,DC=com"
 
############### 
# The process # 
############### 

# Query Active Directory for Computers running Windows (Any version); request only the attributes used 
Get-ADComputer -Filter { OperatingSystem -like "Windows*" } -Properties PasswordLastSet, OperatingSystemVersion | ForEach-Object { 
 
    # Set variables for Name and current OU 
    $ComputerName = $_.Name 
    $ComputerDN = $_.DistinguishedName 
    $ComputerPasswordLastSet = $_.PasswordLastSet 
    $ComputerContainer = $ComputerDN -replace '^CN=.*?(?<!\\),', ''
    $ComputerOperatingSystemVersion = $_.OperatingSystemVersion
    # Reset per computer so a destination from the previous iteration is never reused 
    $DestinationDN = $ComputerContainer
    $IPMatch = $false

    # No PasswordLastSet means the account never set one; do not treat it as "very old" 
    if ($null -eq $ComputerPasswordLastSet) { return } 
 
    # If the computer is more than 90 days off the network, remove the computer object and stop 
    if ($ComputerPasswordLastSet -le $veryold) {  
        Remove-ADObject -Identity $ComputerDN 
        return 
    } 
 
    # Check to see if it is an "old" computer account, move it to the Disabled OU and stop 
    if ($ComputerPasswordLastSet -le $old) {  
        Move-ADObject -Identity $ComputerDN -TargetPath $DisabledDN 
        return 
    } 
 
    # Query DNS for IP; a failed lookup skips the computer 
    $IP = $null 
    try { 
        $IP = [System.Net.Dns]::GetHostAddresses($ComputerName) 
    } catch [System.Net.Sockets.SocketException] { 
        return 
    } 
 
    # Use the IP to determine the computer's destination network location. 
    # Switching on $true evaluates each script-block case once; break stops at the first match. 
    # (A quoted "Default" case only matches the literal string "Default"; the keyword is unquoted.) 
    switch ($true) {
        { $IP -match $Site1IPRange } {
            $DestinationDN = $Site1DN
            $IPMatch = $true
            break
        }
        { $IP -match $Site2IPRange } {
            $DestinationDN = $Site2DN
            $IPMatch = $true
            break
        }
        { $IP -match $Site3IPRange } {
            $DestinationDN = $Site3DN
            $IPMatch = $true
            break
        }
        default {
            $DestinationDN = $ComputerContainer
        }
    }

    # If no site matched, use the OS version OU instead. 
    # OperatingSystemVersion looks like "6.1 (7601)", so anchor the match at the start. 
    if (-not $IPMatch) {
        switch -Regex ($ComputerOperatingSystemVersion) {
            '^6\.1\b' {
                $DestinationDN = $Win7OU
                break
            }
            '^5\.1\b' {
                $DestinationDN = $WinXPOU
                break
            }
            default {
                $DestinationDN = $ComputerContainer
            }
        }
    }
 
    # Move the Computer object to the appropriate OU, unless it is already there 
    if ($ComputerContainer -ne $DestinationDN) { 
        Move-ADObject -Identity $ComputerDN -TargetPath $DestinationDN 
    }
}

Comments:
  • Thanks so much, that gets me closer to what I need, but I still need a way to search for the OS and IP and then parse the folders I am building; for instance, the OU will look something like this.

    So I would need to say: if Win10 and IP building 1, go to Win10-Desktops\Corp Location 1\Building 1.

    All of our desktops and laptops follow the same nomenclature, starting with D for desktop and L for laptop, so I think that will help to push to the correct head OU.

    Domain.com
    -------Workstations
    ------------------Disabled-Workstations
    ------------------Win10-Desktops
    -----------------------Corp Location 1
    ----------------------------Building 1
    ----------------------------Building 2
    ----------------------------Building 3
    ------------------Win7-Desktops
    -----------------------Corp Location 1
    ----------------------------Building 1
    ----------------------------Building 2
    ----------------------------Building 3
    ------------------Mac-Desktops
    -----------------------Corp Location 1
    ----------------------------Building 1
    ----------------------------Building 2
    ----------------------------Building 3
    ------------------Linux-Desktops
    -----------------------Corp Location 1
    ----------------------------Building 1
    ----------------------------Building 2
    ----------------------------Building 3
    ------------------Win10-Laptops
    -----------------------Corp Location 1
    ----------------------------Building 1
    ----------------------------Building 2
    ----------------------------Building 3 - larryclevengerjr 6 years ago
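
The OU tree in the comment above, together with the earlier comment asking for a version that only uses IP ranges and leaves hosts without an IP untouched, as an added example that is not part of the original thread or either poster's code. It resolves the target OU from the operatingSystem attribute (OS family), the D/L name prefix (Desktops/Laptops) and the IPv4 subnet (Location/Building), compares it with the object's current container, and moves only when they differ. It never deletes anything, runs as a dry run against embedded sample data unless -RunAgainstAD is given, and honours -WhatIf. The domain DN, the subnet-to-building table and the sample computers are assumptions, not values from the page; the subnet test is proper CIDR arithmetic rather than a regex, so it generalises to prefixes other than /24.

```powershell
# Added example, not from the original post or the answer. ASSUMPTIONS: the domain DN,
# the $Buildings table and the $Sample computers are placeholders for the poster's environment.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $DomainDN = 'DC=domain,DC=com',
    [switch] $RunAgainstAD          # omit to dry-run against the embedded sample data
)

$WorkstationsDN = "OU=Workstations,$DomainDN"

# Assumed subnet table; one row per building, any prefix length.
$Buildings = @(
    @{ Cidr = '192.168.1.0/24'; Location = 'Corp Location 1'; Building = 'Building 1' }
    @{ Cidr = '192.168.2.0/24'; Location = 'Corp Location 1'; Building = 'Building 2' }
    @{ Cidr = '192.168.3.0/24'; Location = 'Corp Location 1'; Building = 'Building 3' }
)

function ConvertTo-IPv4Number {
    # Network-order bytes -> Int64, so a prefix comparison is plain integer arithmetic.
    param([System.Net.IPAddress] $Address)
    $n = [int64]0
    foreach ($octet in $Address.GetAddressBytes()) { $n = $n * 256 + $octet }
    return $n
}

function Test-IPv4InCidr {
    # True when $Address lies inside $Cidr (e.g. '192.168.2.0/24'); IPv6 addresses never match.
    param([System.Net.IPAddress] $Address, [string] $Cidr)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $network, $prefix = $Cidr -split '/'
    $shift = 32 - [int]$prefix
    $net = (ConvertTo-IPv4Number ([ipaddress]$network)) -shr $shift
    $ip  = (ConvertTo-IPv4Number $Address) -shr $shift
    return ($net -eq $ip)
}

function Resolve-WorkstationOU {
    # Returns the DN the computer belongs in, or $null when it must be left alone.
    param([string] $Name, [string] $OperatingSystem, [System.Net.IPAddress[]] $Addresses)
    $family = $null
    switch -Wildcard ($OperatingSystem) {
        'Windows 10*' { $family = 'Win10'; break }
        'Windows 7*'  { $family = 'Win7';  break }
        'Mac*'        { $family = 'Mac';   break }
        'Ubuntu*'     { $family = 'Linux'; break }
        '*Linux*'     { $family = 'Linux'; break }
    }
    $form = $null
    if ($Name -match '^D') { $form = 'Desktops' } elseif ($Name -match '^L') { $form = 'Laptops' }
    if (-not $family -or -not $form) { return $null }        # unknown OS or naming: untouched
    foreach ($addr in $Addresses) {
        foreach ($b in $Buildings) {
            if (Test-IPv4InCidr -Address $addr -Cidr $b.Cidr) {
                return "OU=$($b.Building),OU=$($b.Location),OU=$family-$form,$WorkstationsDN"
            }
        }
    }
    return $null                                            # no listed subnet: untouched
}

function Get-PlannedMoves {
    # One record per computer whose current container differs from the resolved OU.
    param([object[]] $Computers)
    foreach ($c in $Computers) {
        if (-not $c.Addresses) { continue }                  # no IP: untouched
        $target = Resolve-WorkstationOU -Name $c.Name -OperatingSystem $c.OperatingSystem -Addresses $c.Addresses
        if (-not $target) { continue }
        $current = $c.DistinguishedName -replace '^CN=.*?(?<!\\),', ''   # strip the RDN, honouring escaped commas
        if ($current -eq $target) { continue }
        [pscustomobject]@{ Name = $c.Name; DN = $c.DistinguishedName; From = $current; To = $target }
    }
}

# Constructed sample input standing in for Get-ADComputer output.
$Sample = @(
    [pscustomobject]@{ Name = 'D-0001'; OperatingSystem = 'Windows 10 Enterprise'; DistinguishedName = 'CN=D-0001,CN=Computers,DC=domain,DC=com'; Addresses = @([ipaddress]'192.168.2.17') }
    [pscustomobject]@{ Name = 'L-0002'; OperatingSystem = 'Windows 10 Pro'; DistinguishedName = 'CN=L-0002,OU=Building 1,OU=Corp Location 1,OU=Win10-Laptops,OU=Workstations,DC=domain,DC=com'; Addresses = @([ipaddress]'192.168.1.5') }
    [pscustomobject]@{ Name = 'D-0003'; OperatingSystem = 'Mac OS X'; DistinguishedName = 'CN=D-0003,CN=Computers,DC=domain,DC=com'; Addresses = @([ipaddress]'fe80::1', [ipaddress]'192.168.3.9') }
    [pscustomobject]@{ Name = 'D-0004'; OperatingSystem = 'Windows 7 Professional'; DistinguishedName = 'CN=D-0004,CN=Computers,DC=domain,DC=com'; Addresses = @() }
    [pscustomobject]@{ Name = 'SRV01';  OperatingSystem = 'Windows Server 2016 Standard'; DistinguishedName = 'CN=SRV01,CN=Computers,DC=domain,DC=com'; Addresses = @([ipaddress]'192.168.1.50') }
)

if ($RunAgainstAD) {
    Import-Module ActiveDirectory -ErrorAction Stop
    # Look up the FQDN from AD rather than the short name: an unqualified lookup can fall back to
    # LLMNR/NetBIOS, which anyone on the segment can answer, and a forged answer would steer the move.
    $Computers = Get-ADComputer -SearchBase $DomainDN -Filter * -Properties OperatingSystem, DNSHostName | ForEach-Object {
        $addrs = @()
        if ($_.DNSHostName) {
            try { $addrs = [System.Net.Dns]::GetHostAddresses($_.DNSHostName) } catch { $addrs = @() }
        }
        [pscustomobject]@{ Name = $_.Name; OperatingSystem = $_.OperatingSystem; DistinguishedName = $_.DistinguishedName; Addresses = $addrs }
    }
} else {
    $Computers = $Sample
}

foreach ($move in Get-PlannedMoves -Computers $Computers) {
    if ($RunAgainstAD) {
        if ($PSCmdlet.ShouldProcess($move.DN, "Move to $($move.To)")) {
            Move-ADObject -Identity $move.DN -TargetPath $move.To
        }
    } else {
        '{0}: {1} -> {2}' -f $move.Name, $move.From, $move.To
    }
}
```

Run it with no arguments to see the plan for the sample data (D-0001 to Building 2 under Win10-Desktops, D-0003 to Building 3 under Mac-Desktops; L-0002 is already in place, D-0004 has no IP and SRV01 has no D/L prefix, so all three are skipped). Against the directory, run `-RunAgainstAD -WhatIf` first, then without -WhatIf. The target OU must already exist; Move-ADObject fails rather than creating it, which is the safer default, and because moving an object changes which GPOs apply to it, the plan output is worth reviewing before the live run.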
 