AD Migration with powershell and fun for all.

AD migration and Powershell more fun than…


In the Beginning

We did not so much decide to change our Active Directory (AD) structure as get placed in a position where we would have been stupid not to. Our HR/payroll system wanted to go paperless, and for that every employee needed an AD logon. Our logons were built from first initial + last name + a number from 1 to 10, so there was no reliable way to map from the HR/payroll system to AD and back. We opted to change everyone's logon to their employee number, a value the HR system generates and already holds for every employee.

HR needed the new logons created and everyone converted in about 30 days, so we did it in two phases. First we created a new employee-number logon for everyone. Then we went OU by OU, deleting the new employee-number logon and renaming the user's old logon to match. Renaming the existing account instead of moving people onto the new one meant we never had to create new profiles. We used a third-party self-service web page to let end users reset their own password, because the HR software would not work if we set the account to change its password at first logon. (Accounts whose password went unchanged were disabled; we really had to push to get that one approved.)

The following is the PowerShell script we used to create all the HR accounts needed. It uses the Quest ActiveRoles cmdlets (Get-QADUser, New-QADUser and friends) against a CSV exported from HR. Two things to be aware of before reusing it: the initial password is the employee number plus the CSV's password column, so it is only as unpredictable as that column, and the script appends each new account's initial password in clear text to h:\notexist.txt, so that file has to be locked down and deleted once the accounts have been claimed.


$userimport = Import-Csv h:\csv.csv          # one row per employee from the HR export
$OUroot = 'xxxx.com/OU/'                      # canonical-name path the department OUs live under

foreach ($i in $userimport)
{
    # Built once up front so every log line below can use it, including the OU error
    # path (the original only set it after the OU check, so that path logged a blank).
    $displayname = ("ESS-" + (Get-Culture).TextInfo.ToTitleCase($i.lastname) + ", " + (Get-Culture).TextInfo.ToTitleCase($i.firstname))

    $testuserexist = (Get-QADUser -SamAccountName $i.samaccountname)
    if ($testuserexist)
    {
        "Found " + $i.samaccountname
        Add-Content h:\exist.txt ("The Account Already exists : " + $i.samaccountname + "," + $i.lastname)
    }
    Else
    {
        "Not Found"

        # Create the department OU if it is missing. Get-QADObject -Name searches the whole
        # domain, so a same-named OU anywhere in it will satisfy this check.
        $testouexist = (Get-QADObject -Name $i.department -Type organizationalUnit)
        if (-not $testouexist)
        {
            Try {
                "No OU"
                New-QADObject -ParentContainer $OUroot.TrimEnd('/') -Type 'organizationalUnit' -Name $i.department
            }
            Catch [System.Exception] {
                $fullerror = ($displayname + "," + $i.title + "," + $i.phonenumber + "," + $i.samaccountname)
                Add-Content h:\error.log $error
                Add-Content h:\error.log $fullerror
            }
            Finally {
                $error.clear()
            }
        }

        $OUlocation = ($OUroot + $i.department)
        # Initial password is employee number + the CSV password column; the user is
        # expected to change it through the self-service reset page.
        $password = ($i.samaccountname + $i.password)
        Try {
            # Employee numbers are numeric: "0 + <string>" throws for anything else, so a
            # bad samaccountname value lands in the Catch before any account is created.
            0 + $i.samaccountname | Out-Null
            New-QADUser -Name $displayname -SamAccountName $i.samaccountname -ParentContainer $OUlocation -UserPassword $password
            Get-QADUser -SamAccountName $i.samaccountname | Set-QADUser -Company $i.Company `
                -Department $i.department -DisplayName $displayname `
                -LastName $i.lastname -SamAccountName $i.samaccountname `
                -UserPrincipalName ($i.samaccountname + "@Selfregional.org")
        }
        Catch [System.Exception] {
            $fullerror = ($displayname + "," + $i.title + "," + $i.phonenumber + "," + $i.samaccountname)
            Add-Content h:\error.log $error
            Add-Content h:\error.log $fullerror
        }
        Finally {
            $error.clear()
        }

        Try {
            Enable-QADUser -Identity $i.samaccountname
            "User Name : " + $i.samaccountname
            # Records the initial password in clear text; protect this file and purge it
            # once the accounts have been claimed.
            Add-Content h:\notexist.txt ("The Account has been Created : " + $i.samaccountname + "," + $i.lastname + "," + $password)
        }
        Catch [System.Exception] {
            $fullerror = ($displayname + "," + $i.title + "," + $i.phonenumber + "," + $i.samaccountname)
            Add-Content h:\error.log $error
            Add-Content h:\error.log $fullerror
        }
        Finally {
            $error.clear()
        }
    }
}
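The second phase described above, going OU by OU and replacing the temporary employee-number logon with the user's existing account, is not shown on the page. The script below is an added example and is not the blog's own code. It assumes the same Quest ActiveRoles cmdlets, a constructed CSV h:\convert.csv with the columns OldSamAccountName,EmployeeNumber, and the placeholder domain xxxx.com; the parked name prefix "x-", the Finance OU, the log path and the -DryRun switch are all choices made for the example. It sequences the work so that nothing is deleted until the rename has succeeded, and it refuses to delete a temporary account that has picked up group memberships, since those rights would otherwise vanish with it.

```powershell
# Added example for the OU-by-OU conversion; not the blog's script. Assumes the Quest
# ActiveRoles cmdlets, a constructed CSV h:\convert.csv (OldSamAccountName,EmployeeNumber)
# and the xxxx.com placeholder domain. -DryRun reports what would happen without changes.
param(
    [string]$CsvPath   = 'h:\convert.csv',
    [string]$TargetOU  = 'xxxx.com/OU/Finance',   # convert one department OU per run
    [string]$UpnSuffix = '@xxxx.com',
    [string]$LogPath   = 'h:\convert.log',
    [switch]$DryRun
)

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    $line                                   # echo to the console
    Add-Content $LogPath $line              # and keep a record for rollback
}

# Index only the accounts that live in this OU so nothing outside it is touched.
$inScope = @{}
Get-QADUser -SearchRoot $TargetOU -SearchScope OneLevel -SizeLimit 0 |
    ForEach-Object { $inScope[$_.SamAccountName.ToLower()] = $_ }

foreach ($r in Import-Csv $CsvPath) {
    $oldSam = $r.OldSamAccountName.Trim()
    $emp    = $r.EmployeeNumber.Trim()

    # Same sanity check the creation script relies on: employee numbers are numeric.
    if ($emp -notmatch '^\d+$') { Write-Log "SKIP $oldSam : employee number '$emp' is not numeric"; continue }

    $old = $inScope[$oldSam.ToLower()]
    if (-not $old) { continue }             # not in the OU being converted this run

    $tmp = Get-QADUser -SamAccountName $emp -IncludedProperties memberOf
    if (-not $tmp) { Write-Log "SKIP $oldSam : no temporary account $emp to replace"; continue }

    # Refuse to delete a temporary account that acquired anything beyond the defaults.
    # Domain Users is the primary group and does not appear in memberOf, so any entry
    # here is a right somebody granted to the temporary logon.
    if (@($tmp.MemberOf).Count -gt 0) {
        Write-Log "SKIP $oldSam : temporary account $emp is a member of $(@($tmp.MemberOf) -join ';')"
        continue
    }

    if ($DryRun) { Write-Log "WOULD convert $oldSam -> $emp and remove $($tmp.DN)"; continue }

    try {
        # 1. Park the temporary logon under a name nobody uses so the employee number is
        #    free. Nothing is deleted yet; a failure at step 2 leaves both accounts intact.
        $parked = "x-" + $emp
        Set-QADUser -Identity $tmp.DN -SamAccountName $parked -UserPrincipalName ($parked + $UpnSuffix) | Out-Null

        # 2. Give the user's existing account (profile, groups, mailbox) the new logon.
        Set-QADUser -Identity $old.DN -SamAccountName $emp -UserPrincipalName ($emp + $UpnSuffix) | Out-Null

        # 3. Only now remove the parked temporary account. The log line keeps the old
        #    logon and UPN so the change can be reversed by hand if needed.
        Remove-QADObject -Identity $tmp.DN -Force | Out-Null
        Write-Log "OK $oldSam -> $emp (old UPN $($old.UserPrincipalName)); removed $($tmp.DN)"
    }
    catch {
        Write-Log "ERROR $oldSam -> $emp : $($_.Exception.Message)"
    }
}
```

Run it once with -DryRun against each OU and read the SKIP lines before running it for real; a temporary account with group memberships usually means the HR system or a helpdesk ticket already granted something against the new logon, and that needs to be moved to the old account before the temporary one goes.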

The life and times of an Active Directory Logon Migration

This blog is going to be about an Active Directory migration project changing about 2000 users from a name-based logon to an employee-number-based logon. Here are all the changes:

  • Change user name to employee number
  • Create new ad structure based on department structure
  • Automate logon creation based on output from HR system
  • Automate ad structure based on output from HR system
  • Automate logon terminations based on output from HR system
  • complete logon information with accurate phone, department, office, address, name, and
  • Migrate users to new 2008 R2 based home folder system using DFS, VSS, and DFS replication
  • Clean home folders of all exe’s and PST files
  • Move all non-employee logons out of the employee OU
  • Automate the creation and disabling of non-employee accounts
  • Disable and eventually delete all non-active logons
  • Automate cleanup of home drives, and email accounts when an account is deleted.

The environment is a 2003 domain, and our tools will be Hyena, the Windows Active Directory tools, and PowerShell.

Oh, and all of this has to happen with little to no downtime, and without confusing our end users.
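The list above includes automating terminations from the HR output and disabling, then eventually deleting, accounts that are no longer active. The script below is an added example of how those two steps fit together and is not the blog's own code. It assumes the Quest ActiveRoles cmdlets used elsewhere on this page, a constructed HR export h:\hr_active.csv with an EmployeeNumber column listing every active employee, an employee OU and a disabled-accounts OU under the xxxx.com placeholder, a 30-day grace period, and a "HRTERM" marker in the description attribute; all of those are choices made for the example. The two checks a practitioner wants here are built in: an empty HR feed aborts instead of disabling everyone, and the deletion pass only touches accounts this script disabled itself.

```powershell
# Added example for the HR-driven termination steps; not the blog's script. Assumes the
# Quest ActiveRoles cmdlets, a constructed HR export h:\hr_active.csv (EmployeeNumber
# column), and employee / disabled OUs under the xxxx.com placeholder. -DryRun changes nothing.
param(
    [string]$HrCsv        = 'h:\hr_active.csv',
    [string]$EmployeeOU   = 'xxxx.com/OU',
    [string]$DisabledOU   = 'xxxx.com/Disabled',
    [int]$GraceDays       = 30,
    [int]$MaxDisablePct   = 5,      # abort if the feed would disable more than this share
    [switch]$DryRun
)
$tag   = 'HRTERM'                   # marker written into description so pass 2 finds only its own work
$today = Get-Date

# Active employee numbers from HR. A missing or empty feed must never disable everyone.
$active = @{}
Import-Csv $HrCsv | ForEach-Object { if ($_.EmployeeNumber -match '^\d+$') { $active[$_.EmployeeNumber] = $true } }
if ($active.Count -eq 0) { throw "HR export $HrCsv contains no employee numbers; refusing to run" }

# Pass 1: enabled employee-number accounts under the employee OU that HR no longer lists.
# Non-numeric logons (vendors, service accounts) are not HR's to terminate and are skipped.
$users = @(Get-QADUser -SearchRoot $EmployeeOU -SearchScope Subtree -SizeLimit 0 -Enabled)
$gone  = @($users | Where-Object { $_.SamAccountName -match '^\d+$' -and -not $active.ContainsKey($_.SamAccountName) })
if ($users.Count -gt 0 -and ($gone.Count * 100 / $users.Count) -gt $MaxDisablePct) {
    throw "$($gone.Count) of $($users.Count) accounts would be disabled; check the HR export before continuing"
}
foreach ($u in $gone) {
    # Prepend the tag and date so the original description survives for the helpdesk.
    $stamp = "$tag $($today.ToString('yyyy-MM-dd')) $($u.Description)"
    if ($DryRun) { "WOULD disable $($u.SamAccountName) ($($u.DisplayName))"; continue }
    Disable-QADUser -Identity $u.DN | Out-Null
    Set-QADUser    -Identity $u.DN -Description $stamp | Out-Null
    Move-QADObject -Identity $u.DN -NewParentContainer $DisabledOU | Out-Null
    "Disabled $($u.SamAccountName); stamped '$stamp'"
}

# Pass 2: delete what this script disabled more than $GraceDays ago. Accounts disabled by
# hand (no tag) are left alone, and anyone back in the HR feed is flagged, not deleted.
foreach ($u in @(Get-QADUser -SearchRoot $DisabledOU -SearchScope OneLevel -SizeLimit 0 -Disabled)) {
    if ($u.Description -notmatch "^$tag (\d{4}-\d{2}-\d{2})") { continue }
    if ($active.ContainsKey($u.SamAccountName)) { "REHIRED $($u.SamAccountName): re-enable by hand"; continue }
    $disabledOn = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd', $null)
    if (($today - $disabledOn).Days -lt $GraceDays) { continue }
    if ($DryRun) { "WOULD delete $($u.SamAccountName) (disabled $($matches[1]))"; continue }
    Remove-QADObject -Identity $u.DN -Force | Out-Null
    "Deleted $($u.SamAccountName) (disabled $($matches[1]))"
}
```

The deletion in pass 2 is the natural place to hook the home-drive and mailbox cleanup from the last bullet, since the account's SamAccountName is still known at that point; once the object is gone, the only record of the mapping is whatever this script logged.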