Wednesday, November 12, 2014

Powershell: Test Domain Controller Certificates

When replacing Domain Controller certificates for Active Directory with a valid 3rd party certificate I use this script to quickly test my domain and all my domain controllers directly to make sure they are serving out the certificate.

### -----------------------------------------------------------------
### Written by Matt Brown
###
### Description: This Grabs a list of all the Domain Controllers and tries to connect to them via SSL over Port 636
###
### -----------------------------------------------------------------

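# Hosts to probe over LDAPS (TCP 636): each domain controller by name, plus the
# domain name itself.
$DCList = @(
"dc1.domain.com",
"dc2.domain.com",
"dc3.domain.com",
"dc4.domain.com",
"domain.com"
)

# NOTE(review): a green result only shows that an LDAPS connection to the host
# worked from this client. It does not show WHICH certificate was presented, so
# after a certificate replacement also compare the served certificate's issuer,
# thumbprint and expiry with the one you installed.
# NOTE(review): the check relies on $Connection.Path being empty when the bind
# fails; confirm that against a host without LDAPS before trusting the output.
$DCList | foreach {
 $DC = $_
 # Reset per host. Without this, an exception in the try block leaves the value
 # from the previous (working) host in place and the failing host is reported
 # as correctly configured.
 $Connection = $null
 $LDAPS = $null
 try {
  $LDAPS = [ADSI]"LDAP://$($DC):636"
  $Connection = [adsi]($LDAPS)
 } Catch {
  # Keep the reason available (run with -Verbose) instead of discarding it.
  Write-Verbose ("LDAPS test for " + $DC + " raised: " + $_.Exception.Message)
 }
 if ($Connection.Path) {
  Write-Host "Active Directory server correctly configured for SSL, test connection to $($LDAPS.Path) completed." -foregroundcolor Green
 } else {
  Write-Host "Active Directory server not configured for SSL, test connection to LDAP://$($DC):636 did not work." -ForegroundColor Yellow
 }
}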

Monday, November 10, 2014

PowerShell: Add Computer to Domain directly to OU

Here's a PowerShell script that adds a computer to the Domain in a specific OU (Organizational Unit) and lets you select the OU location. I did not use the AD modules as they are not pre-installed on most desktops, even though it would have been much easier to write with them.
### -----------------------------------------------------------------
### Written by Matt Brown
### - http://universitytechnology.blogspot.com/
### PowerShell script to search OU Structure and add computer to domain
###
### -----------------------------------------------------------------

# Script parameters. Every value has a default, so the script can be run with
# no arguments; the defaults are placeholders that must be edited for the
# target domain.
Param(
 # Credential used for the directory searches and for add-computer. The default
 # prompts interactively, pre-filling "domain\user" as the user name.
 $user = $(Get-Credential -Credential "domain\user"),
 # LDAP filter that restricts search results to organizational units. Do not change.
 $filter = "(objectClass=organizationalUnit)",
 # ADsPath of the OU where browsing starts (the spelling of the parameter name
 # is part of the script's interface and is used as-is further down).
 $ouLocatoin = "LDAP://OU=Departments,DC=domain,DC=com",
 # FQDN of the domain the computer is joined to.
 $mydomain = "domain.com",
 # Passed as the last argument to add-computer in the main loop; change to ""
 # to actually run.
 # NOTE(review): PowerShell binds a string variable as a positional value, not
 # as the -WhatIf switch - confirm the dry run behaves as intended.
 $whatif = "-WhatIf"
)

#--------------------------------------------------------------------
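Function GetSecurePass ($SecurePassword) {
  # Returns the plain-text content of a SecureString.
  #
  # Parameters:
  #   $SecurePassword - the SecureString to decrypt (for example the Password
  #                     property of a credential object).
  # Returns: the password as an ordinary string.
  #
  # The unmanaged copy is zeroed and freed in a finally block so it is released
  # even when the string conversion throws. The returned managed string cannot
  # be wiped, so callers should keep it only as long as the API that needs a
  # plain-text password requires and never write it to a log or transcript.
  $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($SecurePassword)
  try {
    [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
  } finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
  }
}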
#--------------------------------------------------------------------
Function AddTabs($mystring,[int]$numtabs=5) {
 # Pads $mystring with trailing tab characters so that menu columns line up.
 #
 # Parameters:
 #   $mystring - the text to pad.
 #   $numtabs  - target width in tab stops (default 5).
 # Returns: $mystring with tabs appended.
 #
 # The width already used is estimated as length / 8.9, converted to an
 # integer; one tab is appended for every stop still missing.
 [int]$stopsUsed = ([string]$mystring).Length / 8.9
 while ($stopsUsed -lt $numtabs) {
  $mystring += "`t"
  $stopsUsed++
 }
 $mystring
}
#--------------------------------------------------------------------
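Function SelectOU($dn,$up) {
 # Interactive OU browser: lists the OUs directly below $dn and lets the user
 # pick one, descend into one, go up a level, or cancel.
 #
 # Parameters:
 #   $dn - ADsPath (LDAP://...) of the OU whose children are listed.
 #   $up - ADsPath used when the user chooses "L0" (up a level).
 # Reads from script scope: $user (credential) and $filter (LDAP filter).
 # Returns: the chosen OU's distinguished name, or $false when the user
 #          cancels. List-mode choices recurse and pass the result through.

 Clear-Host
 Write-Host "### -----------------------------------------------------------------" -ForegroundColor Green
 Write-Host "### Select OU and Add Computer to Domain                             " -ForegroundColor Green
 Write-Host "### Written by Matt Brown                                            " -ForegroundColor Green
 Write-Host "###  - http://universitytechnology.blogspot.com/                     " -ForegroundColor Green
 Write-Host "### PowerShell v.2 (Windows 7 / Server 2008 R2)                      " -ForegroundColor Green
 Write-Host "### -----------------------------------------------------------------" -ForegroundColor Green
 Write-Host "`nThe Number in the Select column adds the computer to the OU, where the List column will list Sub-OU's of the OU." -ForegroundColor Green
 Write-Host $dn
 Write-Host $up
 Write-Host "`n"
 Write-Host ("List Of " + (([string]$dn).split("/"))[2]) -ForegroundColor Yellow
 Write-Host " Select  List`tOU"
 Write-Host " ----------------------------------------------------"
 Write-Host "   0`t  L0   <- Up a Level"
 #$ou = Get-ADOrganizationalUnit -SearchBase $dn -SearchScope OneLevel -Filter 'Name -like "*"'
 
 # FastBind on its own leaves the Secure flag off, and ADSI then performs a
 # simple bind that sends the user name and password to the directory server in
 # clear text. Adding Secure requests negotiated (Kerberos/NTLM) authentication
 # so the password is not exposed on the wire.
 $auth = [System.DirectoryServices.AuthenticationTypes]"FastBind, Secure"
 # DirectoryEntry only accepts a plain-text password, hence GetSecurePass.
 $de = New-Object System.DirectoryServices.DirectoryEntry($dn,$user.UserName,(GetSecurePass $user.Password),$auth)
 $ds = New-Object system.DirectoryServices.DirectorySearcher($de,$filter)
 $ds.SearchScope = "OneLevel"
 # @() keeps a single result as a one-element array, so .count and the index
 # lookups below also work when the OU has exactly one child.
 $ou = @(($ds.Findall()) | Sort-Object -Property Name)
 $sel = $null
 # Accepted answers: 0 / L0 (this OU / up), C (cancel), plus N and LN per row.
 $selectList = @("0","L0","C")
 
 for($x=1; $ou.count -ge $x; $x++) {
  # output line, alternating the background colour per row
  $selectList += $x
  $selectList += ("L"+$x)
  $outname = (AddTabs ($ou[$x-1].Properties['name']))
  $lineout = ("   " + $x + "`t  " + ("L"+$x) + "`t" + $outname)
  if($x % 2 -eq 0) {
   Write-Host $lineout -BackgroundColor White -ForegroundColor Black
  } else { 
   Write-Host $lineout -BackgroundColor Gray -ForegroundColor Black
  }
 }
 Write-Host "   C`t  C    -- Cancel & Exit"
 Write-Host "`n"
 # Keep prompting until the answer is one of the accepted values.
 while($selectList -notcontains $sel) {
  $sel = Read-Host "   Select OU or List Sub-OUs"
 }
 
 ## Figure out what the user selected
 if ( $sel[0] -eq "L") {
  ## User selected List Mode: the number after the L picks the row
  $y = ($sel.split("Ll")[1])
  if([int]$y -eq 0) { 
   # Up a level: the next "up" path is $up with its first RDN removed.
   $newup = ("LDAP://" + ($up -replace (($up -split ",")[0] + ",")))
   SelectOU $up $newup
  } else { 
   SelectOU $ou[$y-1].Properties['adspath'] $dn 
  }
 } elseif ($sel -eq "c") {
  ## User Selected Cancel
  return $false
 } else {
  ## User Selected the OU
  if([int]$sel -eq 0) {
   # 0 selects the OU currently being listed; strip the LDAP:// prefix.
   return ([string]$dn).split("//")[2] 
  } elseif([int]$sel -le [int]$ou.count)  { 
   return $ou[$sel-1].Properties['distinguishedname']
  } else { 
   SelectOU $dn $up 
  }
  
 }
}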
#--------------------------------------------------------------------

#--------------------------------------------------------------------
## Main
#--------------------------------------------------------------------

## Select / View OU
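# Main loop: let the user browse to an OU, confirm the choice, then join the
# computer to the domain in that OU. Cancelling in SelectOU ends the loop.
while($ou = (SelectOU $ouLocatoin $ouLocatoin)) {
 ## Add to Domain
 Write-Host ("  Will add computer (" + $env:computername + ") to:") -ForegroundColor Yellow
 Write-Host ("    " + $ou + "`n") -ForegroundColor Green
 $continue = Read-Host "  Continue (y | n)"
 if($continue -eq "y") {
  ## Now Add the Computer to the Domain
  # A string variable holding "-WhatIf" is bound as a positional argument, not
  # as the switch, so the dry-run guard has to be passed as a real switch
  # value. Any non-empty $whatif (the default is "-WhatIf") keeps this a dry
  # run; setting it to "" performs the join.
  $dryRun = -not [string]::IsNullOrEmpty([string]$whatif)
  add-computer -domainname $mydomain -OUPath $ou -Credential $user -WhatIf:$dryRun
  break
 } 
}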

Friday, November 7, 2014

Powershell: Test VMWare Host Networks

Here's a handy script I use to verify networks on my VMWare Clusters. This script takes a test VM and changes the Network and IP Address from a list, then does a simple ping from the VM on each host to let you know your networks are working correctly before moving Production Machines to it. The need for this spawned from a missing "allowed vLan id" not being configured across the ether channel ports on one of the hosts.

### -----------------------------------------------------------------
### Written by Matt Brown
###
### Description: Test VMWare Host Networks
###
### Requires:
###   VMWare Snapin
###   Test VM with a Local Admin Account, may need to turn UAC Off
###   CSV File with Network Info
###
### Sample CSV File:
###     Name,VLanId,ip,netmask,gateway
###     VM-Subnet01,21,192.168.3.5,255.255.255.0,192.168.3.1
###     VM-Subnet02,22,192.168.4.5,255.255.255.0,192.168.3.5
### -----------------------------------------------------------------

## Load VMWare Snapin
# Register the VMware snap-in only when no loaded snap-in name matches it.
if (@(Get-PSSnapin | Where-Object { $_.Name -match 'VMware.VimAutomation.Core' }).Count -eq 0) {
 Add-PSsnapin VMware.VimAutomation.Core
}

## Vars to Configure
$vCenterServer   = "VC.domain.com"          # vCenter server to connect to
$clusterToTest   = "ProductionCluster"      # cluster whose hosts are tested
$TestMachine     = "TestVM"                 # VM that is re-networked and moved
$vmnicname       = "Local Area Connection"  # guest NIC that gets the test IP
$NetworkListFile = "VMNetworkTestList.csv"  # CSV with the networks to test


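function TestNetwork($currenthost,$newhost,$vm,$gateway,$guestCred) {
 # Moves the test VM to $newhost when it is not already there, pings $gateway
 # from inside the guest and reports the result.
 #
 # Parameters:
 #   $currenthost - host the VM is on now (name, or an object with .Name).
 #   $newhost     - host to test on (name, or an object with .Name).
 #   $vm          - the test VM.
 #   $gateway     - IP address to ping from the guest.
 #   $guestCred   - guest OS credential for Invoke-VMScript.
 # Reads from script scope: $TestMachine (display only).
 # Returns: the name of the host the VM is on afterwards.

 # Accept either a plain name or the object produced by "select Name", so the
 # comparison and the move work on the host name itself and not on whatever
 # $_ happens to be in the caller.
 $currentName = if ($currenthost -is [string]) { $currenthost } else { $currenthost.Name }
 $targetName  = if ($newhost -is [string]) { $newhost } else { $newhost.Name }

 # $gateway comes from the CSV file and is placed into a command line that
 # runs inside the guest with the supplied credential, so only a literal IP
 # address is accepted.
 $gatewayText = [string]$gateway
 $parsedGateway = $null
 if ($gatewayText -notmatch '^[0-9A-Fa-f:.]+$' -or -not [System.Net.IPAddress]::TryParse($gatewayText, [ref]$parsedGateway)) {
  Write-Warning ("Skipping ping test: gateway '" + $gatewayText + "' is not a valid IP address.")
  return $currentName
 }

 # Exact comparison: a host name used as a regex treats "." as a wildcard.
 if($currentName -ne $targetName) {
  Write-Host ("Moving $TestMachine to " + $targetName) -ForegroundColor Cyan
  $vm | Move-VM -Destination $targetName | Out-Null
 }
 $script = ("ping " + $gatewayText)
 Write-Host $script -ForegroundColor Yellow
 $pingtest = Invoke-VMScript -VM $vm -ScriptText $script -scriptType bat -Credential $guestCred
 # The parentheses must be matched literally. As a bare regex, "(0% loss)" is a
 # group that also matches the tail of "100% loss", which would report a dead
 # network as a success.
 if($pingtest.ScriptOutput -match [regex]::Escape("(0% loss)")) { Write-Host "Test Success" -ForegroundColor Green } else { $pingtest.ScriptOutput }
 #$continue = Read-Host "Hit Enter to Test on Next Host."
 return $targetName
}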

## Connect to vCenter and grab information
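## Connect to vCenter and grab information
Connect-VIServer -Server $vCenterServer -credential (Get-Credential -Message ("vCenter Account"))
$hosts = Get-VMHost -Location $clusterToTest | select Name
$VM = get-vm -name $TestMachine
$currenthost = $vm.VMHost.Name

# Local administrator of the test VM; used for the guest network change and
# for the in-guest ping.
$guestCred = Get-Credential -UserName ($TestMachine + "\") -Message "Local Admin Account"

# For every network in the CSV: attach the test VM to it, set the matching IP
# configuration inside the guest, then run the ping test on the current host
# and on each host of the cluster.
# NOTE(review): the CSV values drive network changes and a command run inside
# the guest with an administrator credential; keep the file writable only by
# the people allowed to run this test.
$NetworksToTest = Import-Csv $NetworkListFile
$NetworksToTest | foreach {
 $NetworkName = $_.Name
 $IP = $_.ip
 $gateway = $_.gateway
 $netmask = $_.netmask
 
 Write-Host "Changing Network on $TestMachine to $NetworkName" -ForegroundColor Cyan
 Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -NetworkName $NetworkName -Confirm:$false | Out-Null
 #$continue = Read-Host "Hit Enter to Set the IP Address."
 
 Write-Host "Changing IP Address on $TestMachine to $IP" -ForegroundColor Cyan
 $VM | Get-VMGuestNetworkInterface -GuestCredential $guestCred | Where-Object { $_.Name -eq $vmnicname } | Set-VMGuestNetworkInterface -GuestCredential $guestCred -Ip $IP -Netmask $netmask -Gateway $gateway | Out-Null
 #$continue = Read-Host "Hit Enter to Run Ping Tests."
 
 # Test on the host the VM is already on, then on every host in the cluster.
 $currenthost = TestNetwork $currenthost $currenthost $vm $gateway $guestCred
 $hosts | foreach {
  # Pass the host NAME. Passing the "select Name" object makes the
  # current/new host comparison work on its string form ("@{Name=...}"), which
  # never equals a host name.
  $currenthost = TestNetwork $currenthost $_.Name $vm $gateway $guestCred
 }
}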

Wednesday, November 5, 2014

Powershell: Get AD Users from Group with Email Address

Here's a handy script I use to Generate a list of all "Users" with email addresses within a group. It's a recursive function so it will dig through nested groups to make sure all users are picked up. It does not do checking for duplicates as I normally just open the output in Excel and run the Remove Duplicates command.

### -----------------------------------------------------------------
### Written by Matt Brown
###
### Description: Get Username / Email from All Users in AD Group
###
### Requires: ActiveDirectory Module
### -----------------------------------------------------------------

Import-Module ActiveDirectory
# Group to expand, and the CSV file that receives one "username,mail" line per
# member.
$group = "Employees"
$outfile = -join ("c:\", $group, "_output.csv")

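function RecurseMyGroup($group,$outfile,$visited=@{}) {
 # Appends "samaccountname,mail" for every non-group member of $group to
 # $outfile, descending into nested groups.
 #
 # Parameters:
 #   $group   - group identity accepted by Get-ADGroup (name or DN).
 #   $outfile - path of the file the lines are appended to.
 #   $visited - internal: groups already expanded in this run. Callers can
 #              leave it out; a fresh table is created for each top-level call.
 #
 # NOTE(review): the values are written unquoted and unescaped. If the output
 # is opened in a spreadsheet, an attribute value that starts with "=", "+",
 # "-" or "@" may be interpreted as a formula - review who can edit these
 # attributes before trusting the file.

 $adGroup = Get-ADGroup $group -properties members
 if(-not $adGroup) { return }

 # Group nesting can be circular (A contains B, B contains A). Remember each
 # group by distinguished name and skip it the second time so the recursion
 # ends.
 $groupKey = [string]$adGroup.DistinguishedName
 if($visited.ContainsKey($groupKey)) { return }
 $visited[$groupKey] = $true

 Write-Host ("Checking Group " + $group)
 $adGroup.members | foreach {
  $object = Get-ADObject $_ -Properties mail,samaccountname
  if($object.objectClass -eq "Group") {
   RecurseMyGroup $object.DistinguishedName $outfile $visited
  } else {
   ($object.samaccountname + "," + $object.mail) | Out-File -FilePath $outfile -Append
  }
 }
 
}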

# Start the export at the configured group.
RecurseMyGroup -group $group -outfile $outfile

Monday, November 3, 2014

Powershell: VMWare Snapshot Report

Here's a handy script I use to send me a report on all VM's in my VMWare Environment with active snapshots. This script finds all VM's with Snapshots, creates an HTML report and emails the info to the provided list. I schedule this to run via the Task Manager automatically every week.

### -----------------------------------------------------------------
### Written by Matt Brown
###
### Description: Powershell script grabs a list of snapshots from the
###     VMWare Environment and emails them out as a report.
###
### Requires: VMWare Powershell Extensions
### -----------------------------------------------------------------

# Timestamped transcript of this run, stored under the script's own folder.
$thedate        = Get-Date -Format yyyy-MM-dd_HH-mm
$scriptname     = "VMWareSnapshots.ps1"
$scriptlocation = "C:\Scripts\VMWare\"
$filename       = -join ($scriptlocation, "Transcripts\", $thedate, "_Snapshots.rtf")
Start-Transcript -Path $filename

# Report file that is written and then mailed as an attachment.
$htmlOutFile = "C:\Scripts\VMWare\Reports\snapshot_list.htm"


# vCenter server to query and the location whose VMs are checked.
$vCenterServer   = "VC.domain.com"
$vCenterLocation = "ProductionCluster"

### Load VMWare Snapin
Add-PSSnapin -Name VMware.VimAutomation.Core

### -----------------------------------------------------------------
### Start Functions
### -----------------------------------------------------------------
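function SendEmail($body,$subject=("Script ERROR: " + $scriptname + " on " + ($env:COMPUTERNAME)),$to=@("admin@domain.com"),$attFile=$false) {
 # Sends a plain-text mail through the configured SMTP server.
 #
 # Parameters:
 #   $body    - message text; a header naming the server, the user and the
 #              script location is placed in front of it.
 #   $subject - subject line; defaults to a "Script ERROR" subject.
 #   $to      - array of recipient addresses; defaults to the admin mailbox.
 #   $attFile - path of a file to attach, or $false for no attachment.
 # Reads from script scope: $scriptname, $scriptlocation.
 #
 # NOTE(review): no TLS setting is configured on the SmtpClient here and the
 # call uses the default (logon) credentials - confirm that the relay and the
 # network path are acceptable for that.

 $message = New-Object System.Net.Mail.MailMessage
 try {
  if($attFile) {
   $attachement = New-Object System.Net.Mail.Attachment($attFile)
   $message.Attachments.Add($attachement)
   # NOTE(review): this fixed Message-ID is identical for every report that is
   # sent; the original comment says it adds a bell icon for Outlook users.
   $message.Headers.Add("message-id", "<3BD50098E401463AA228377848493927-1>") # Adding a Bell Icon for Outlook users
  }
  $message.From = "admin@domain.com"
  $to | foreach {
   $message.To.Add($_) # default is admin in function
  }
  $message.Subject = $subject

  $bodyh = "----------------------------------------------------------------------------------------------------`n"
  $bodyh += "Server: " + ($env:COMPUTERNAME) + "`n"
  $bodyh += "User: " + ($env:USERDOMAIN) + "\" + ($env:USERNAME) + "`n"
  $bodyh += "Location: " + $scriptlocation + $scriptname + "`n"
  $bodyh += "----------------------------------------------------------------------------------------------------`n`n"

  $message.Body = $bodyh + $body

  $smtp = New-Object System.net.Mail.SmtpClient
  $smtp.Host = "smtpserver.domain.com"
  $smtp.UseDefaultCredentials = $true
  $smtp.Send($message)
 } finally {
  # Disposing the message also releases its attachments, so the report file is
  # not left locked when sending fails or after the mail has gone out.
  $message.Dispose()
 }
}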

### -----------------------------------------------------------------

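Connect-VIServer $vCenterServer

# HTML/CSS style for the output file
# NOTE(review): this value is empty as published; any markup it held appears to
# have been lost - confirm against the original script.
$head = ""

$title = ($vCenterLocation + " VMWare Snapshots as of " + (get-date -Format "MM-dd-yyyy"))

# One row per snapshot: VM name, snapshot name, creation time and description.
$data = @()
Get-VM -Location $vCenterLocation | foreach {
 $snapshots = Get-SnapShot -VM $_
 # True for a single snapshot (its Name has a length) as well as for an array.
 if ($snapshots.Name.Length -ige 1 -or $snapshots.length){
  ForEach ($snapshot in $snapshots){
   $myObj = "" | Select-Object VM, Snapshot, Created, Description
   $myObj.VM = $_.name
   $myObj.Snapshot = $snapshot.name
   $myObj.Created = $snapshot.created
   $myObj.Description = $snapshot.description
   $data += $myObj
  }
 }
}
# Write the output to an HTML file
$data | Sort-Object VM | ConvertTo-HTML -Head $head -Body ("

"+$title+"

") | Out-File $htmlOutFile

# Mail the report. These were separate statements that had been run together
# on one line, which made them arguments of Out-File.
SendEmail ("See Attached VMWare Snapshot Report") $title (@("joe@domain.com","fred@domain.com")) $htmlOutFile

DisConnect-VIServer -Confirm:$false
stop-transcript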

Tuesday, November 16, 2010

Powershell: Update Timezone Region for Outlook.com Live@Edu Accounts

Here's a quick script to update the Timezone and Language of all your Outlook Live Accounts using remote powershell.

### -----------------------------------------------------------------
### Written by Matt Brown - 11/16/2010
###
### Powershell script requires a csv text file in the following Format:
###  > email
###  > address1@domain.com
###     > user2@domain.com
### -----------------------------------------------------------------

## Setup Vars
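# Regional settings applied to every mailbox listed in the CSV file.
$ImportFile = "C:\live-email-list.csv"
$Language = "en-US"
$Timezone = "Pacific Standard Time"
$DateFormat = "M/d/yyyy"
$TimeFormat = "h:mm tt"

## get the email accounts to change
# @() keeps a one-row file as an array so .Length is meaningful.
$EmailAccounts = @(import-csv $ImportFile)
Write-Host " Accounts Found in CSV File" $EmailAccounts.Length

$Session = $null
# The count has to be read from $EmailAccounts, the variable that holds the
# imported rows; a name that is never assigned is always empty, so the update
# block would never run.
if($EmailAccounts.Length -gt 0) {
  ## Setup Outlook Live session and modify accounts
  $LiveCred = Get-Credential
  $loop = 5
  while($loop -gt 0) {
    # this loop handles reconnect if connection to Live fails on first try.
    # NOTE(review): Basic authentication sends the password with the request,
    # protected only by the HTTPS transport, and -AllowRedirection lets the
    # endpoint redirect the session to another URI. Use an account limited to
    # this task.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    if($Session) { 
      $loop = 0
      Import-PSSession $Session
      $EmailAccounts | foreach {
        $Check = Get-MailboxRegionalConfiguration $_.email
        # Compare the TimeZone property; the configuration object itself never
        # equals the time zone string.
        if($Check.TimeZone -ne $Timezone) {
          Write-Host $_.email
          Set-MailboxRegionalConfiguration $_.email -TimeZone $Timezone -Language $Language -DateFormat $DateFormat -TimeFormat $TimeFormat
        }
      }
    } else {
      Write-Host "Session not created... trying again"
      $loop -= 1
    }
  }
}
# Only close a session that was actually created.
if($Session) {
  Remove-PSSession -Session $Session
}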

Monday, May 31, 2010

Auto Logout after 1 hour of usage

I recently needed a script to automatically log the user out after 1 hour of computer usage. I came up with a pretty low tech solution. Set a scheduled task to activate on user login that runs a DOS bat script. The bat script sleeps for 57 minutes and then kicks off a reboot with notice. Note: It requires sleep.exe from the Windows Resource Kit tools.

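@ECHO OFF
REM ##########################################################################
REM ### by Matt Brown
REM ###
REM ### This Script should be set to Run at Logon via a scheduled task
REM ### - it should be run as an administrator and the users that you
REM ### - want to force a logoff should be standard user accounts, so that
REM ### - they cannot end the task or abort the pending shutdown.
REM ###
REM ### - Note: Requires sleep.exe from Windows Resource Kit in system32 dir
REM ##########################################################################

REM ### Sleep for 57 minutes: 57 * 60 = 3420 seconds. Together with the
REM ### 180 second notice below this gives the user one hour in total.
SLEEP 3420

REM ### Set the notice to display to the user when shutdown is initiated
SET NOTICE="Your one hour of time has expired. You will be automatically logged off in 3 Minutes"

REM ### Start a restart (/r) that completes in 180 seconds, shows the notice
REM ### to the user and forces running applications to close (/f)
SHUTDOWN /r /t 180 /c %NOTICE% /f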

Sunday, February 28, 2010

Remove Terminated User from GAL - Powershell

Quick Powershell script to remove disabled users from the Exchange 2007 Global Address List (GAL) without deleting the account / mailbox. This uses the Quest Active Roles powershell extensions for Active Directory.
### -----------------------------------------------------------------
### Written by Matt Brown
###
### Name: Remove Terminated Employees from GAL
###
### Version: v1.0, 02/2010
###
### Info: This script Finds Disabled Users and removes them from the GAL
###
### Requires: 1. Quest Powershell extensions for AD
###
### Note: If you are using Resource Mailboxes that are disabled you
###   will want to directly specify your staff OU.
### -----------------------------------------------------------------
# Search root: restrict the change to the staff OU (see the note in the header
# about disabled resource mailboxes).
$mydomain = 'domain.company.com/Staff'

# Find the disabled accounts under the search root and clear their
# showInAddressBook attribute; the account and mailbox are not deleted.
# NOTE(review): -SizeLimit 3000 presumably caps the number of accounts that are
# returned - confirm it is high enough for the directory.
Get-QADUser -SearchRoot $mydomain -SizeLimit 3000 -Enabled:$false |
 Set-QADUser -ObjectAttributes @{showinaddressbook=@()}

Friday, February 26, 2010

Exchange 2007 Alias update - Powershell

With a recent migration from an old email system I needed to bring over aliases from the old system that would be grandfathered for those users but not new users. This Powershell script checked the accounts to see if the alias was present and if not added it to the account as an accepted Email Address.

### -----------------------------------------------------------------
### Written by Matt Brown - 01/07/2010
###
### Powershell script to update Exchange Aliases
### from ones found in the old email system
###
### Requires Exchange Powershell extensions
###
### Input file should contain csv row for alias and username
### Example: username,alias
### jdoe,jon.doe
### -----------------------------------------------------------------

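# Record the whole run in a timestamped transcript file.
$thedate = Get-Date -f yyyy-MM-dd_HH-mm
$filename = $thedate + "_output.rtf"
start-transcript -path $filename

try {
    # ---------------------------
    # Add Quest AD Snapin
    # ---------------------------
    if(-not (Get-PSSnapin | where { $_.Name -match 'quest.activeroles.admanagement' })) {
        add-PSSnapin quest.activeroles.admanagement
    }
    if(-not (Get-PSSnapin | where { $_.Name -match 'Microsoft.Exchange.Management.PowerShell.Admin' })) {
        add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
    }

    ## Grab all the aliases in the file and group in an array by username
    $MailAliases = @{}
    Import-Csv "test.txt" | foreach {
        $MailAliases[$_.Username] += @($_.Alias)
    }

    ## set the domains we want to see for each alias
    $Domains = @()
    $Domains += "@domain.com"
    $Domains += "@sub.domain.com"

    ## loop through the users and look for each alias
    ## with each domain in the current list if missing add
    ## it to the accepted addresses and update the user account
    $MailAliases.keys | foreach {
        $username = $_
        # Get the user account
        $User = Get-Mailuser -identity $username
        if(-not $User) {
            # Unknown user in the input file: report it and go on to the next
            # one instead of working on an empty object.
            Write-Warning ("No mail user found for " + $username)
            return
        }
        $updateuser = $false
        # Check each mail alias in the list
        $MailAliases[$username] | foreach {
            $ua = $_
            $Domains | foreach {
                $check = $ua + $_
                $needsadd = $true
                $User.EmailAddresses | foreach {
                    if($_.SMTPAddress -eq $check) {
                        # address found in list, will not be added
                        $needsadd = $false
                    }
                }
                if($needsadd -eq $true) {
                    # address wasn't found, add to accepted addresses
                    $User.EmailAddresses += $check
                    $updateuser = $true
                }
            }
        }
        if($updateuser -eq $true) {
            # Now Update the User Account with new aliases
            #Write-Host $User.Name
            $User | Set-Mailuser
        }
    }
} finally {
    #cleanup - close the transcript even when a step above fails
    Stop-Transcript
}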

Monday, November 2, 2009

Live @ Edu hotmail active mailboxes

I run a live@edu hotmail system at our school and I needed a way to find out which mailboxes were no longer active (i.e. the student hasn't logged in for 365 days). So I put together this little python script to make an SMTP connection for each address and load the status into a mysql database.


#######################################
## Written by Matt Brown
## - check hotmail mailbox status active / inactive
## - for live @ edu hotmail accounts
########################################

import smtplib
import fsdb
import time

##-------------------------------------------
def ConnectMySQL(name,debug=0):
    """Register the MySQL connection under `name` and return the fsdb module.

    name  -- label the connection is registered under.
    debug -- value handed to fsdb.set_debug (default 0).
    """
    # NOTE(review): host, database, user and password are literals in the
    # source. Replace the placeholders from a protected configuration source
    # rather than committing real credentials in this file.
    connection_args = (name, 'mydb_ip', 'mydb', 'mydbuser', 'mydbpass')
    fsdb.register_connection(*connection_args)
    fsdb.set_debug(debug)
    return fsdb
#----------------------------------------------------
def CloseMySQL(name):
    """Unregister the fsdb connection that was registered under `name`."""
    connection_label = name
    fsdb.unregister_connection(connection_label)
#----------------------------------------------------
def RunMySQLQuery(fsdb,query):
    """Run `query` through the given fsdb handle and return its result.

    fsdb  -- object exposing query(sql, second_argument).
    query -- SQL text; it is passed through unchanged, with None as the
             second argument.
    """
    result = fsdb.query(query, None)
    return result
#----------------------------------------------------

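# Main routine (Python 2): for every address in addresses_table that has
# active_mailbox='0', issue an SMTP RCPT for it and record the outcome in the
# table.

def _open_probe_session():
    """Open an SMTP session to the mail exchanger, ready for RCPT commands."""
    session = smtplib.SMTP('pamx1.hotmail.com','25','localhost')
    session.ehlo('verify')
    session.mail('admin@mydomain.com')
    return session

count = 0
try:
    name ="email"
    fsdb = ConnectMySQL(name)
    email_accounts = RunMySQLQuery(fsdb,"select id,email from addresses_table WHERE active_mailbox='0'")

    s = _open_probe_session()

    for user in email_accounts:
        # user[0] is the row id, user[1] the address. int() guarantees that
        # only a number is concatenated into the UPDATE statements below.
        row_id = str(int(user[0]))
        mbstatus = s.rcpt(user[1])
        if mbstatus[0] == 550:
            print user, "inactive"
            RunMySQLQuery(fsdb,"update addresses_table set active_mailbox=0,mailbox_check=NOW() WHERE id="+row_id)
        elif mbstatus[0] == 250:
            print user, "active"
            RunMySQLQuery(fsdb,"update addresses_table set mailbox_check=NOW() WHERE id="+row_id)
            count = count + 1
        else:
            print mbstatus[0], mbstatus

        # hotmail only allows 10 recipients
        # NOTE(review): only accepted (250) recipients are counted - confirm
        # that rejected ones do not count towards the limit.
        if count == 9:
            count = 0
            time.sleep(2) # pause so we don't get black listed
            # "s.rset" without parentheses never called anything and the old
            # connection was left open; close it before opening the next one.
            s.quit()
            s = _open_probe_session()

    s.quit()
    CloseMySQL(name)

except Exception as e:
    CloseMySQL(name)
    print e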

mysql random password

I needed a quick way to create a random password for a large number of users in mysql.


-- Returns one 8-character lowercase hexadecimal string: the first 8 characters
-- of the MD5 digest of a RAND() value.
-- NOTE(review): RAND() is not a cryptographically secure generator and 8 hex
-- characters carry at most 32 bits, so treat the result as a temporary
-- password that must be changed at first login. Where the server offers a
-- secure random source (for example RANDOM_BYTES() in newer MySQL releases),
-- prefer it for anything longer-lived.
SELECT SUBSTRING( MD5( RAND() ) FROM 1 FOR 8 ) AS PASSWORD;

Monday, October 12, 2009

Powershell - Terminate Employee in Active Directory

Here's a quick little script to terminate an employee in Active Directory. I'm using the quest AD Powershell command-lets in this script. This uses powershell to disable the AD Account, Change the AD password to a random password, set the description of the account and remove all the group membership from the account.

Input text file looks like this:
empID
08791
08792


Powershell Script:

# ---------------------------
# Add Quest AD Snapin
# ---------------------------
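if(-not (Get-PSSnapin | where { $_.Name -match 'quest.activeroles.admanagement' })) {
    add-PSSnapin quest.activeroles.admanagement
}
# Load Assembly so we can easily generate a random password.
# (The call had been fused into the comment line, so System.Web was never
# loaded and the password generation below could not work.)
[void][Reflection.Assembly]::LoadWithPartialName("System.Web")

$s = get-credential
connect-qadservice -credential $s -Service "mydomain.com"

# For every employee ID in the input file: disable the account, set a random
# password, mark it as terminated, remove its group memberships and move it to
# the Terminated OU.
Import-Csv "employeeIDList.txt" | foreach {
    $user = $null
    $empId = [string]$_.empID
    if([string]::IsNullOrEmpty($empId.Trim())) {
        # A blank row would produce an invalid filter; skip it.
        return
    }
    # Escape the characters that have a meaning inside an LDAP filter, so a
    # value from the file is always matched literally and cannot widen the
    # search to other accounts.
    $escapedId = $empId.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29').Replace([string][char]0,'\00')
    # Inside a double-quoted string "$_.empID" expands $_ and then appends the
    # text ".empID"; the value has to be put into its own variable (or wrapped
    # in $()) for the filter to contain the ID.
    $user = get-QADObject -SearchRoot 'mydomain.com/People' -Type User -ldapFilter "(employeeID=$escapedId)"
    if($user) {
        write-host "Disabling " $user.samAccountName
        # generate random password (10 characters, at least 2 of them
        # non-alphanumeric); it is deliberately not displayed or stored
        $ranpassword = [System.Web.Security.Membership]::GeneratePassword(10,2)
        # Disable User Account
        $user | Disable-QADUser
        # Set User's Description to Terminated and set a random password
        $user | set-QADUser -Description "Terminated" -UserPassword $ranpassword
        # Remove User from all Groups (does not include domain users)
        $user.memberof | Get-QADGroup | Remove-QADGroupMember -member $user
        # Move user to Terminated OU
        $user | Move-QADUser -NewParentContainer 'mydomain.com/Terminated'
    } else {
        write-host $empId "not found in Active Directory"
    }
}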