Active Directory Automation Scripts
- 100+ club locations, each with workstations that needed correct security group assignments and OU placement in AD.
- Built scripts that extract the club number from the hostname and dynamically assign groups and move workstations.
- Separate script catches new workstations sitting in the default Computers container.
- Also includes bulk OU migration tools and a disabled-account cleanup script.
The problem
When you manage Active Directory for an organization with over 100 physical locations, things get tedious fast. Every club had its own OU, its own set of security groups, and anywhere from 3 to 8 workstations that all needed to land in the right place. New workstations would show up in the default Computers container and just sit there until someone manually moved them.
The naming convention helped. Every workstation hostname started with its three-digit club number. A front desk workstation at club 623 would be named something like 623-FD1. A kiosk would be 623-KIOSK. That pattern was the key to automating the whole thing.
How it works
The script pulls every computer object from the Clubs OU (and optionally the default Computers container for unsorted workstations). It uses a regex to extract the club number from the hostname, then looks up the target OU from a CSV mapping file. Once it knows where a workstation belongs, it moves it to the correct OU and adds it to the right security groups.
Import-Module ActiveDirectory
# Placeholder search base: the real script points at the Clubs OU (and optionally CN=Computers)
$computers = Get-ADComputer -Filter * -SearchBase "OU=Clubs,DC=example,DC=com"

foreach ($computer in $computers) {
    $SelectedComputer = $computer.Name
    # The capture group picks up the three-digit club number at the start of the hostname
    if ($SelectedComputer -match "^([0-9]{3})") {
        # Keep the club ID as a string: [int] would drop a leading zero (club 042 -> 42),
        # and "int + string" throws a type conversion error in PowerShell
        $ComputerClubID = $Matches[1]
        # Build security group names from club ID
        $FRD = $ComputerClubID + '-FRD'
        $FD  = $ComputerClubID + '-FD'
        $MF  = $ComputerClubID + '-KIOSK'
    }
}
The security groups follow a predictable naming pattern too. Each club has groups for front desk (FD), front desk reception (FRD), kiosk, and back office (BO) workstations. The script builds those group names dynamically from the club number, so it doesn't need a separate lookup table for group assignments.
The default Computers problem
There's a second version of the script specifically for workstations that land in the default Computers container. When a new workstation joins the domain, it drops into that container by default. If someone forgets to pre-stage the computer object, it just sits there without any of the club's OU-linked GPOs applied, because the Computers container is not an OU. The default-computers variant catches those stragglers, matches them by hostname, and moves them where they need to go.
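As an added example (not the author's scripts), here is a PowerShell version of the workstation sorter described under "How it works" and in the default-Computers variant: it reads the club-to-OU CSV mapping, derives the security group from the club number and the hostname's role suffix, skips anything it cannot match unambiguously, and supports -WhatIf. The CSV column names, the mapping file path, the role suffixes and the example.com domain are assumptions.

```powershell
# Added example, not the author's script: sort club workstations out of a
# source container into the club OU and role group derived from the hostname.
# Assumed: CSV columns ClubID,TargetOU; hostnames like 623-FD1, 623-KIOSK, 623-BO1.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$MappingCsv = '.\club-ou-map.csv',              # assumed file name
    [string]$SearchBase = 'CN=Computers,DC=example,DC=com'  # placeholder domain
)
Import-Module ActiveDirectory
# Club number -> target OU, keyed by string so a leading zero (club 042) survives
$ouMap = @{}
Import-Csv -Path $MappingCsv | ForEach-Object { $ouMap[$_.ClubID] = $_.TargetOU }
$validRoles = 'FD', 'FRD', 'KIOSK', 'BO'

foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    # Anchor the pattern: only a leading three-digit club number counts
    if ($computer.Name -match '^(\d{3})-([A-Z]+)\d*$') {
        $clubId = $Matches[1]; $role = $Matches[2]
    } else {
        Write-Warning "$($computer.Name): outside the club naming convention, skipping"
        continue
    }
    if (-not $ouMap.ContainsKey($clubId)) {
        Write-Warning "$($computer.Name): club $clubId has no OU in $MappingCsv, skipping"
        continue
    }
    if ($validRoles -notcontains $role) {
        Write-Warning "$($computer.Name): unknown role '$role', skipping"
        continue
    }
    $targetOu  = $ouMap[$clubId]
    $groupName = "$clubId-$role"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        Write-Warning "$($computer.Name): group $groupName does not exist, skipping"
        continue
    }
    # Add the membership first, while the DN is still current, and only if missing
    $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName
    if ($members -notcontains $computer.DistinguishedName -and
        $PSCmdlet.ShouldProcess($computer.Name, "Add to group $groupName")) {
        Add-ADGroupMember -Identity $group -Members $computer
    }
    # Move only when the object is not already directly under its target OU
    $currentOu = ($computer.DistinguishedName -split ',', 2)[1]
    if ($currentOu -ne $targetOu -and
        $PSCmdlet.ShouldProcess($computer.Name, "Move to $targetOu")) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
    }
}
```

Run it with -WhatIf first to see every planned move and group addition without changing the directory; the warnings show which hosts, clubs or groups the mapping does not cover.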
Bulk OU migrations
Alongside the workstation scripts, I built a pair of simple movers: one for users and one for computers. Both read from a CSV with the object's distinguished name and the target OU, then loop through and move each one. We used these during a major OU restructure where we reorganized the entire directory tree. Doing that by hand for hundreds of objects across 100+ clubs was not happening.
Cleaning up disabled accounts
The last piece is a cleanup script that finds all disabled user accounts and strips their group memberships. When someone leaves the company, their account gets disabled, but the group memberships often stick around. This script runs periodically and removes those stale memberships so our security groups stay accurate.
None of these scripts are complicated on their own. But at scale, they saved hours of manual work every week and kept the directory consistent across every location.
Includes workstation assignment, OU migration, and cleanup scripts.