From 9cfe3c8b48e32f9041b73b5118c27e18ce3e2a0b Mon Sep 17 00:00:00 2001 From: jessikitty Date: Wed, 20 May 2026 11:24:38 +1000 Subject: [PATCH] Add OU moves for active/inactive staff, included in dry run output --- Update-StaffAD.ps1 | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) diff --git a/Update-StaffAD.ps1 b/Update-StaffAD.ps1 index 4c160e5..67f3bc5 100644 --- a/Update-StaffAD.ps1 +++ b/Update-StaffAD.ps1 @@ -3,6 +3,7 @@ # Matches users by sAMAccountName (PAYROLL_REC_NO column). # If duplicate entries exist, ACTV takes priority over INAC/LEFT. # Creates new AD accounts for ACTV users not found in AD. +# Moves users to active/inactive OUs based on status. # Applies changes automatically and appends results to a log file. # # Usage: @@ -16,7 +17,9 @@ param( # --- Configuration --- $CsvPath = "C:\Scripts\Staff_Extract.csv" $LogFile = "C:\Scripts\Logs\StaffAD_Changes.log" -$NewUserOU = "OU=Staff,DC=school,DC=vic,DC=edu,DC=au" # Update this +$NewUserOU = "OU=Teachers,OU=Staff,OU=Users,OU=5362-NiddrieAutistic,DC=curric,DC=niddrieautistic,DC=wan" +$ActiveOU = "OU=Teachers,OU=Staff,OU=Users,OU=5362-NiddrieAutistic,DC=curric,DC=niddrieautistic,DC=wan" +$InactiveOU = "OU=InactiveStaff,OU=5362-NiddrieAutistic,DC=curric,DC=niddrieautistic,DC=wan" $DefaultPassword = ConvertTo-SecureString "P@ssword123!" -AsPlainText -Force # Update this # --- Setup --- @@ -73,6 +76,7 @@ $disables = 0 $noChanges = 0 $notFound = 0 $created = 0 +$moved = 0 $notFoundList = @() foreach ($entry in $Deduped.Values) { @@ -92,7 +96,7 @@ foreach ($entry in $Deduped.Values) { # Find user in AD by sAMAccountName try { $adUser = Get-ADUser -Identity $samAccount ` - -Properties EmailAddress, Enabled, DisplayName ` + -Properties EmailAddress, Enabled, DisplayName, DistinguishedName ` -ErrorAction Stop } catch { # Not found in AD - create if ACTV, otherwise log and skip 
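Review bot: The unchanged line directly under the new OU values still builds `$DefaultPassword` from a plaintext literal via `ConvertTo-SecureString -AsPlainText -Force`, while this commit replaces the placeholder OU with what looks like a live directory path. Every account created in `$NewUserOU` would then start with a password known to anyone who can read the script or its repository. Consider generating a random initial password per account, or loading it from a protected store at run time, and confirm in the creation code (outside this hunk) that a change at first logon is enforced. `$NewUserOU` and `$ActiveOU` also carry the same literal; `$NewUserOU = $ActiveOU` would stop them drifting apart.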
@@ -125,7 +129,6 @@ foreach ($entry in $Deduped.Values) { Write-Log " Account : CREATED in $NewUserOU [CREATED]" "Green" Write-Log " Email : $email [SET]" "Green" - $created++ } catch { Write-Log " Account : FAILED to create - $_" "Red" } @@ -137,7 +140,12 @@ foreach ($entry in $Deduped.Values) { $willDisable = ($status -in $DisableStatuses) -and $adUser.Enabled $willUpdateEmail = ($adUser.EmailAddress -ne $email) - if (-not $willDisable -and -not $willUpdateEmail) { + # Determine OU move + $currentOU = ($adUser.DistinguishedName -replace '^CN=[^,]+,', '') + $targetOU = if ($status -in $DisableStatuses) { $InactiveOU } else { $ActiveOU } + $willMove = ($currentOU -ne $targetOU) + + if (-not $willDisable -and -not $willUpdateEmail -and -not $willMove) { $noChanges++ continue } @@ -159,7 +167,7 @@ foreach ($entry in $Deduped.Values) { Write-Log " Email : FAILED to update - $_" "Red" } } - $emailUpdates++ + if ($DryRun) { $emailUpdates++ } } # Disable account @@ -175,7 +183,23 @@ foreach ($entry in $Deduped.Values) { Write-Log " Account : FAILED to disable - $_" "Red" } } - $disables++ + if ($DryRun) { $disables++ } + } + + # Move user to correct OU + if ($willMove) { + if ($DryRun) { + Write-Log " OU Move : WOULD MOVE to $targetOU" "Magenta" + } else { + try { + Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $targetOU + Write-Log " OU Move : MOVED to $targetOU [MOVED]" "Green" + $moved++ + } catch { + Write-Log " OU Move : FAILED to move - $_" "Red" + } + } + if ($DryRun) { $moved++ } } } 
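Review bot: The parent-OU extraction `-replace '^CN=[^,]+,', ''` mis-parses a DN whose CN contains an escaped comma (a constructed example: `CN=Surname\, Given,OU=...`), because `[^,]+` stops at the escaped comma. `$currentOU` then never equals `$targetOU`, and the account is flagged for a move on every run. Splitting on the first unescaped comma avoids this: `$currentOU = ($adUser.DistinguishedName -split '(?<!\\),', 2)[1]`. Separately, `else { $ActiveOU }` treats every status not in `$DisableStatuses` as active, including blank or unexpected values, unless the CSV status is validated earlier (not visible here). The enclosing `foreach` loop starts and ends outside this hunk.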
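Review bot: `if ($DryRun) { $emailUpdates++ }` counts email updates only in dry-run mode, so a real run reports 0 unless the `try` success branch above this hunk already increments the counter. The same applies to `if ($DryRun) { $disables++ }` in the `@@ -175,7 +183,23 @@` hunk, and to the `$created++` that `@@ -125,7 +129,6 @@` removes from the creation success path without a visible replacement. The new move block shows the pattern that works in both modes (`$moved++` inside `try`, plus the dry-run increment). Please confirm the email, disable and create branches follow it, since these totals are appended to the change log.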
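Review bot: `Move-ADObject` runs for any account the CSV matches by sAMAccountName, wherever it currently sits. An account outside the staff OUs whose name matches a row (an administrative or service account, say) would be relocated into `$ActiveOU` or `$InactiveOU` and pick up different Group Policy and delegation. Bounding the move to accounts already under a known staff root would limit this, for example by adding `-and $currentOU.EndsWith($StaffRootOU, [System.StringComparison]::OrdinalIgnoreCase)` where `$willMove` is computed in the earlier hunk; `$StaffRootOU` is a placeholder for a new configuration value. The call also omits `-ErrorAction Stop`, unlike the `Get-ADUser` call earlier in the file, so any non-terminating error would bypass the `catch` and still log MOVED and increment `$moved`. The enclosing `foreach` loop begins outside this hunk.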
@@ -183,13 +207,14 @@ foreach ($entry in $Deduped.Values) { Write-Log "" Write-Log " --- Summary $(if ($DryRun) { '(DRY RUN)' }) ---" -if ($emailUpdates -eq 0 -and $disables -eq 0 -and $created -eq 0) { +if ($emailUpdates -eq 0 -and $disables -eq 0 -and $created -eq 0 -and $moved -eq 0) { Write-Log " No changes $(if ($DryRun) { 'would be' } else { 'were' }) made on this run." "Cyan" } -Write-Log " Accounts $(if ($DryRun) { 'to create' } else { 'created' }) : $created" +Write-Log " Accounts $(if ($DryRun) { 'to create ' } else { 'created ' }): $created" Write-Log " Email updates : $emailUpdates" Write-Log " Accounts disabled : $disables" +Write-Log " OU moves : $moved" Write-Log " No changes needed : $noChanges" Write-Log " Not found in AD : $notFound" if ($notFoundList.Count -gt 0) {