PowerShell : Find Computer Moves in Active Directory

Active Directory administrators often need to track when computer accounts move between organizational units (OUs). This seemingly simple task can become surprisingly complex in large environments with multiple domain controllers and extensive event logs. Here's the story of how I developed a solution to this challenge.

The Problem: Finding Needles in Digital Haystacks

When a computer object moves between OUs, the domain controller that processed the move records the change in its own Security log. Two things follow from that: the event exists only if the Directory Service Changes audit subcategory is enabled and the OUs carry a SACL for the operation, and it is written on the originating domain controller alone (event logs are not replicated), so every domain controller has to be queried. Even then, these events are scattered among millions of other security events, making them difficult to locate. Traditional approaches like manually checking each domain controller or using basic Event Viewer filters quickly prove inadequate.

The specific challenge was to identify all instances where computer accounts had been moved from one organizational unit to another within the Active Directory structure over a 7-day period.

Initial Approach: The PowerShell Path

Our first approach leveraged PowerShell's Get-WinEvent cmdlet, which seemed like the natural choice. The plan was to:

  1. Query all domain controllers for specific event IDs (5139, "A directory service object was moved", which records the old and new distinguished names, and 5136, "A directory service object was modified", for attribute changes)
  2. Filter the results for computer-related events
  3. Export the findings to a CSV file

However, we quickly ran into several challenges:

  • Performance issues: Remote queries against large security logs caused significant delays
  • Timeouts: Queries would time out when processing large volumes of events
  • Error handling: Get-WinEvent reports an empty result as an error, so every quiet domain controller or time window produced a noisy "no events found" message that cluttered the output
  • Reliability: The approach worked inconsistently across different domain controllers

Refining the Solution: Learning from Failures

Each limitation taught us something valuable:

  1. From timeouts, we learned about batching: Rather than trying to query 7 days of events at once, we needed to break the queries into smaller time chunks.
  2. From reliability issues, we learned about resilience: We needed to properly handle scenarios like unresponsive domain controllers or access denied errors.
  3. From performance problems, we learned about filtering strategy: let the domain controller filter only on event ID and time window, download that batch, and then filter locally for computer objects; pushing content matching to the remote side was slower.
  4. From error handling challenges, we learned about clean output: Suppressing expected error conditions (like "no events found") made the output much more readable.

The Breakthrough: Two-Stage Filtering

The key insight came when we realized we needed a two-stage approach:

  1. First, query each domain controller for a manageable batch of the specific event IDs (5139 and 5136)
  2. Then locally filter those events for computer-related content

This approach solved several problems at once:

  • It reduced the load on domain controllers
  • It minimized network traffic
  • It allowed for more complex filtering patterns
  • It provided better control over error handling

Building a Robust Solution

The final solution incorporated several important design principles:

  • Progress reporting: Clear feedback on which domain controller was being queried and how far along the process was
  • Error resilience: Gracefully handle unresponsive domain controllers or access issues
  • Proper CSV generation: distinguished names contain commas, so every field must be quoted and special characters escaped correctly
  • Actionable summary: Providing insights on which computers moved most frequently and which administrators performed the moves
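The two-stage collection described above (server-side filter on event ID and time window, local filter on the event data) together with the design points in this section, as one added PowerShell example written for this page. It is not the All-OUMove.ps1 script discussed here, which is not on the page. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on every domain controller, and that the Directory Service Changes audit subcategory is enabled with a SACL on the OUs; the chunk size, the column names and the output path are choices of this example:

```powershell
# Added example for this page; not the author's All-OUMove.ps1.
# Assumes: RSAT ActiveDirectory module, read access to each DC's Security log,
# and "Audit Directory Service Changes" enabled with a SACL on the OUs; without
# that auditing there are no 5139/5136 events to find.
param(
    [int]$Days = 7,             # window to cover
    [int]$ChunkHours = 6,       # size of each remote query (assumption; tune to log volume)
    [string]$OutCsv = '.\ComputerOUMoves.csv'
)
Import-Module ActiveDirectory -ErrorAction Stop

$end   = Get-Date
$start = $end.AddDays(-$Days)
$dcs   = @((Get-ADDomainController -Filter *).HostName)
$rows  = New-Object System.Collections.Generic.List[object]

# Turn one event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}
# Parent container of a DN ("CN=PC01,OU=Staff,DC=corp,DC=local" -> "OU=Staff,DC=corp,DC=local").
# Escaped commas inside an RDN are not handled; computer CNs normally contain none.
function Get-ParentDn([string]$Dn) { return ($Dn -split ',', 2)[1] }

for ($i = 0; $i -lt $dcs.Count; $i++) {
    $dc = $dcs[$i]
    Write-Progress -Activity 'Collecting directory change events' `
        -Status "$dc ($($i + 1) of $($dcs.Count))" -PercentComplete ([int](100 * $i / $dcs.Count))

    # Stage 1: server-side filter on ID and time only, one chunk at a time.
    $chunkStart = $start
    while ($chunkStart -lt $end) {
        $chunkEnd = $chunkStart.AddHours($ChunkHours)
        if ($chunkEnd -gt $end) { $chunkEnd = $end }
        $filter = @{ LogName = 'Security'; Id = 5139, 5136; StartTime = $chunkStart; EndTime = $chunkEnd }
        try {
            $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop)
        } catch {
            # Get-WinEvent reports an empty chunk as an error; that is expected noise.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
            else {
                # RPC unavailable, access denied, etc.: warn and move on to the next DC.
                Write-Warning "$dc ($chunkStart to $chunkEnd): $($_.Exception.Message)"
                break
            }
        }

        # Stage 2: filter locally on structured EventData, never on the message text.
        foreach ($ev in $events) {
            $d = ConvertTo-EventData $ev
            if ($d['ObjectClass'] -ne 'computer') { continue }
            $row = [ordered]@{
                Time = $ev.TimeCreated; DC = $dc; EventId = $ev.Id
                Actor = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Computer = ''; OldDN = ''; NewDN = ''; Attribute = ''; Value = ''
            }
            if ($ev.Id -eq 5139) {
                # 5139 also covers renames; a move is a change of parent container.
                if ((Get-ParentDn $d['OldObjectDN']) -eq (Get-ParentDn $d['NewObjectDN'])) { continue }
                $row.Computer = ($d['NewObjectDN'] -split ',', 2)[0] -replace '^CN='
                $row.OldDN = $d['OldObjectDN']; $row.NewDN = $d['NewObjectDN']
            } else {
                $row.Computer  = ($d['ObjectDN'] -split ',', 2)[0] -replace '^CN='
                $row.OldDN     = $d['ObjectDN']
                $row.Attribute = $d['AttributeLDAPDisplayName']; $row.Value = $d['AttributeValue']
            }
            $rows.Add([pscustomobject]$row)
        }
        $chunkStart = $chunkEnd
    }
}
Write-Progress -Activity 'Collecting directory change events' -Completed

# Export-Csv quotes every field, so the commas inside distinguished names survive.
$rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8

# Summary: most-moved computers and who performed the moves (5139 only).
$moves = $rows | Where-Object EventId -eq 5139
"`nMost frequently moved computers:"
$moves | Group-Object Computer | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
"`nMoves per administrator:"
$moves | Group-Object Actor | Sort-Object Count -Descending | Select-Object Count, Name
```

Two checks in the block are worth keeping in any version of this tool: a rename of a computer object also produces 5139, so comparing the parent container of OldObjectDN and NewObjectDN is what separates a real OU move from a rename; and filtering on the ObjectClass field of the event data is more reliable than matching "computer" in the rendered message, which varies with the display language of the domain controller.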

The Outcome: Actionable Insights

The final tool provided valuable insights that were previously difficult to obtain:

  • Which computers were moved most frequently between OUs
  • Which administrators were performing these moves
  • When and where these changes occurred
  • Patterns of organizational restructuring

This information helped improve governance, troubleshoot issues more quickly, and maintain better control over the Active Directory environment.

Lessons Learned

This journey taught us several valuable lessons about working with large-scale Active Directory environments:

  1. Event logs are valuable but challenging: Security logs contain crucial information but require careful handling
  2. Network efficiency matters: Remote queries need to be optimized to prevent overloading domain controllers
  3. User experience is important: Clear progress reporting and clean output make tools more usable
  4. Resiliency is critical: Enterprise tools must handle real-world conditions like timeouts and failures

Script : All-OUMove.ps1

The script is not available on this blog because it's quite lengthy, so if you would like it, please email me at scripts@a6n.co.uk
