Introduction
MigrationStudio licensing is based on the number of users that will be tracked throughout the migration. Users are most commonly created by importing accounts from Microsoft Active Directory (AD), although other sources - inventory databases, HR, and external lists - are also supported.
To ensure the correct quantity of licensing is applied, all users that are in-scope of the project should be counted within AD. This solution article details how to quickly access this information using PowerShell.
The article comprises of the following:
Solution Overview
The Active Directory module for Windows PowerShell is required to follow the instructions in this solution article. The module is available by default on domain controllers (DCs), however, additional configuration will be required on Windows member servers and Windows clients.
Installing the Active Directory module for Windows PowerShell
Windows 8, Windows 8.1, Windows 10
To install the Active Directory module for Windows PowerShell on a Windows client, download the correct version of the Remote Server Administration Tools (RSAT) package for the target operating system (OS):
Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
The Active Directory module for Windows PowerShell is installed on Windows Server by enabling the AD DS and AD LDS Tools feature. The example below is based on Windows Server 2019 although the concepts are similar for other versions.
- Start Server Manager
- Click Manage (1) and choose Add Roles and Features (2) from the menu
(more after image)
- Click Next until the Features (1) page appears
- Scroll down towards the bottom of the list and expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools
- Enable Active Directory module for Windows PowerShell (2)
- Click Next to progress to the Confirmation page
- Click Install to start the installation
Sample OU Configuration
Organisations typically have several OUs that contain users accounts. In this example, the accounts are located in the following Organisational Units (OU).
| OU | No. Users |
|---|---|
| OU=User Group 1, OU=Corp Users, DC=ST4, DC=Local | 7 |
| OU=User Group 2, OU=Corp Users, DC=ST4, DC=Local | 7 |
| OU=User Group 3, OU=Corp Users, DC=ST4, DC=Local | 6 |
| OU=Other Accounts, OU=Corp Users, DC=ST4, DC=Local | 10 |
Twenty standard user accounts are distributed between User Group 1-3 with ten service and administrator accounts in Other Accounts, as illustrated in the screenshot below. In total, 30 user accounts are in scope.
Return All Active Users of an OU
The first example uses the Get-AdUsers PowerShell cmdlet to recurse the OU specified by -SearchBase and returns the number of active AD accounts. MigrationStudio by default does not import disable AD accounts so the -Filter parameter is used to include only enabled accounts.
(Get-AdUsers ` -Filter "Enabled -eq 'True'" ` -SearchBase "OU=ParentOU,DC=myDomain,DC=myForest").Count
The backtick ` symbol is used to create a line break for improved readability.
Using the example in Sample OU Configuration above, the command returns 30 active user accounts:
Excluding Accounts by Name
Many organisations may have generic, service, or admin accounts nested within the OU specified by -SearchBase that should not be imported into MigrationStudio. These accounts can be excluded from the count by using common naming conventions, such as SVC for service accounts or ADM for administration accounts.
To exclude service accounts that start with SVC_, the -Filter parameter is extended using the -Or join operator to only include accounts that do not have an AD Name like *svc_*. The new filter reads: -Filter "Enabled -eq 'True' -Or Name -NotLike '*svc_*'".
For example:
(Get-AdUsers -Filter "Enabled -eq 'True' -Or Name -NotLike '*svc_*'" -SearchBase "OU=ParentOU,DC=myDomain,DC=myForest").Count
When run against the example OUs, this removes the five service accounts from the overall total.
Multiple expressions can be added to the -Filter parameter to exclude more than one account type. For example, to remove service accounts that contain SVC_ and admin accounts that include ADM_, the filter would read: -Filter "Enabled -eq 'True' -And Name -NotLike '*svc_*' -And Name -NotLike '*adm_*'"
(Get-AdUsers -Filter "Enabled -eq 'True' -And Name -NotLike '*svc_*' -And Name -NotLike '*adm_*'" -SearchBase "OU=ParentOU,DC=myDomain,DC=myForest").Count
Running this command against the examples in Sample OU Configuration would remove a total of 10 accounts from the overall total (5 service accounts, 5 admin accounts):
Excluding Accounts by the Last Logon
In the previous examples, accounts are excluded from the count if they are disabled or if the name follows a set pattern (svc_ and adm_). It might also be useful to exclude active accounts that haven't been used for a particular period of time. This can be achieved by piping the results to Where-Object and evaluating the (AD attribute) LastLogonDate.
The example below counts the number of active user accounts in OU=ParentOU,DC=myDomain,DC=myForest that were used in the previous 90 days:
(Get-AdUser `
-Filter "Enabled -eq 'True'" `
-SearchBase "OU=ParentOU,DC=myDomain,DC=myForest" `
-Properties LastLogonDate |
Where-Object {$_.LastLogonDate -gt (Get-Date).AddDays(-90)}).CountThe number of days is determined by (Get-Date).AddDays(-90)}) and refers to the previous 90 days from the current date.
As with previous examples, this can also be used in conjunction with additional filters to extend the exclusions:
(Get-AdUser `
-Filter "Enabled -eq 'True' -And Name -NotLike '*svc_*' -And Name -NotLike '*adm_*'" `
-SearchBase "OU=ParentOU,DC=myDomain,DC=myForest" `
-Properties LastLogonDate |
Where-Object {$_.LastLogonDate -gt (Get-Date).AddDays(-90)}).CountFurther Support
If you require further support, please visit MigrationStudio's Service Desk at https://support.migrationstudio.com/ to search the knowledge base or create a new support ticket.