Active Directory Object (Move, Query)

With Move Active Directory Object, you can move target Active Directory Object(s):

  • of a specific Active Directory Object type or types.
  • in a specific Active Directory folder (optionally including subfolders).
  • with a name that matches a specific wildcard pattern.

With Query Active Directory Object, you can obtain overviews of all Active Directory Objects, filtered by Organizational Unit, by (logon) name and/or by property value. By default, the Query results show the folder, name, account name and type of each Active Directory Object, but the set of Object Properties included in the Query results is fully configurable.


  • If you are going to run the Task on a Domain controller, you can leave the Domain controller field on the Settings tab empty and select Local Agent (domain controller) instead.

When you configure a Task to move Active Directory Objects that match a set of criteria, there is a risk that more Active Directory Objects are targeted than expected. By selecting the option Fail this Task if the number of items affected exceeds [x], you can create a safety net that prevents undesired results.
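The same safety net can be rehearsed outside the product before a Task is scheduled. The following is an added example, not Ivanti's own code: it uses the Microsoft ActiveDirectory PowerShell module to list what a type, folder and wildcard selection would hit, and refuses to continue above a cap. The function name, the OU=Retired target, the WS-AMS-* pattern and the cap of 25 are constructed placeholders.

```powershell
# Added example: preview a criteria-based move and enforce a cap on affected objects.
# Requires the RSAT ActiveDirectory module. All OUs, patterns and limits are placeholders.
Import-Module ActiveDirectory

function Get-MoveCandidates {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $SourceOU,      # DN of the folder to search
        [Parameter(Mandatory)] [string]   $NamePattern,   # wildcard on the object name
        [Parameter(Mandatory)] [string[]] $ObjectTypes,   # e.g. 'computer', 'user', 'group'
        [switch] $IncludeSubfolders,
        [string] $Server                                  # optional domain controller
    )
    # Escape LDAP filter metacharacters but keep '*' so the wildcard still works.
    $safe = $NamePattern -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    $query = @{
        SearchBase  = $SourceOU
        SearchScope = if ($IncludeSubfolders) { 'Subtree' } else { 'OneLevel' }
        LDAPFilter  = "(name=$safe)"
    }
    if ($Server) { $query.Server = $Server }
    # ObjectClass on the result is the most specific class, so 'user' does not
    # silently include computer accounts.
    Get-ADObject @query | Where-Object { $ObjectTypes -contains $_.ObjectClass }
}

$maxAffected = 25
$targetOU    = 'OU=Retired,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local'
$selection   = @{
    SourceOU          = 'OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local'
    NamePattern       = 'WS-AMS-*'
    ObjectTypes       = 'computer'
    IncludeSubfolders = $true
}
$candidates = @(Get-MoveCandidates @selection)

# Fail before touching the directory if the selection is larger than expected.
if ($candidates.Count -gt $maxAffected) {
    throw "Refusing to move: $($candidates.Count) objects match, cap is $maxAffected."
}

$candidates | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
# -WhatIf only reports what would be moved; remove it to apply the change.
$candidates | Move-ADObject -TargetPath $targetOU -WhatIf
```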

  • When you browse for a specific OU, this information is automatically pasted in the relevant field and takes the following format: OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local. However, if you set a parameter in this field, the data will have to be provided in the correct format at the moment of input. To provide an example of the format, copy a sample path and paste it as the default value for the relevant parameter. With the Input setting Show previous value, the example will be shown whenever input is required for the parameter.
  • In Tasks to set Active Directory properties for Active Directory objects, the variable %username% will be resolved as the name of the user under which the Ivanti Automation Agent runs. If you want to refer to the actual user name of the target Active Directory object instead, for example when you are setting a user's home drive using the Task Manage Active Directory User, use the variable %accountname%. This will be resolved as the pre-Windows 2000 user name of the Active Directory User, Computer, Group or Object that is being managed. This option is not available for Organizational Units.
  • The execution speed of Active Directory Queries may depend on the number of additional Active Directory properties that are to be reported in the query. On the Computer Properties tab, you can select a maximum number of 90 Active Directory properties.
  • When browsing for an Organizational Unit, the list of Organizational Units that is shown depends on the Security context and the Domain controller. If the Domain controller field is empty, the list of Organizational Units depends on the Domain.
  • It is possible to abort long-running Active Directory Query Tasks. It may take around 10 seconds for the abort to be detected by the Agent, after which the Job will fail with status Aborted. Long-running Active Directory Tasks that update, move or delete Active Directory objects cannot be aborted; the Task will always run until it is completed.