Hey, Scripting Guy! How can I clear the logon script path for all my users? -- TF
Hey, TF. You know, in a momentary bout of insanity one of the Scripting Guys once agreed to play his son in an Xbox college football game. “It’s really easy to play,” noted the Scripting Son, who then proceeded to provide a brief tutorial on how to run, pass, kick, and tackle. A half hour or so later - and trailing 150,000 to nothing - the Scripting Guy sighed. “Man, your guys just seem so much faster than mine: I can never outrun them and never catch up to them.”
“Well, that’s because you never use the turbo button,” replied the Scripting Son. “Did I forget to tell you about the turbo button?”
Yes, son, you did. Forearmed with the new-found knowledge about the turbo button, the Scripting Guy and his son squared off once more, this time in a fair-and-square battle for family video game supremacy.
Note. No, it doesn’t matter what the score was. After all, this was about quality bonding time between a father and a son; it had nothing to do with winning or losing. Besides, there was a glare on the TV screen and the B button on the Scripting Guy’s controller didn’t seem to work right. And, really, it’s just a silly little video game: what difference does it make if you happen to get crushed 104-7? Not that 104-7 really counts as a crush, mind you. Edged 104-7? Nipped 104-7? Lucked out 104-7? Something like that.
As it turns out, clearing the logon script path is just as easy as playing college football on the Xbox … provided that you know about ADSI’s version of the turbo button. What does that mean? Well, let’s show you the script and then answer the question:
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Const ADS_PROPERTY_CLEAR = 1
' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
' Retrieve the AdsPath of every user account in the domain
objCommand.CommandText = _
    "SELECT AdsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    ' Bind to the user account and clear (not blank out) the scriptPath attribute
    Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
    objUser.PutEx ADS_PROPERTY_CLEAR, "scriptPath", 0
    ' Write the change back to Active Directory
    objUser.SetInfo
    objRecordSet.MoveNext
Loop
For the most part this is a standard script for searching Active Directory: we simply retrieve the AdsPath attribute for all the user accounts, then bind to each user account and clear the value for the scriptPath attribute. We don’t have room in this column to explain how all that works; if you aren’t familiar with scripts that search Active Directory, you might want to take a look at our two-part Tales from the Script series titled Dude, Where’s My Printer?
So where’s the turbo button in all this? Well, the turbo button shows up here, in the part where we actually clear the logon script path for a user:
objUser.PutEx ADS_PROPERTY_CLEAR, "scriptPath", 0
As you can see, this is somewhat odd-looking code. You might expect us to do something a little more straightforward, like set the value of the scriptPath attribute to nothing:
objUser.scriptPath = ""
Why don’t we do this? There’s a simple reason for that: it won’t work. Setting the value of scriptPath to an empty string will not actually clear the scriptPath; instead, it sets the value to an empty string. You might think, “Well, so what?”, but to Active Directory there’s definitely a difference. Suppose we conduct a search for all the users that have a logon script assigned to them. Believe it or not, any user whose scriptPath has been set to an empty string will show up as having a logon script assigned to them. That’s because Active Directory believes that this user does have a logon script assigned; it’s just that the scriptPath happens to equal an empty string.
We know, we know. But that’s just the way it is.
Because of this, we have to specifically clear the scriptPath attribute; we can’t just set the value to an empty string. To clear the attribute we define a constant named ADS_PROPERTY_CLEAR and set the value to 1. We then call the PutEx method followed by three parameters:
ADS_PROPERTY_CLEAR, indicating the type of operation we want to perform (clearing the value).
“scriptPath”, indicating the attribute we want to clear.
0, a placeholder for the new value being assigned. We aren’t really assigning a new value, but without adding the 0 we’ll get an error message because PutEx will not have the required number of parameters.
After all that we then call the SetInfo method to officially write the changes to the user account object in Active Directory. The logon script path will now be cleared.
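A PowerShell version of the same clear operation, as an added example that is not part of the original column. It assumes the ActiveDirectory module is installed; the default search base and the backup file name are placeholders. It lists the accounts whose scriptPath attribute is present, saves the current values, and changes nothing unless it is run with -Apply.

```powershell
# Added example: audit, back up, then clear scriptPath. Not code from the original column.
# Assumes the ActiveDirectory module (RSAT). $SearchBase and $BackupCsv are placeholders.
param(
    [string]$SearchBase = 'dc=fabrikam,dc=com',
    [string]$BackupCsv  = '.\scriptPath-backup.csv',   # hypothetical file name
    [switch]$Apply                                      # without -Apply, only a preview runs
)

Import-Module ActiveDirectory

# (scriptPath=*) is the LDAP presence test: it matches every account on which the
# attribute exists at all, whatever value it holds.
$users = @(Get-ADUser -LDAPFilter '(scriptPath=*)' -SearchBase $SearchBase `
                      -SearchScope Subtree -Properties scriptPath)

if ($users.Count -eq 0) {
    Write-Output "No accounts under $SearchBase have scriptPath set."
    return
}

# Record the current values so the change can be reviewed or rolled back.
$users |
    Select-Object DistinguishedName, SamAccountName, scriptPath |
    Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8

foreach ($user in $users) {
    # -Clear removes the attribute from the object, the same effect as
    # PutEx ADS_PROPERTY_CLEAR, instead of writing an empty value to it.
    Set-ADUser -Identity $user -Clear scriptPath -WhatIf:(-not $Apply)
}

if ($Apply) {
    # Verify: the presence filter should now return nothing.
    $left = @(Get-ADUser -LDAPFilter '(scriptPath=*)' -SearchBase $SearchBase)
    Write-Output "Cleared $($users.Count) account(s); $($left.Count) still have scriptPath set."
}
```

Run it once without -Apply and review the CSV and the WhatIf output before making the change.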
In case you’re wondering, in relative terms our hero’s performance in Xbox football wasn’t all that bad; after all, you should have seen what happened when he tried to play Halo 2. Not a pretty sight at all.
# Requires the ActiveDirectory module
$allusers = Get-ADUser -Filter * -SearchBase "ou=divisions, dc=domain, dc=com" -Properties ScriptPath
foreach ($user in $allusers)
{
    Set-ADUser $user -ScriptPath $null
}