Use PowerShell and Active Directory Cmdlets to Update Users in Active Directory


Summary: Learn how to use Windows PowerShell and the Active Directory cmdlets to update user objects in Active Directory.

 

Hey, Scripting Guy! QuestionHey, Scripting Guy! Watching you write a custom function to search Active Directory is about as much fun as watching paint dry. One reason we upgraded to Windows Server 2008 R2 was to gain access to the Active Directory cmdlets. I am not really good at using them, but I think I should be able to use them to find users that are missing a value for a particular attribute, and then supply a default value for it. Is this possible?

-- MW

 

Hey, Scripting Guy! Answer Hello MW,

Microsoft Scripting Guy Ed Wilson here. Watching paint dry could be fun if I had a bag of ANZAC biscuits and a pot of Darjeeling tea. I would also want my Zune HD so that I could play some nice jazz. If I had a nice recliner chair, I could get into some paint-drying time. Still, I do not think it would be as much fun as writing Windows PowerShell scripts. The complete SetADPropertyADCmdlets.ps1 script is shown here.

SetADPropertyADCmdlets.ps1

Import-Module ActiveDirectory

$users = $i = $null

$users = Get-ADUser -SearchBase "ou=testou,dc=nwtraders,dc=com" -filter * `
    -property description

ForEach($user in $users)
{
  if([string]::isNullOrEmpty($user.description))
  {
    "modifying $($user.name)"
    Set-ADUser -Identity $user.distinguishedName -Description "added via script"
    $i++
  }
}
"modified $i users"

Before we dive into the script, I like to take a look at my target. I seldom write a script that works with Active Directory without having ADSI Edit and Active Directory Users and Computers open. In fact, I have a custom MMC that contains both of those snap-ins as well as several other tools. The contents of the testou in the Nwtraders.com domain are shown in the following image.

Image of contents of testou in Nwtraders.com domain

As you can see in the previous image, the testou organizational unit contains both users and computers. In addition, one of the user objects contains a value for the description property; the other objects do not have a value for the description property. I only wish to add a description property value for the users that do not currently have a description; I do not wish to overwrite any existing values. In addition, the description I am going to add is not appropriate for computer objects. Sounds complicated, but it is a very common scenario. The script will need the ability to perform the following actions.

·         Search a specific organizational unit for user objects.

·         Find user objects that are missing a value for a specific attribute.

·         Write a default value for user objects that are missing a value for the specific attribute.

The first thing to do when using the Microsoft Active Directory cmdlets is to use the Import-Module cmdlet to import the ActiveDirectory module.

For information about how to obtain and use the Microsoft Active Directory cmdlets, see What’s up with Active Directory Domain Services Cmdlets?

After the ActiveDirectory module has been imported, I set the $users and the $i variables to $null. This portion of the SetADPropertyADCmdlets.ps1 script is shown here:

Import-Module ActiveDirectory

$users = $i = $null

I now use the Get-ADUser cmdlet to retrieve users from the testou in my nwtraders.com domain. The filter parameter is required, so I give it the wildcard character * to tell it I want everything returned. In addition, I specify that I want the description property returned in the search results. For performance reasons, the Get-ADUser cmdlet returns only a subset of the available properties from Active Directory Domain Services (AD DS). The search results are stored in the $users variable. The command is a little long, so I use the line-continuation backtick character (`) to move the -property description portion of the command to the second line. This is a requirement for publishing the script to the blog. In my original script, the command fit nicely on a single line; it is therefore a single logical command. The command is shown here:

$users = Get-ADUser -SearchBase "ou=testou,dc=nwtraders,dc=com" -filter * `
    -property description

A collection is returned via the Get-ADUser cmdlet. Therefore, I use the ForEach statement to walk through the collection. Unfortunately, I cannot pipe the results of the Get-ADUser cmdlet directly to Set-ADUser. When inside the collection, I use the static isNullOrEmpty method from the system.string .NET Framework class. I have it check the description property on the user object. If the property is empty or null, I then display a string that states I am modifying the user object. This portion of the script is shown here:

ForEach($user in $users)
{
  if([string]::isNullOrEmpty($user.description))
  {
    "modifying $($user.name)"

To modify the user object, use the Set-ADUser cmdlet. The identity parameter is used to specify which object to modify; this parameter will accept a distinguished name, the object GUID, the security identifier (SID), the SAM account name, or the name of the object. Here, I chose the distinguishedName property from the user object. The description parameter holds the value to add to the description attribute on the object. This command is shown here:

Set-ADUser -Identity $user.distinguishedName -Description "added via script"

The last two things to do are to increment the $i counter variable and display a summary string. This portion of the script is shown here:

    $i++
  }
}
"modified $i users"
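The same task written as a reusable function, added here as an example rather than code from the original post. It lets the domain controller do the filtering with an LDAP filter so only users that truly lack a description come back, and it supports -WhatIf so the change can be rehearsed before anything is written. The OU path and the optional -Server value are placeholders you supply.

```powershell
# Added example (not the original SetADPropertyADCmdlets.ps1). Assumes the
# ActiveDirectory module is available and that you supply the OU to search.
Import-Module ActiveDirectory

function Set-DefaultUserDescription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,                        # e.g. "ou=testou,dc=nwtraders,dc=com"
        [string]$Description = "added via script",
        [string]$Server                             # optional DC or domain name to target
    )

    # (!(description=*)) matches only objects with no description value, so a
    # user that already has one is never returned, let alone overwritten.
    # Get-ADUser itself restricts results to user objects, so computers in
    # the same OU are left alone.
    $getParams = @{
        LDAPFilter = '(!(description=*))'
        SearchBase = $SearchBase
        Properties = 'description'
    }
    if ($Server) { $getParams['Server'] = $Server }

    $modified = 0
    foreach ($user in Get-ADUser @getParams) {
        # ShouldProcess wires up -WhatIf and -Confirm: with -WhatIf it only
        # reports what would change and returns $false.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set description to '$Description'")) {
            $setParams = @{ Identity = $user.DistinguishedName; Description = $Description }
            if ($Server) { $setParams['Server'] = $Server }
            Set-ADUser @setParams
            $modified++
        }
    }
    "modified $modified users"
}

# Rehearse first, then make the change for real.
Set-DefaultUserDescription -SearchBase "ou=testou,dc=nwtraders,dc=com" -WhatIf
Set-DefaultUserDescription -SearchBase "ou=testou,dc=nwtraders,dc=com"
```

With -WhatIf the function prints one "What if:" line per user it would touch and reports "modified 0 users", which is the expected dry-run result.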

When the script runs in the Windows PowerShell ISE, the output appears that is shown in the following image.

Image of output that appears in Windows PowerShell ISE

Active Directory Users and Computers is used to verify that the changes were completed. Keep in mind that you might need to hit refresh (F5) a few times before the changes appear. In addition, depending on your network topology, it might actually take a minute or two. On my system, the changes shown in the following image took a few seconds of pressing refresh before they appeared.

Image of changes that appear after refreshing

MW, that is all there is to using the Microsoft Active Directory cmdlets to find objects with missing values and then assign default values to those objects. Active Directory Week draws to an end. Join us tomorrow when we will have a guest blogger talk about the Windows PowerShell Scripting Community. You should not miss this excellent article.  

We invite you to follow us on Twitter and Facebook. If you have any questions, send email to us at scripter@microsoft.com, or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

 

Ed Wilson and Craig Liebendorfer, Scripting Guys

  • That's OK, but how can I find and update domain user accounts in different domains within single Active Directory forest?

  • @Serge Nikalaichyk

    You can do this by connecting to specific domain controllers via the -server parameter in the get-aduser and set-aduser cmdlets.

  • Yes, I know how to do it. I wanted to perform Global Catalog search for a user and update it in a pipe using Active Directory module. Updating thousands of user accounts located in different domains within one forest is easier using Exchange 2010 cmdlets.

    For example:

    This command will succeed (Exchange snap-in):

    Get-User -Filter "Name -eq 'Serge Nikalaichyk'" -IgnoreDefaultScope | Set-User -City Minsk

    While this command will fail (AD module):

    Get-ADUser -Filter {Name -eq "Serge Nikalaichyk"} -SearchBase "" -Server "dc01.mycompany.com:3268" | Set-ADUser -City Minsk
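One way to get the forest-wide search and the per-domain write into a single pipeline with the AD module, added here as an example and not code from the post or the commenter. The global catalog on port 3268 answers the search but is read-only, so the write is sent to the domain named in each object's distinguished name. The GC host name and domain names are placeholders.

```powershell
# Added example. Assumes a global catalog reachable at gc.mycompany.com:3268
# (placeholder) and write rights in each domain that holds a matching user.
Import-Module ActiveDirectory

# "CN=x,OU=y,DC=child,DC=mycompany,DC=com" -> "child.mycompany.com"
# Only DC= components are read, so escaped commas inside a CN do not matter.
function Get-DomainFromDN {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $parts = [regex]::Matches($DistinguishedName, '(?i)(?:^|,)\s*DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    return ($parts -join '.')
}

function Set-ForestUserCity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$City,
        [string]$GlobalCatalog = 'gc.mycompany.com:3268'   # placeholder
    )
    # An empty SearchBase against a GC searches the whole forest. A string
    # filter is used so $Name expands reliably inside the function.
    Get-ADUser -Filter "Name -eq '$Name'" -SearchBase '' -Server $GlobalCatalog |
        ForEach-Object {
            $domain = Get-DomainFromDN $_.DistinguishedName
            if ($PSCmdlet.ShouldProcess("$($_.DistinguishedName) via $domain", "Set City=$City")) {
                # Write to a writable DC in the object's own domain, not the GC.
                Set-ADUser -Identity $_.DistinguishedName -City $City -Server $domain
            }
        }
}

Set-ForestUserCity -Name 'Serge Nikalaichyk' -City 'Minsk' -WhatIf
```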

  • One other way to modify the Description attribute is to modify the attribute on the $user object and then use the -Instance parameter with Set-ADUser.

    Example:

    If ($user.Description -eq $null) {
        $user.Description = "added via script"
        Set-ADUser -Instance $user
    }

  • Here's a simple one for you.  How do I set a user's description to equal his title?  I'm really new to this and it's driving me nuts!

  • I found it.  The day wasn't COMPLETELY wasted...  To update the description field for anyone with a Title:

    Get-ADUser -filter * -searchbase "OU=test, OU=Users, dc=abc, dc=com" -Properties Description, Title | Where-Object {$_.Title -ne $null} | ForEach-Object {Set-ADObject -Identity $_.DistinguishedName -Replace @{Description=$($_.Title)}}

    Whew!  I'll be able to sleep tonight.

  • hey

    i just recruited as net admin in my company

    the previous guy was writing job titles in description fields and i want to move them in their correct field.

    we have more than 2500 users in AD and you can count the amount of time i have to do this manually

    is there a way to automate this procedure ?

    thanks

  • @Fattah: I can understand that doing it manually is a pain, you could maybe try this portal for more information around your question: http://www.corporate-directory.net/ They have some utilities that you could use and also some articles that maybe of interest to you. HTH, Thanks!

  • Hi, the script is simple and useful. Explanation is very clear. Thanks for sharing.

  • thanks