Use the PowerShell AD Provider to Modify User Attributes

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using the Windows PowerShell Active Directory module provider to modify user attributes in AD DS.

Hey, Scripting Guy! Just searching for users, or filtering for them, is not entirely all that useful. For me, I need to be able to make changes based on that search or filter. Is this easily done, or is it a real pain to do?

—DR

Hello DR,

Microsoft Scripting Guy, Ed Wilson, is here. Yesterday, I received word that my latest appearance on Blain Barton’s TechNet Radio Podcast is now live. In fact, Devon Musgrave at Microsoft Press wrote a cool blog about it. Blain and I talked about how certification literally changed our lives. The appearance was fun to do, and the discussion should be fun to listen to in addition to informational.
Check it out: Author news: Ed Wilson on how certification changed his life.

Note   This is the fourth blog in a series about using the Active Directory module.

Find users that need modification

Suppose there are several users in an OU that have a specific attribute that needs to be changed. This may be because of merging departments or a corporate buyout. In the following image, the office location of the user needs to be changed.

Image of menu

This particular task begins with finding the user, and it can be a bit frustrating. After attempting to find a user object with an office in Raleigh that resides in the Charlotte OU, I was about to give up. Then I decided to look up the user in ADSI Edit. Here is what I found out.

Image of results

The property that appears as Office in ADUC is called PhysicalDeliveryOfficeName. Without a quick peek at ADSI Edit, I would never have discovered that one! So now, all is groovy.

Note   I am using a PS Drive called Charlotte that is homed on the Charlotte OU. I explained how to create it in Playing with the AD: Drive for Fun and Profit.

Keep in mind that I do not use spaces around the equals sign with this filtering technique. Although it does not generate an error, the following command, which has spaces in the filter, does not find any users either.

PS charlotte:\> Get-Item -Filter "physicaldeliveryofficename = Raleigh" -Path *

PS charlotte:\>

So I need to remove the spaces. The following command finds the two users I need to modify. The cool thing about using Get-Item here is that if more than one item matches the filter, it returns all matching objects. Here is the command I use.

PS charlotte:\> Get-Item -Filter "physicaldeliveryofficename=Raleigh" -Path *

Name                 ObjectClass          DistinguishedName
----                 -----------          -----------------
Regular User         user                 CN=Regular User,ou=charlotte,dc=iammred...
Sample User          user                 CN=Sample User,ou=charlotte,dc=iammred,...

PS charlotte:\>

Modify the user object with Set-ItemProperty

Now that I know what filter I need to use and I have verified that I can find the users that need updating, it is time to perform the actual modification. The cool thing here is that I use the Set-ItemProperty cmdlet to make the modifications. By using Set-ItemProperty, it becomes really easy to modify the users whose office changed from Raleigh to Charlotte. In fact, the command is so easy to use that it contains its own Filter parameter.

Therefore, all I need to do is to copy the filter I used with the Get-Item cmdlet and paste it into the Filter parameter. Because I am potentially going to make a bunch of changes, I decided to use the WhatIf parameter first to tell me exactly what the command will do. The following command illustrates using WhatIf and the Filter parameters with the Set-ItemProperty cmdlet to model a potential change to user objects in AD DS. The output generated by the WhatIf parameter lets me know the two users who will receive the modification.

PS charlotte:\> Set-ItemProperty -Filter "physicaldeliveryofficename=Raleigh" -Path * -Name physicaldeliveryofficename -Value Charlotte -WhatIf
What if: Performing operation "Set" on Target "CN=Regular User,ou=charlotte,dc=iammred,dc=net".
What if: Performing operation "Set" on Target "CN=Sample User,ou=charlotte,dc=iammred,dc=net".
PS charlotte:\>

Now that I see the two users who will receive the changed office locations are the same two users I found by using the Get-Item cmdlet, I can be reasonably certain that the command will perform what I want it to do. Therefore, I use the up arrow to retrieve my previous command, and this time I erase the -WhatIf portion of the command. (I always use WhatIf at the end of a cmdlet call so that it is easy to delete when it comes time to run the actual command.) As shown here, nothing returns from running the command.

PS charlotte:\> Set-ItemProperty -Filter "physicaldeliveryofficename=Raleigh" -Path * -Name physicaldeliveryofficename -Value Charlotte
PS charlotte:\>

I use the up arrow a couple of times and retrieve my previous Get-Item command to see if any users still have offices in Raleigh. As shown here, the command finds no users—they have all been changed.

PS charlotte:\> Get-Item -Filter "physicaldeliveryofficename=Raleigh" -Path *

PS charlotte:\>

OK. One more check…seeing is believing. Let me verify that the office is changed on one of the users I found earlier. Yep, the user office location is in fact changed from Raleigh, as shown here.

Image of menu
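The same find, preview, change and verify sequence can be wrapped so that the old values are recorded before anything is modified and an over-broad filter is refused. This is an added example, not code from the original post: it uses the Active Directory module cmdlets Get-ADUser and Set-ADUser rather than the provider, and the function name, its parameters and the 25-user limit are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: Set-OfficeWithSnapshot and its parameters are hypothetical names.
function Set-OfficeWithSnapshot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SearchBase,    # OU distinguished name
        [Parameter(Mandatory = $true)] [string] $OldOffice,
        [Parameter(Mandatory = $true)] [string] $NewOffice,
        [Parameter(Mandatory = $true)] [string] $SnapshotPath,  # CSV of the "before" values
        [int] $MaxChanges = 25                                  # assumed safety limit
    )

    # Escape LDAP filter metacharacters (RFC 4515) so the value cannot widen the match.
    $escaped = $OldOffice -replace '\\', '\5c' -replace '\*', '\2a' `
                          -replace '\(', '\28' -replace '\)', '\29'
    $filter  = "(physicalDeliveryOfficeName=$escaped)"          # no spaces around '='

    # OneLevel mirrors "-Path *" on the OU-rooted drive: direct children only.
    $query   = @{ LDAPFilter = $filter; SearchBase = $SearchBase; SearchScope = 'OneLevel' }
    $targets = @(Get-ADUser @query -Properties physicalDeliveryOfficeName)

    if ($targets.Count -gt $MaxChanges) {
        throw "Filter matched $($targets.Count) users; limit is $MaxChanges. Nothing changed."
    }

    # Record the old values before touching anything (skipped under -WhatIf).
    if ($targets.Count -gt 0) {
        $targets |
            Select-Object DistinguishedName, ObjectGUID, physicalDeliveryOfficeName |
            Export-Csv -Path $SnapshotPath -NoTypeInformation
    }

    foreach ($user in $targets) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set office to '$NewOffice'")) {
            Set-ADUser -Identity $user.ObjectGUID -Replace @{ physicalDeliveryOfficeName = $NewOffice }
        }
    }

    # Re-run the same query; after a real run this should be 0.
    New-Object PSObject -Property @{
        Matched   = $targets.Count
        Remaining = @(Get-ADUser @query).Count
    }
}

# Dry run first, then repeat without -WhatIf:
# Set-OfficeWithSnapshot -SearchBase 'ou=charlotte,dc=iammred,dc=net' -OldOffice Raleigh `
#     -NewOffice Charlotte -SnapshotPath .\office-before.csv -WhatIf
```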

DR, that is all there is to modifying user objects with the Windows PowerShell Active Directory provider. Active Directory Week will continue tomorrow when I will talk about further use of Windows PowerShell techniques with the Active Directory module provider.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Whenever I'm unsure of the name of the property I'm looking for, I can find it as long as I know the value of the property for one object in the collection. Since I know my office is "Bergen", I can list relevant properties this way:

    $me = get-aduser "thomas.brevig" -Properties *

    $value = "*bergen*"

    $me | select ($me | gm | ? {$me.($_.name) -like $value} | select -ExpandProperty name)

    physicalDeliveryOfficeName will show up in the results.

  • @Thomas Brevig That is an excellent tip. Thank you for sharing.

  • What am I missing?  I get this error:

    Select-Object : Cannot convert System.Management.Automation.PSObject to one of the following types {System.String, System.Management.Automation.ScriptBlock}.

    At line:1 char:13

    + $me | select <<<<  ($me | gm | ? {$me.($_.name) -like $value} | select -ExpandProperty name)

       + CategoryInfo          : InvalidArgument: (:) [Select-Object], NotSupportedException

       + FullyQualifiedErrorId : DictionaryKeyUnknownType,Microsoft.PowerShell.Commands.SelectObjectCommand

  • get-content c:\users.txt | get-aduser | Set-ADUser -Manager "Biswajit"

  • could you please help me to add custom attribute in object class?

  • I modified i.biswajith's suggestion. Thanks to i.biswajith your script helped me, hopefully I can pay it forward. I used a script to create the test.csv file. Content consisted of SamAccountNames (one per line).
    Get-Content c:\test.csv | Set-ADUser -ADD @{extensionattribute4='YES'}

  • thanks