
Modifying user properties
In the previous section, we saw how to create user accounts using the Active Directory PowerShell module. The system administrator's task does not end with creating user objects in Active Directory; they will also be responsible for modifying and managing them. This section will help you understand the process involved in modifying user accounts using PowerShell.
Since modifying user accounts has a very big scope, we will discuss a few example cases where a bulk user modification is required. These examples will help you understand the modification process. You can leverage these examples to modify any other attributes in Active Directory:
- Updating the description of a user object
- Updating the telephone number of multiple users
- Enabling or disabling user accounts in bulk
- Moving user accounts to another OU
Before jumping on to modifying user properties, let's brush up on the basics. To update the description of a user account, you will typically follow these steps:
- Open the ADAC tool (or ADUC).
- Search for a username in Active Directory.
- Go to the properties of the object.
- Update the description and save your changes by clicking on OK.
What happens under the hood when you update the description of the object and save it? The system writes the value to a respective attribute of that user object. You can view all attributes and their values using the Attribute Editor tab in ADAC (or ADUC in Windows Server 2008 R2). To view this information from Windows Server 2003, you need to use the adsiedit.msc tool.
Here are the attribute details of user objects we created during bulk user creation in the previous section. You can see the values that are being read from the CSV file and used for creation.

So, in order to update any details of a user object, first we need to know its attribute name or display name.
Similar to the GUI approach, we can search for a user object and list its attributes using PowerShell. The Get-ADUser cmdlet can be used for this:
Get-ADUser -Filter {Name -eq "ChrisB" }
This will return the user object with the Name attribute having the value ChrisB. By default, it will return only a basic set of attributes. If you want to see all attributes of this user object, then specify the -Property parameter, as shown in the following command:
Get-ADUser -Filter {Name -eq "ChrisB" } -Property *
You can also query users whose name starts with Chris by adjusting the value of the -Filter parameter, as shown in the following command:
Get-ADUser -Filter {Name -like "Chris*" }
Similarly, we can query all objects inside a particular Organizational Unit by passing the OU distinguished name to the -SearchBase parameter, as shown in the following command:
Get-ADUser -Filter * -SearchBase "OU=LAB,dc=techibee,dc=ad"
Now that we know how to search for objects, let's move on to learn how to modify them.
Updating the description of a user object
In the previous section, you learned how to search and find a user object. Let's use that logic and get an instance of the ChrisB user object, as shown in the following command:
$UserObj = Get-ADUser -Filter {Name -eq "ChrisB" } -Properties *
The $UserObj variable stores the reference to the ChrisB user object. We can view the current description of the user object by using the following command, assuming the user account has a description set:
$UserObj.Description
To replace the current description with a new value, first we need to understand what data type this attribute will accept. As we mentioned before, we can find this out using the GetType() method. You can invoke this method, as shown in the following command:
$userObj.Description.GetType()
The output of this command shows that it accepts data of type string, as shown in the following screenshot:

To update the description to a new value, we need to use the Set-ADUser cmdlet and pass the $UserObj to the -Identity parameter and the string that you want to set in the description field to the -Description parameter. The following command will return to the PS prompt in the PowerShell window if it completes without any errors:
Set-ADUser -Identity $UserObj -Description "Added new description via PowerShell"
To verify if the new description is updated in the user description field, we can either check it through the GUI or run the PowerShell command that we used for querying the user object in the preceding command.
Putting everything together, the following code will update the description of a given Active Directory user:
$UserName = "ChrisB"
$NewDescription = "Delete this account after November"
$UserObj = Get-ADUser -Filter {Name -eq $UserName} -Properties *
Write-Host "Current description is : $($UserObj.Description)"
Set-ADUser -Identity $UserObj -Description $NewDescription
$UserObj = Get-ADUser -Filter {Name -eq $UserName} -Properties *
Write-Host "New description is : $($UserObj.Description)"
You can update the values of any other attribute using the procedure explained in this code. As a matter of practice, try updating the DisplayName of a user.
Remember? Practice makes perfect!!!
Updating the telephone numbers of multiple users
In the previous example, you learned how to update the value of description using PowerShell. Now, let's take a look at updating telephone numbers of multiple users. This operation is a little different from updating the description operation. Here, we have two complexities, which are as follows:
- We don't know which attribute will get updated when a number is added to the telephone number field in the GUI.
- Performing a telephone number update for multiple users by reading from a text file or CSV file.
Let's address these complexities one by one. First, we need to identify the attributes that need to be updated. In this demonstration, we want to update the Office telephone number, Home number, and mobile number of the users. If these users already have these numbers set, then we can use the attribute editor to identify the attribute names that need to be updated. If not, set these telephone numbers for one user account and then use the attribute editor to identify the attribute names. Alternatively, you can use the Get-ADUser cmdlet to retrieve all attributes. The PowerShell way is preferred here, as we want to learn more and more about it. Examine the output of the following command carefully and identify the attribute names that have the telephone numbers you see in the GUI:
Get-ADUser -Identity chrisB -Properties *
You will notice that the following command has the telephone numbers you see in the GUI:
Get-ADUser -Identity ChrisB -Properties * | select HomePhone, OfficePhone, mobile
The attributes selected in the preceding command are described as follows:
- OfficePhone: This attribute contains the phone number that you see under the Main field in telephone numbers in ADAC. In ADUC, you will see this number in the Telephone number field in the General tab.
- HomePhone: This is the phone number you will see in the Home Phone field.
- mobile: This attribute contains the phone number you will see in the Mobile field.
First, let's update the telephone details of one user, then we can extend the logic to update other users in bulk.
Let's store the numbers in variables first, as shown in the following commands:
$OfficeNumber = "+65 12345678"
$HomeNumber = "+65 87654321"
$MobileNumber = "+65 13578642"
The next step is to update the preceding values for a user account, as shown in the following command:
Set-ADUser -Identity ChrisB -OfficePhone $OfficeNumber -HomePhone $HomeNumber -MobilePhone $MobileNumber
This is straightforward because the Set-ADUser cmdlet has parameters that can set these phone numbers. If the attribute that you are trying to set is not available as a parameter to the cmdlet, then you can use the -Add parameter to directly specify the attribute name and the value. Similarly, you can use other parameters such as -Replace and -Clear to work with attributes directly. The preceding example can be rewritten using the -Add parameter, as shown in the following commands:
Set-ADUser -Identity ChrisB -Clear telephonenumber, homephone, mobile
Set-ADUser -Identity ChrisB -Add @{telephonenumber = $OfficeNumber; homephone = $HomeNumber ; mobile = $MobileNumber }
Here, we are setting the office phone number to the telephonenumber attribute, the home number to the homephone attribute, and the mobile number to the mobile attribute. Before setting them, we clear the existing values using the -Clear parameter, because -Add fails on a single-valued attribute that already holds a value.
Now, we can extend this logic to multiple users using a foreach loop in PowerShell. Before doing this, store the user names and numbers you want to set in a CSV file and import it into PowerShell. The following screenshot shows how the contents of the CSV look:

And the code to set the telephone numbers is as follows:
$Users = Import-CSV c:\temp\usersPhoneNumbers.csv
foreach($User in $Users) {
    Set-ADUser -Identity $User.UserName -OfficePhone $User.OfficeNumber -HomePhone $User.HomeNumber -MobilePhone $User.MobileNumber
}
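The bulk loop above assumes every row is valid and every user exists; the following added example (written for this section, not the book's own code) reads the same CSV layout, reports rows whose user cannot be resolved, uses -Replace so no separate -Clear step is needed, and honours -WhatIf so the run can be previewed before any attribute is written. It assumes the ActiveDirectory module and the column names UserName, OfficeNumber, HomeNumber and MobileNumber; the CSV content is constructed inline.

```powershell
# Added example: bulk phone update from CSV rows with validation, -WhatIf support
# and a per-user result record. Assumes the ActiveDirectory (RSAT) module.
function Update-UserPhoneNumbers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Rows)

    foreach ($row in $Rows) {
        $result = [pscustomobject]@{ UserName = $row.UserName; Status = ''; Detail = '' }

        # Resolve the account first so a typo in the CSV is reported, not silently skipped
        try {
            $user = Get-ADUser -Identity $row.UserName -ErrorAction Stop
        } catch {
            $result.Status = 'NotFound'; $result.Detail = $_.Exception.Message
            $result; continue
        }

        # Build the attribute set from non-empty columns only. -Replace writes the value
        # whether or not one is already present, unlike -Add on a single-valued attribute.
        $attrs = @{}
        if ($row.OfficeNumber) { $attrs['telephoneNumber'] = $row.OfficeNumber.Trim() }
        if ($row.HomeNumber)   { $attrs['homePhone']       = $row.HomeNumber.Trim() }
        if ($row.MobileNumber) { $attrs['mobile']          = $row.MobileNumber.Trim() }
        if ($attrs.Count -eq 0) {
            $result.Status = 'Skipped'; $result.Detail = 'no phone values in row'
            $result; continue
        }

        # -WhatIf given to this function flows down to Set-ADUser through ShouldProcess
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set $($attrs.Keys -join ', ')")) {
            Set-ADUser -Identity $user -Replace $attrs
            $result.Status = 'Updated'
        } else {
            $result.Status = 'WhatIf'
        }
        $result.Detail = ($attrs.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        $result
    }
}

# Constructed sample input in the same shape as c:\temp\usersPhoneNumbers.csv
$sample = @'
UserName,OfficeNumber,HomeNumber,MobileNumber
ChrisB,+65 12345678,+65 87654321,+65 13578642
NoSuchUser,+65 11111111,,
'@ | ConvertFrom-Csv

Update-UserPhoneNumbers -Rows $sample -WhatIf | Format-Table -AutoSize
```

Drop -WhatIf to apply the changes; replace the here-string with Import-Csv to read the real file.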
Enabling or disabling user accounts
Now, let's take a look at another scenario where we want to perform a bulk user enable/disable operation. Fortunately, there are two cmdlets provided in the Active Directory module to make this operation very easy and straightforward.
They are as follows:
- Enable-ADAccount
- Disable-ADAccount
Both these cmdlets require an object to be enabled/disabled. The object can be in one of the following formats:
- Distinguished Name (DN) format, for example, CN=ChrisB,OU=LAB,DC=techibee,DC=ad
- ObjectGUID format, for example, 923199de-0dd9-4758-a954-5aa42409b10d
- Security Identifier (SID) format, for example S-1-5-21-822638036-2026389545-1116158610-1244
- SAMAccountName format, for example, ChrisB
To get these values for a given user, use the Get-ADUser cmdlet (use Get-ADComputer in the case of computer accounts).
Now, it's just a matter of passing the input values to either the Enable-ADAccount or Disable-ADAccount cmdlet, based on which operation you want to perform.
Here are some common usage scenarios. These scenarios cover disable operations; to perform enable operations in a similar way, just replace the Disable-ADAccount cmdlet with the Enable-ADAccount cmdlet.
The following command can be used to disable a single user account:
Disable-ADAccount -Identity ChrisB -Passthru
The -PassThru parameter is used to return the object after the completion of the operation. It is also useful to know the disable status if you want to perform further actions on this object.
You can disable users in a particular OU. The following command will return all user objects under the LAB OU and its sub OUs and pass them to Disable-ADAccount:
Get-ADUser -SearchBase "OU=LAB,DC=techibee,DC=AD" -Filter * | Disable-ADAccount
To limit the search scope to the current OU, use the -SearchScope parameter. It takes three values: Base (or 0), OneLevel (or 1), and Subtree (or 2). Subtree is the default value when nothing is specified.
Read usernames from a text file and disable them, as shown in the following command:
Get-Content C:\temp\users.txt | % { Disable-ADAccount -Identity $_ }
Here, the Get-Content cmdlet reads the usernames from the text file and passes them one by one to the Disable-ADAccount cmdlet through a foreach loop (% is an alias for the ForEach-Object cmdlet in PowerShell). When passing the user name to the Disable-ADAccount cmdlet, we use the $_ automatic variable, which contains the name that is passed from the pipeline. Read more about automatic variables at http://technet.microsoft.com/en-us/library/hh847768.aspx.
You can disable all users in a department, for example, Sales. The following command queries all users who have their department value set to sales and passes them to the Disable-ADAccount cmdlet to disable them:
Get-ADUser -Filter 'Department -eq "sales"' | Disable-ADAccount
Likewise, to perform an enable operation, just replace Disable-ADAccount with the Enable-ADAccount cmdlet in the preceding examples.
Moving user accounts to another OU
Let's consider a scenario where all users of one department are moved from one office building to another. You would like to move all these user accounts to a new OU for ease of identification and management.
The Move-ADObject cmdlet is available in the Active Directory module to accomplish this operation. As you might have already noted, this particular cmdlet can move any object from one OU to another, not just user accounts.
This cmdlet has two mandatory parameters:
- -Identity
- -TargetPath
Here are some use case scenarios:
- Moving a user account from one OU to another:
Move-ADObject -Identity "CN=ChrisB,OU=LAB,DC=techibee,DC=ad" -TargetPath "OU=Singapore,OU=LAB,DC=Techibee,DC=ad"
Here, ChrisB is the name of the user that we are moving from the current location (specified in the DN) to the new location given by the -TargetPath parameter.
- Moving all users from LAB OU to PROD OU:
Get-ADUser -Filter * -SearchBase "OU=LAB,DC=techibee,DC=ad" | Move-ADObject -TargetPath "OU=Prod,DC=techibee,DC=ad"
The preceding command will move all users (including users in sub OUs) from LAB OU to PROD OU. The -Identity parameter is automatically populated from the output of the Get-ADUser cmdlet.
You can use the following command to move users from one OU to another based on their department name:
Get-ADUser -Filter 'department -eq "Sales"' | Move-ADObject -TargetPath "OU=Sales,OU=PROD,DC=techibee,DC=AD"
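A mistyped target OU makes the pipeline above fail once per user, and nothing records where each account came from. The following added example (written for this section, not the book's own code) checks the target OU once before moving anything, skips accounts already under it, supports -WhatIf, and returns the old and new DN of each moved account for review. It assumes the ActiveDirectory module and reuses the department and OU values from this section.

```powershell
# Added example: move a department's users into a target OU with an up-front
# OU check and an old/new DN record per account. Assumes the ActiveDirectory module.
function Move-DepartmentUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$TargetOU
    )
    # Move-ADObject would fail per object if the target is wrong; verify it once here
    $null = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop

    # Quote the value inside the filter so a department name containing spaces works
    $users = Get-ADUser -Filter "Department -eq '$Department'" -Properties Department
    foreach ($user in $users) {
        # Skip accounts that already sit under the target OU (or one of its sub-OUs)
        if ($user.DistinguishedName -like "*,$TargetOU") { continue }

        $newDn = $user.DistinguishedName
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetOU")) {
            # -PassThru returns the moved object so the new DN can be captured
            $newDn = (Move-ADObject -Identity $user -TargetPath $TargetOU -PassThru).DistinguishedName
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldDN          = $user.DistinguishedName
            NewDN          = $newDn
        }
    }
}

Move-DepartmentUsers -Department 'Sales' -TargetOU 'OU=Sales,OU=PROD,DC=techibee,DC=AD' -WhatIf
```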