WebSearch Site

Is your server running slowly?  Check with SolarWinds ipMonitor

Get a free evaluation copy of ipMonitor

---

Ezine 169 - Preparing PowerShell to Script Active Directory

Ezine 169 - Preparing PowerShell to Script Active Directory

The purpose of this week's ezine is to prepare PowerShell for interrogating and modifying users in Active Directory.  (Example 2b now corrected)

Topics for Preparing PowerShell to Script Active Directory

• This Week's Secret
• This Week's Mission
• Objective 1 - QAD Preparation Checklist
• Objective 2 - To Get Information About Active Directory Users
• Objective 3 - To Set a Value for a User's LDAP Field Called 'Description' 
• Updates for QAD User 

This Week's Secret

Recently I painted a few rooms in my house; the hardest part was the preparation, washing the walls, filling the holes and putting on the undercoat.  It is the same when scripting Active Directory with PowerShell, preparation is the key.  You need to download PowerShell, install the QAD snap-ins and set the execution policy.  Once you have completed this one-off preparation, the QAD cmdlets make scripting Active Directory so much easier than using VBScript.

This Week's Mission

My ultimate goal is to reset passwords for a bunch of users using PowerShell with the QAD snap-in.  However, as the saying goes, 'There is many slip between cup and lip'.  What I mean is if my readers aren't prepared, or misunderstand an instruction then I can see them creating a PowerShell script that changes the password for ALL their users.  This would result in serious embarrassment on a production network, especially if the network administrator cannot remember the new password!

I hope that you now understand why my mission will be a two stage process.  These are my objectives for this week, firstly to install the QAD snap-ins.  Secondly, to create 'safe' scripts which merely get information about the users, or set values only in the insignificant 'Description' field.

Next week's mission will be to change passwords.

Objective 1 - QAD Preparation Checklist

Readers will be at different stage in their PowerShell career, I want provide a checklist for the complete beginner, those with experience could skip the first step(s).

a) Download, then install both PowerShell and .Net Framework (from Microsoft's site)
Note: XP, Vista, and Windows Server 200x each requires a different version of PowerShell.

b) Download the QAD (Quest Active Directory) cmdlets.

c) Before you can run any cmdlets, adjust the script execution policy, type this at the PowerShell command-line:
set-ExecutionPolicy remotesigned 

d) 'Wire-up' the QAD cmdlets with the command:
add-PSSnapin quest.activeroles.admanagement

e) Now your QAD cmdlets are available, and ready for action.

Extra Instructions to Run PowerShell code:

If you have not used PowerShell before, here are step-by-step instructions to execute commands.

Method 1 (Quick)

• Launch PowerShell
• Copy the code into memory
  (For instance, from Example 1 below)
• Right-click on the PowerShell symbol
• Edit --> Paste
• Press enter to execute the code
• See screenshot to the right

Method 2 (Best)

• Prepare to run cmdlets with this PowerShell command:
  set-ExecutionPolicy RemoteSigned
• Copy the code below into a text file.
• Save the file with a .ps1 extension, for example: MyOu.ps1
• In PowerShell, navigate to where you saved MyOu.ps1
• Issue this command:
  .\network 
  (dot backslash filename)

Objective 2 - To Get Information About Active Directory Users

This week's featured command is Get-QADUser.  Let us assume that you have achieved objective 1, now this all you need to do before running my script:

a) Connect to Active Directory, best would be to logon at a domain controller in a test network.  (Virtual PC?)

b) Find the variable $OU in my script; then amend its value to reflect your domain and your Organizational Unit.  You many need a little extra work in creating an OU and a handful of users.

Example 1 - List Users in a Named OU

Note 1:   -SearchRoot is the key parameter which connects to Active Directory.

Note 2:   You did change the value of $OU - didn't you?  Also Remember that these QAD cmdlets don't exist in the initial PowerShell install, they are only available after you successfully run: add-PSSnapin quest.activeroles.admanagement.  If your script does not work refer back to Objective 1.

Example 2a - How to Discover the Names of a User Properties

These QAD cmdlets are designed to fit seamlessly into PowerShell, for example we can apply our trusty interrogation techniques such as, get-help get-QADUser.

Note 1:  I suggest you try my parallel learning technique and match the user properties revealed by QADUser, with the property sheet that you see in Active Directory Users and Computers.

Example 2b - How to List a User's Property (Corrected version)

As with many of my scripts, there are two learning threads in this example, a real-life objective (Listing user properties) and also learning PowerShell techniques (Piping and word-wrap).

Note 1:  The unusual backtick symbol (`) means, wrap the command to the next line.

Note 2:  The pipe symbol (|) is PowerShell's signature tune; it means push the output of the first clause (get-QADUser) into this next command (format-Table).

Challenges: If I were you I would take a timeout to add values to your user's property sheet, e.g. LastName, Description, also manager and location.

The second part of my challenge is to put into practice what we learned with get-help QADUser, namely to add different fields from my example 2b, for example, Company or Office.

Objective 3 - To Set a Value for a User's LDAP Field Called 'Description'

My objectives here are two fold, firstly, to practice scripting Active Directory in a relatively harmless fashion.  Changing a user's property called 'Description' is less intrusive than changing their password.

Secondly, if we add a known description to just a few test users then we have a handle to filter Active Directory.  Just to emphasise that the benefit of having a description is that we have an extra control to prevent a rogue script changing everybody's password.  Next week I want to create a script which says, 'If Description = xyz, then change the password'.

Note 1:  Never miss a chance to learn a PowerShell verb, mostly you employ, 'get', but observe that here we also employ the more useful 'set'.

Note 2:  See how I reinforce the idea of piping (|) the output of 'set' becomes the input of FT, which stands for format-Table.

Note 3:  Clear-Host is both optional and cosmetic, it merely clears the screen.

Challenge:  You could try changing two, or more properties with the same set command, for example, set-QADUser -Description "Supremo" -Company "Our Company"

If you are looking for handy network utilities, try some of the free downloads at Tools4Ever

Summary of Preparing PowerShell to Script Active Directory

Before you can manipulate Active Directory objects such as users, you must prepare the ground by downloading and installing the QAD snap-ins.  Once you have completed this one-off task scripting Active Directory with PowerShell becomes incredibly easy.

See more PowerShell QAD Scripts

• PowerShell Home   • Quest QAD   • QADUser   • QAD Password   • QADGroup   • QADComputer

 • Export-CSV   • Import CSV

Please write in if you see errors of any kind.  Please report any factual mistakes, grammatical errors or broken links, I will be happy to not only to correct the fault, but also to give you credit.

 *