After some research and reading various websites about how to control Active Directory with Powershell, I finally found what I needed. A lot of articles about this topic immediately start using all kinds of cmdlets developed by several parties, especially the one by Quest. But I wanted to do this stuff without needing any extra libraries/cmdlets. The script shown in this article does a search in the Active Directory for a user object given the SAM account name. It then shows some of the attributes of that user. The third part of the script changes some of the attributes and writes the changes back to Active Directory. And finally it moves the object to a new Organisational Unit (OU). All this with native Powershell.
Summary of techniques applied in the Powershell script:
- search Active Directory objects
- show Active Directory object attributes
- update Active Directory object attributes
- move an Active Directory object to a specified Organisational Unit (OU)
- set the ‘user must change password at next logon’ flag
- set a password on an Active Directory user object
- set the terminal services profile path (Changing the Terminal Server profile path requires the powershell script to run on a server because the call requires some DLLs that are only installed on servers)
- clear the ‘disabled user account’ flag
Disclaimer: The powershell scripts shown in this article have only been tested on Windows Server 2008 and Windows Vista.
function searchUserSam($userID)
{
    $root = [ADSI]""
    $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
    # no space after '=': a leading space would become part of the value being matched
    $searcher.filter = "(&(objectClass=user)(sAMAccountName=$userID))"
    $object = $searcher.findall()
    if ($object.count -eq 0) {
        return $null
    } else {
        return $object[0]
    }
}
$Name = $args[0]
# Values used to build the profile paths below. The original script never set them,
# so placeholder values are given here (assumption: adjust to your own domain and share layout).
$domainFQDN = "foo.bar"
$environment = "Production"
$objUser = searchUserSam $Name
if ($objUser -eq $null) {
    Write-Error "User '$Name' not found in Active Directory"
    exit 1
}
([string]($objUser.Properties.adspath))
$userObject = [ADSI]([string]($objUser.Properties.adspath))
# show the current user values
"name:"+$userObject.name
"samaccountname:"+$userObject.samaccountname
"extensionattribute8:"+$userObject.extensionattribute8
"userPrincipalName:"+$userObject.userprincipalname
"cn:"+$userObject.cn
"useraccountcontrol:"+$userObject.useraccountcontrol
"profilePath:"+$userObject.profilepath
"scriptPath:"+$userObject.scriptpath
# This terminal server specific InvokeGet method only works on Server 2008, not on Vista!
"terminalservicesprofilepath:"+$userObject.PSBase.InvokeGet('terminalservicesprofilepath')
# set userPrincipalName to the account name with the '@foo.bar' suffix
$userObject.userprincipalname = ($Name + "@foo.bar")
# clear the 'disabled user account' flag ($true would disable the account)
$userObject.psbase.InvokeSet('accountdisabled',$false)
# set the profile path
$userObject.profilepath = "\\"+$domainFQDN+"\data\"+$environment+"\Users\"+$Name+"\Profiles\Desktop"
# set the terminal services profile path
$userObject.PSBase.InvokeSet('terminalservicesprofilepath', "\\"+$domainFQDN+"\data\"+$environment+"\Users\"+$Name+"\Profiles\%FarmName%")
# set the login script
$userObject.scriptPath = "Login.cmd"
# set a new password for the account
$userObject.psbase.Invoke("SetPassword", "Whatever1")
# set the 'user must change password at next logon' flag
$userObject.pwdLastSet = 0
# write all updates to the user object in Active Directory
$userObject.setinfo()
# Move the user object to the 'Standard Users' OU
$userObject.PSBase.MoveTo("LDAP://OU=Business Users,OU=Production,DC=foo,DC=bar")
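An added example, not part of the original article: the search above pastes $args[0] straight into an LDAP filter, so this variant escapes the filter metacharacters first (RFC 4515 encoding), takes the DirectoryEntry from the search result instead of re-binding via the adspath string, and decodes the userAccountControl bit field that the script prints as a bare number. Function names are my own; it still uses only native ADSI, and assumes it runs on a domain-joined machine as the article's script does.

```powershell
function ConvertTo-LdapFilterValue([string]$Value)
{
    # Backslash first, otherwise the escape sequences added after it would be escaped again
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-UserBySam([string]$SamAccountName)
{
    $safeSam  = ConvertTo-LdapFilterValue $SamAccountName
    $root     = [ADSI]""
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectCategory=person excludes computer accounts, which are also objectClass=user
    $searcher.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=$safeSam))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    return $result.GetDirectoryEntry()
}

# Subset of the documented userAccountControl bit values; the ones worth checking in an audit
$UacFlags = @{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    DONT_EXPIRE_PASSWORD = 0x10000
    DONT_REQ_PREAUTH     = 0x400000
}

function Get-UacFlagNames([int]$UserAccountControl)
{
    $UacFlags.GetEnumerator() |
        Where-Object { ($UserAccountControl -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object
}

$user = Get-UserBySam $args[0]
if ($user -eq $null) {
    Write-Error "No user with sAMAccountName '$($args[0])'"
    exit 1
}
$uac = [int]$user.userAccountControl.Value
"distinguishedName: " + $user.distinguishedName
"userAccountControl: $uac (" + ((Get-UacFlagNames $uac) -join ', ') + ")"
```

The escaped value can be passed to the original searchUserSam unchanged, since only the filter text differs.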