
131 Active Directory users

In document Exploring PowerShell Automation (Page 138-140)


ing at Sunday) and each bit represents a one-hour time span. All zeros means the user isn’t allowed to log on, and if all values are set to 255 (default) the user can log on 24x7. In the case shown, the user is restricted to logon times of Monday to Friday 8 a.m. to 6 p.m. If you want to use this, I recommend setting up one user in ADUC and copying the resultant values. This is definitely the quickest way to get it right.

The Profile tab is for setting logon scripts and home drives as shown. The only difficulty here is the attribute names, as I’ve annotated, especially the scriptpath attribute, which supplies the logon script to be run for the user. The local path refers to the drive to be mapped to a user’s home area and the connect attribute supplies the UNC path to the user’s home area. When you’re setting telephone numbers on the Telephones tab, remember that the numbers are input as strings rather than numbers.

The final tab I’ll deal with is the Organization tab. The attribute names match the ADUC fields as shown. Note that the Manager entry must be given the AD distinguished name as its input. The Direct Reports field is automatically backfilled from the Manager settings on other users. You can’t set it directly.
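The following is an added example, not a listing from the book, that maps the ADUC Profile, Telephones and Organization fields to their LDAP attribute names and writes them with ADSI. The user and manager distinguished names, the file server and the phone numbers are constructed placeholders; replace them before use.

```powershell
# Added example (not from the book). Every DN, server and phone number below is a placeholder.
$userDN    = 'LDAP://CN=BOSCH Herbert,OU=Staff,DC=example,DC=com'   # placeholder user
$managerDN = 'CN=SORBY Henry,OU=Staff,DC=example,DC=com'            # placeholder; manager is stored as a DN

$user = [ADSI]$userDN

# Profile tab: the attribute names differ from the ADUC labels
$user.Put('scriptPath',    'logon.vbs')                   # "Logon script", relative to the NETLOGON share
$user.Put('homeDrive',     'H:')                          # drive letter to map to the home area
$user.Put('homeDirectory', '\\fileserver\home\hbosch')    # UNC path of the home area (placeholder server)

# Telephones tab: every phone attribute is a string, so keep leading zeros and spacing
$user.Put('telephoneNumber', '01632 960123')
$user.Put('mobile',          '07700 900123')

# Organization tab: field names map directly, except Manager, which must be a DN
$user.Put('title',      'Geologist')
$user.Put('department', 'Geology')
$user.Put('company',    'Example Ltd')
$user.Put('manager',    $managerDN)

# Nothing reaches the directory until SetInfo() is called; a typo in an attribute name fails here
$user.SetInfo()

# Read back what was written. directReports on the manager is maintained by AD, not set by us.
$user.RefreshCache()
$user.scriptPath, $user.homeDrive, $user.homeDirectory, $user.telephoneNumber, $user.manager
([ADSI]"LDAP://$managerDN").directReports
```

Because attributes are written only at SetInfo(), the whole set of changes either lands or fails together, which makes it easy to spot a mistyped attribute name before anything is changed on the account.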

DISCUSSION

I haven’t given a full alternative using the cmdlets in this section. We can use the Microsoft cmdlets like this:

Get-ADUser -Identity hsorby | Set-ADUser -Department Geology
Get-ADUser -Identity hsorby -Properties Department
Get-ADUser -Identity hsorby -Properties *

The most efficient way to perform bulk changes is to use Get-ADUser to return the users in which we’re interested and then pipe them into Set-ADUser. This way we can easily test which users are affected. The change can be examined with Get-ADUser. When we use Get-ADUser, we normally only get a small subset of properties returned. We can generate more data by explicitly stating which properties we want returned.
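As an added example (not from the book), here is the bulk-change pattern just described carried through end to end with the Microsoft cmdlets: select the users, review them, dry-run the change, apply it, and verify with a fresh read. It assumes the ActiveDirectory module is installed; the OU used as the search base and the department names are constructed placeholders.

```powershell
# Added example (not from the book). Assumes RSAT's ActiveDirectory module and a domain connection.
Import-Module ActiveDirectory

# Placeholder values: restrict the search base to the OU you actually manage
$searchBase = 'OU=Staff,DC=example,DC=com'
$oldDept    = 'Geology'
$newDept    = 'Earth Sciences'

# 1. Select the accounts. Get-ADUser returns only a small default property set,
#    so Department must be requested explicitly or it will not be on the objects.
$targets = @(Get-ADUser -Filter "Department -eq '$oldDept'" -SearchBase $searchBase -Properties Department)

# 2. Review exactly who will be touched before changing anything
$targets | Select-Object SamAccountName, DistinguishedName, Department | Format-Table -AutoSize

# Sanity guard: an unexpectedly large hit count usually means the filter is wrong
if ($targets.Count -gt 100) { throw "Filter matched $($targets.Count) users; refusing to continue" }

# 3. Dry run: -WhatIf reports each change without making it
$targets | Set-ADUser -Department $newDept -WhatIf

# 4. Apply, keeping the modified objects with -PassThru so we know exactly what was changed
$changed = $targets | Set-ADUser -Department $newDept -PassThru

# 5. Verify with a fresh read from the directory; anything returned here was not updated
$notUpdated = $changed | Get-ADUser -Properties Department | Where-Object { $_.Department -ne $newDept }
if ($notUpdated) { $notUpdated | Format-Table SamAccountName, Department } else { "All $($changed.Count) users updated" }
```

Capturing the selection in a variable first, rather than piping Get-ADUser straight into Set-ADUser, is what lets steps 2 and 3 show the affected set before anything is written.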

With the Quest cmdlets, we’d use the Set-QADUser cmdlet and use either one of the predefined parameters or the -ObjectAttributes parameter as shown in listing 5.10a.

TECHNIQUE 7 Finding users

We’ve seen how to create and modify user accounts in Active Directory. One of the other tasks we need to perform frequently is searching for particular users. No, not under the desk, but in Active Directory. In this section, we’ll look at searching for an individual user, disabled accounts, and accounts that are locked out. You’ll see other searches that look at logon times and account expiration later in the chapter.

Searching Active Directory requires the use of LDAP filters. They’re explained in appendix D.

DELETED USER ACCOUNTS Searching for deleted user accounts will be covered in chapter 10.

PROBLEM

We need to search Active Directory for specific users or accounts that are disabled or locked out.

SOLUTION

We can use the System.DirectoryServices.DirectorySearcher class to perform our search. In PowerShell v2, this can be shortened slightly by using [ADSISEARCHER]. Using System.DirectoryServices.DirectorySearcher makes searching faster and simpler compared to previous scripting options. We need to start by creating a variable with the name of the user to search for (in listing 5.12). We can search on other attributes, as we’ll see later. We want to search the whole Active Directory, because we can’t remember where we put this user. We can use GetCurrentDomain() to determine the current domain. Using this method makes our script portable across domains. We then get a directory entry for the domain.

$struser = "BOSCH Herbert"                                                     # name of the user to find
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()   # current domain, so the script is portable
$root = $dom.GetDirectoryEntry()                                               # root entry of the domain
$search = [System.DirectoryServices.DirectorySearcher]$root                    # searcher rooted at the whole domain
$search.Filter = "(cn=$struser)"                                               # LDAP filter on the cn attribute
$result = $search.FindOne()                                                    # run the search, expecting one hit
if ($null -ne $result) {
    $result.properties.distinguishedname                                       # show where the account lives
}
else {Write-Host $struser " Does not exist"}

Creating a search as shown will set the domain as the root of the search: we search the whole domain. We’re looking for a particular user, so we need to set an LDAP filter for that user. The cn attribute holds the name of the user account in Active Directory. It’s possible to search on most attributes.

PAGE SIZE AND TIMEOUT There’s a limit on the number of results that will be returned from an LDAP search. The default limit is 1,000. If your results will exceed this number, add the line $search.PageSize = 1000 after the filter. This will cause the results to be returned in batches (pages) of 1,000. When using the cmdlets, use the PageSize and SizeLimit parameters to control the return of data.

There’s a timeout of 120 seconds on the server side, at which point the server will return only the results found up to that point. The default client- side timeout is infinite.
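The two other searches this technique promises, disabled accounts and locked-out accounts, return many results, so they need FindAll() with paging rather than FindOne(). The block below is an added example, not a listing from the book: it wraps the DirectorySearcher setup from listing 5.12 in a function that pages results, sets a client timeout, loads only the attributes it needs, and disposes the result collection, then runs the two bulk searches plus the single-user case. The function name Find-ADAccount is my own; the LDAP filters use the standard bitwise-AND matching rule and the lockoutTime attribute.

```powershell
# Added example (not from the book). Assumes a domain-joined machine, as listing 5.12 does.
function Get-FirstValue($result, [string]$name) {
    # SearchResult property names are lower-cased; a missing attribute is an empty collection
    if ($result.Properties[$name].Count -gt 0) { $result.Properties[$name][0] }
}

function Find-ADAccount {
    param(
        [Parameter(Mandatory)] [string] $LdapFilter,
        [string[]] $Properties = @('sAMAccountName', 'distinguishedName', 'userAccountControl', 'lockoutTime')
    )
    $dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root   = $dom.GetDirectoryEntry()
    $search = New-Object System.DirectoryServices.DirectorySearcher($root)
    $search.Filter        = $LdapFilter
    $search.PageSize      = 1000                          # page the results so the 1,000-entry server limit does not truncate them
    $search.ClientTimeout = [TimeSpan]::FromSeconds(60)   # the default client-side timeout is infinite
    $search.PropertiesToLoad.AddRange($Properties)        # ask only for what we need instead of every attribute

    $results = $search.FindAll()
    try {
        foreach ($r in $results) {
            $uac = [int](Get-FirstValue $r 'useraccountcontrol')    # null becomes 0
            $lt  = [int64](Get-FirstValue $r 'lockouttime')         # FILETIME, 0 when never locked
            [pscustomobject]@{
                SamAccountName    = [string](Get-FirstValue $r 'samaccountname')
                DistinguishedName = [string](Get-FirstValue $r 'distinguishedname')
                Disabled          = ($uac -band 2) -ne 0             # bit 2 = ACCOUNTDISABLE
                LockoutTimeUtc    = if ($lt -gt 0) { [DateTime]::FromFileTimeUtc($lt) } else { $null }
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged handles; release them even on error
    }
}

# Common prefix: user objects only (objectClass=user alone also matches computers)
$userBase = '(&(objectCategory=person)(objectClass=user)'

# Disabled accounts: test the ACCOUNTDISABLE bit of userAccountControl with the bitwise-AND matching rule
$disabled = Find-ADAccount -LdapFilter "${userBase}(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Locked-out accounts: lockoutTime is set when the account locks but is NOT cleared when the lockout
# duration expires, so these are candidates; compare LockoutTimeUtc with the domain lockout duration
$lockedCandidates = Find-ADAccount -LdapFilter "${userBase}(lockoutTime>=1))"

# The single-user search from listing 5.12, now through FindAll()
$one = Find-ADAccount -LdapFilter '(cn=BOSCH Herbert)'

$disabled         | Format-Table SamAccountName, DistinguishedName -AutoSize
$lockedCandidates | Format-Table SamAccountName, LockoutTimeUtc -AutoSize
$one              | Format-Table SamAccountName, DistinguishedName, Disabled -AutoSize
```

The try/finally around the result collection matters in long-running scripts: FindAll() returns a SearchResultCollection backed by unmanaged memory, and without Dispose() repeated searches leak it. The lockoutTime caveat is the reason a locked-out report should show the lockout timestamp rather than a bare yes/no.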

When we run this search, we only expect a single result, so we use FindOne(). As we’ll see later, if we expect multiple results to be returned, we use FindAll(). Interestingly, FindOne() does a FindAll() and returns only the first result. If you’ve per-

Listing 5.12 Searching for a user account (listing callouts: Set user; Root entry; Set filter; Run search)
