Active Directory users
The names in the CSV files are those of English scientists, British prime ministers, and US presidents respectively, in case you were wondering. Unfortunately, things never remain the same in IT, so we have to tear ourselves away from PowerShell Space Invaders and modify some users. An admin’s work is never done.
TECHNIQUE 6 User modification
After creating a user account, it's more than probable that we'll need to make modifications. People move departments; telephone numbers change; even names can change. We may want to increase security by restricting most users to being able to log on only during business hours.
Active Directory can hold a lot of information about your organization. If you keep the information up to date and accessible, then you can leverage the investment in Active Directory and you don't need a separate phone book system, for instance.

PROBLEM
We have to make modifications to one or more user accounts in Active Directory.

SOLUTION
Using ADSI, we retrieve a directory entry for the user account we need to modify and set the appropriate properties. This is one of the longest scripts we’ll see, but as we break it down, you’ll see that it’s not as bad as it looks. I’ve organized the script to match the tabs on the user properties in ADUC.
SCRIPT USAGE
I don't expect this script to be used in its entirety. In normal use, I'd expect a few attributes to be changed rather than a bulk change like this. It's more efficient to present all the changes in one script. Then you can choose which attributes you need to modify.
In listing 5.11, we start by getting a directory entry for the user. This is the part that will change in your organization. If you're making the same change to lots of users, put them into a CSV file and use a foreach loop in a similar manner to listing 5.9.

Listing 5.11 Modifying user attributes

# Get user
$user = [ADSI]"LDAP://CN=CHURCHILL Winston,OU=England,DC=Manticore,DC=org"

# General tab
$user.Initials = "S"
$user.Description = "British PM"
$user.physicalDeliveryOfficeName = "10 Downing Street"   # Office
$user.telephoneNumber = "01207101010"
$user.mail = "[email protected]"                          # Email
$user.wwwHomePage = "http://www.number10.com"
$user.SetInfo()

# Address tab
$user.streetAddress = "10 Downing Street"
$user.postOfficeBox = "P.O. 10"                          # PO Box
$user.l = "London"                                       # City
$user.st = "England"                                     # State/province
$user.postalCode = "L10 9WS"
$user.c = "GB"                                           # Country
$user.SetInfo()

# Account tab
$comp = "comp1,comp2"                                    # Comma-separated computer names (Log on to...)
[byte[]]$hours = @(0,0,0,0,255,3,0,255,3,0,255,3,0,255,3,0,255,3,0,0,0)   # Allowed logon hours
$user.logonHours.Value = $hours
$user.userWorkstations = $comp
$user.SetInfo()

# Profile tab
$user.profilePath = "\\server1\usrprofiles\wsc"
$user.scriptPath = "mylogon.vbs"                         # Logon script
$user.homeDrive = "S:"                                   # Connect
$user.homeDirectory = "\\server2\home\wsc"               # Local path
$user.SetInfo()

# Telephones tab
$user.homePhone = "01207101010"
$user.pager = "01207101011"
$user.mobile = "01207101012"
$user.facsimileTelephoneNumber = "01207101014"
$user.ipPhone = "01207101015"
$user.info = "This is made up data"
$user.SetInfo()

# Organization tab
$user.title = "Prime Minister"
$user.department = "Government"
$user.company = "Britain"
$user.manager = "CN=WELLESLEY Arthur,OU=England,DC=Manticore,DC=org"
$user.SetInfo()
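The CSV-driven variant suggested above, written as an added example rather than code from the book: every column after DN is an LDAP attribute name, an empty cell means "leave that attribute alone", and each user's changes are committed with a single SetInfo() so a row either lands completely or not at all. The sample rows, column names and DNs are constructed for the example; the domain, the Manticore DNs and the use of ADSI binding follow listing 5.11 and are assumed to exist.

```powershell
# Added example (not the book's code): apply per-user attribute changes from a CSV.
# Assumptions: the DNs below exist in the domain, and the session can bind with LDAP://.

# Constructed sample input; in practice this is Import-Csv on a real file.
$rows = @'
DN,telephoneNumber,department,title,manager
"CN=CHURCHILL Winston,OU=England,DC=Manticore,DC=org",01207101010,Government,Prime Minister,"CN=WELLESLEY Arthur,OU=England,DC=Manticore,DC=org"
"CN=ATTLEE Clement,OU=England,DC=Manticore,DC=org",,Government,,
'@ | ConvertFrom-Csv

function Update-UserFromRow {
    param($Row, [switch]$DryRun)
    $path = "LDAP://$($Row.DN)"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "Skipping, object not found: $($Row.DN)"
        return
    }
    $user = [ADSI]$path
    $changes = @{}
    foreach ($col in $Row.PSObject.Properties) {
        if ($col.Name -eq 'DN' -or [string]::IsNullOrEmpty($col.Value)) { continue }
        # manager must hold the DN of an existing object, otherwise SetInfo() fails
        # and none of this row's other changes are written either
        if ($col.Name -eq 'manager' -and
            -not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($col.Value)")) {
            Write-Warning "$($Row.DN): manager $($col.Value) not found, leaving manager unchanged"
            continue
        }
        $changes[$col.Name] = $col.Value
    }
    if ($changes.Count -eq 0) { return }
    if ($DryRun) {
        "$($Row.DN): would set $($changes.Keys -join ', ')"
        return
    }
    foreach ($name in $changes.Keys) { $user.Put($name, $changes[$name]) }
    $user.SetInfo()    # one LDAP modify per user: all of the row's attributes or none
    "$($Row.DN): set $($changes.Keys -join ', ')"
}

foreach ($row in $rows) { Update-UserFromRow $row -DryRun }   # rehearse first
# foreach ($row in $rows) { Update-UserFromRow $row }         # then write for real
```

Run the dry run against the file before the real pass; the existence checks catch the two mistakes that most often abort a bulk update (a DN that was renamed since the file was built, and a manager value that is a display name rather than a DN).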
The first tab that we need to deal with is the General tab. This holds the name information, which can be modified as shown. Usually the attributes we use in ADSI match those shown in ADUC. I've annotated those that are different, such as office (physicalDeliveryOfficeName) and email address (mail). I've used SetInfo() after each tab's worth of changes to ensure that they're written back. If you cut and paste the script, it's less likely the SetInfo() will be forgotten. Bear in mind that each SetInfo() commits on its own: if a later one fails, because of a mistyped attribute name or a manager DN that doesn't exist, the earlier tabs' changes have already been written.

Moving on to the Address tab, we find simple data such as the PO Box as well as a number of catches. The City field in ADUC we have to treat as l (for locality), and state\province becomes st. Setting the country requires the use of the two-character ISO code in the c attribute. In this case, GB is the ISO code for the United Kingdom, even though Great Britain is only part of the UK! Note that when you pick a country in ADUC it writes three attributes (c, the display name in co, and the numeric countryCode); a script that sets only c leaves the other two stale, so set all three if anything else reads them.

TIP If you can't remember the ISO code for a particular country or aren't sure what to use, use ADUC to set the country by name on one user and ADSIEdit to check what code has been entered. With Windows Server 2008 ADUC, use the Attribute Editor tab to view the data.
On the Account tab, we can also set the workstations a user can log on to as well as the hours of the day he can log on. We need to create a list of workstation names and use this to set the attribute. Note that userWorkstations is a single-valued string attribute holding comma-separated NetBIOS names, so "comp1,comp2" is passed as one string, not as a PowerShell array, and that is correct as written. The logon hours attribute is more complicated, in that we have to create an array of bytes as shown. Three bytes represent a day (start-

Remember that logonHours is stored in UTC. ADUC converts from the local time zone when you click the grid, but a script has to do that conversion itself, or the window you set will be shifted by your UTC offset.
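Rather than hand-typing the 21-byte array, the following added example (not code from the book) builds a logonHours value from business hours and a UTC offset, decodes one back into a weekly grid for checking, and writes it with the same ADSI binding listing 5.11 uses, reading it back afterwards. The layout it relies on is the attribute's documented one: 168 bits, one per hour, starting Sunday 00:00 UTC, with bit 0 of byte 0 the earliest hour. The user DN is the one from the listing and is assumed to exist.

```powershell
# Added example (not the book's code): generate, decode and verify logonHours.
# Facts used: 21 bytes = 168 hour bits starting Sunday 00:00 UTC, LSB first.
# Assumption: the DN below exists and the session can bind to the domain.

function New-LogonHours {
    param(
        [string[]]$Days = @('Monday','Tuesday','Wednesday','Thursday','Friday'),
        [int]$StartHour = 8,        # first permitted local hour, inclusive
        [int]$EndHour = 18,         # first local hour that is no longer permitted
        [int]$UtcOffsetHours = 0    # local = UTC + offset, e.g. 1 for BST, -5 for EST
    )
    $allowed = New-Object bool[] 168
    foreach ($d in $Days) {
        $base = 24 * [int][System.DayOfWeek]$d     # throws on a misspelt day name
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # convert the local hour to UTC and wrap around the 168-hour week
            $utc = (($base + $h - $UtcOffsetHours) % 168 + 168) % 168
            $allowed[$utc] = $true
        }
    }
    $bytes = New-Object byte[] 21
    for ($i = 0; $i -lt 168; $i++) {
        if ($allowed[$i]) {
            $idx = [int][math]::Floor($i / 8)
            $bytes[$idx] = [byte]($bytes[$idx] -bor [int][math]::Pow(2, $i % 8))
        }
    }
    return ,$bytes    # the comma keeps the byte[] from being unrolled
}

function ConvertFrom-LogonHours {
    param([byte[]]$Bytes, [int]$UtcOffsetHours = 0)
    if ($Bytes.Count -ne 21) { throw "logonHours must be 21 bytes, got $($Bytes.Count)" }
    $grid = @{}
    foreach ($d in 0..6) { $grid[$d] = '.' * 24 }   # one character per local hour
    for ($i = 0; $i -lt 168; $i++) {
        $bit = [int][math]::Pow(2, $i % 8)
        if (($Bytes[[int][math]::Floor($i / 8)] -band $bit) -eq 0) { continue }
        $local = (($i + $UtcOffsetHours) % 168 + 168) % 168
        $d = [int][math]::Floor($local / 24)
        $row = $grid[$d].ToCharArray()
        $row[$local % 24] = 'X'
        $grid[$d] = -join $row
    }
    foreach ($d in 0..6) {
        New-Object PSObject -Property @{ Day = [System.DayOfWeek]$d; Hours = $grid[$d] } |
            Select-Object Day, Hours
    }
}

# Mon-Fri 08:00-18:00 at a site on UTC+0 reproduces the array in listing 5.11:
# 0,0,0 then 0,255,3 five times then 0,0,0.
$hours = New-LogonHours -UtcOffsetHours 0
$hours -join ','
ConvertFrom-LogonHours $hours | Format-Table -AutoSize
# The same local hours at a site on UTC+1 (BST) give 128,255,1 per weekday instead,
# which is what ADUC would have stored; writing the UTC+0 array there widens the window.
(New-LogonHours -UtcOffsetHours 1) -join ','

# Write with the binding from listing 5.11, then read back and compare, so that a
# mistyped byte cannot silently grant logon outside business hours.
$user = [ADSI]"LDAP://CN=CHURCHILL Winston,OU=England,DC=Manticore,DC=org"
$user.logonHours.Value = $hours
$user.SetInfo()
$user.RefreshCache()
$stored = [byte[]]$user.logonHours.Value
if (Compare-Object $hours $stored -SyncWindow 0) {
    throw "logonHours read back from the directory differs from what was written"
}
```

Decode any logonHours value you find in the directory with ConvertFrom-LogonHours and your site's offset before trusting it; an account that appears restricted to office hours in one time zone can be wide open in another.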