Technically Speaking

December 29, 2007

Binding to an Active Directory Object with PowerShell

Filed under: PowerShell — Chris @ 2:04 pm

I wanted to talk about a PowerShell script I wrote recently. I work as a systems administrator at a large company, so scripting is a necessity of life. Fortunately we have a powerful shell to work with: PowerShell. I really like it because it allows for some great flexibility to do different things. If you haven’t worked with PowerShell yet you might want to take a look at it. It kind of reminds me of Perl.

So let me get right to it. First off, you need a good editor if you want your scripts to look good. May I recommend PowerGUI. Its editor is free and has tons of features. Did I mention it's free?

So now, the script that I wrote basically changes the primary group of a user in Active Directory. We had some users that didn’t have Domain Users as their primary group, which was causing issues. So I put together a script that changes this attribute.

I will display the script, then walk you through it:


# *********************************************************************
# * NAME:PrimaryGroup.ps1
# * Description:Change the primary Group for a user in Active Directory
# * Created by : Chris Federico
# * Date 12/06/07
# *********************************************************************
# Create a variable and add the contents of UserList.txt to it (one CN per line)
$UserList = Get-Content ".\UserList.txt"
$LogFile  = "Logfile.txt"

# Create our log file for this script (-Force overwrites one left from an earlier run)
$CreateLogFile = New-Item -Path . -Name $LogFile -ItemType File -Force

# Step through the array
foreach ($UserName in $UserList) {

    # Bind to each user account. The ADSI prefix is case-sensitive: "LDAP://", not "ldap://"
    $User = [adsi] "LDAP://cn=$UserName,OU=Users,dc=Microsoft,dc=local"

    # Log the current user
    Add-Content -Path $LogFile -Value ($User.name)

    # Create a variable that holds the value of the primaryGroupID (a RID, not a group name)
    $primaryGroupID = $User.primaryGroupID.Value

    # Log the current primary group ID
    Add-Content -Path $LogFile -Value ("Current PrimaryGroupID = $primaryGroupID")

    if ($primaryGroupID -ne 513) {
        # Change the property (513 is the RID of Domain Users; the attribute is an integer)
        $User.primaryGroupID = 513

        # Commit the change to AD
        $User.CommitChanges()

        # Re-read the attribute from the directory and log what is actually stored now
        $User.RefreshCache()
        Add-Content -Path $LogFile -Value (" Verification of change = $($User.primaryGroupID.Value)")
        Add-Content -Path $LogFile -Value ("")
    }
    else
    {
        Add-Content -Path $LogFile -Value ("The Primary Group is Domain Users already")
        Add-Content -Path $LogFile -Value ("")
    }
}

If you're new to programming this script may seem daunting, but I tried to comment it as much as possible. You will notice that comments are shown with a # in front, the same way you would comment a hosts file. I’m sure you have heard that you can never comment too much when you're scripting.

Before you begin, get a list of the users whose primary group you want to check or fix. You can do this by exporting a list of users from the “Users and Computers” MMC. Once you have this list, save it as UserList.txt with one user name (the CN) per line (you can save it under any name you like as long as you reference it correctly).

Start by creating an array by reading the contents of your user list:


# Create a variable and add the contents of UserList.txt to it (one CN per line)
$UserList = Get-Content ".\UserList.txt"

I also like to create a log file, and that is just what I’m doing here ($LogFile was set to "Logfile.txt" at the top of the script; -Force overwrites a log left from an earlier run):


# Create our log file for this script (-Force overwrites one left from an earlier run)
$CreateLogFile = New-Item -Path . -Name $LogFile -ItemType File -Force

Next we are going to step through the array of user names with a foreach loop like this (it looks exactly like it's done in Perl):


foreach ($UserName in $UserList) {

Inside the foreach loop you are going to bind to each user.


# Bind to each user account. The ADSI prefix is case-sensitive: "LDAP://", not "ldap://"
$User = [adsi] "LDAP://cn=$UserName,OU=Users,dc=Microsoft,dc=local"

What’s going on here is that on each pass the loop variable holds the next name from the list. The [adsi] type accelerator wraps the path in a System.DirectoryServices.DirectoryEntry, which makes an LDAP connection and binds to that object; once bound you have access to all of the user's attributes, as we will see in a bit. Two things to watch: the ADSI provider prefix is case-sensitive, so it must be LDAP:// (ldap:// fails with "Unknown error (0x80005000)"), and because the script builds the distinguished name from the text file, a line with trailing spaces or a CN containing a comma (which has to be escaped as \,) will not bind. You can also bind from the .NET Framework directly with New-Object System.DirectoryServices.DirectoryEntry("LDAP://Your AD Path"); it is the same object underneath. Errors, for example if no object is found or you do not have rights, are raised the first time a property is read rather than at the cast itself, so that is where to check for them.

Next I'm logging the current user:

# Log the current user
Add-Content -Path $LogFile -Value ($User.name)

Notice I’m using the name property. This is being written to that log file we created; everything written with Add-Content gets appended to the text file.

Next I want to create a variable that holds the value of the primary group and log the user's current primary group. The primaryGroupID property doesn’t hold the group's name; it holds a number, the RID (the last part of the group's SID). Nothing to fear though.


# Create a variable that holds the value of the primaryGroupID (a RID, not a group name)
$primaryGroupID = $User.primaryGroupID.Value

# Log the current primary group ID
Add-Content -Path $LogFile -Value ("Current PrimaryGroupID = $primaryGroupID")

The RID of Domain Users is 513 in every domain. So the next section checks whether the current user's primaryGroupID is 513. If it is, it logs that the group is already set; if it isn't, it sets the value, commits the change, and re-reads the attribute from the directory so the log shows what was actually stored (the copy in $primaryGroupID was taken before the change and would not show it). One rule to keep in mind: Active Directory only accepts a primaryGroupID for a group the user is already a member of, so a user who is not in Domain Users at all will make CommitChanges() fail. All of this gets appended to the log file.


if ($primaryGroupID -ne 513) {
    # Change the property (513 is the RID of Domain Users; the attribute is an integer)
    $User.primaryGroupID = 513

    # Commit the change to AD
    $User.CommitChanges()

    # Re-read the attribute from the directory and log what is actually stored now
    $User.RefreshCache()
    Add-Content -Path $LogFile -Value (" Verification of change = $($User.primaryGroupID.Value)")
    Add-Content -Path $LogFile -Value ("")
}
else
{
    Add-Content -Path $LogFile -Value ("The Primary Group is Domain Users already")
    Add-Content -Path $LogFile -Value ("")
}
}
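The bind in the loop above and the 513 check both assume that the name in the text file is a clean CN under one OU and that the user can take Domain Users as a primary group. What follows is an added example, not the original script, of the same job done more defensively: it looks each account up by sAMAccountName with a DirectorySearcher (escaping the file contents so they cannot change the LDAP filter) instead of building a DN by hand, it makes the account an explicit member of Domain Users before writing primaryGroupID, since the directory refuses a primary group the user is not a member of, and it re-reads the attribute after CommitChanges() so the log shows what was stored. It assumes PowerShell 2.0 or later on a domain-joined machine with rights to edit the accounts and the Domain Users group; UserList.txt holding sAMAccountNames and the function names are my assumptions, not anything from the post.

```powershell
# Added example, not the original script: find each user by sAMAccountName,
# make sure it is a member of Domain Users, then set Domain Users as its
# primary group and verify the write. Assumes PowerShell 2.0+ on a domain-
# joined machine and a UserList.txt of sAMAccountNames (constructed input).

# Escape the RFC 4515 filter metacharacters so a line from the text file
# cannot alter the meaning of the search filter. Backslash is handled first so
# the escapes added by the later replacements are not escaped a second time.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Domain root and domain SID; the SID of Domain Users is the domain SID plus -513
$domainDn  = ([adsi] "LDAP://RootDSE").defaultNamingContext.Value
$domain    = [adsi] "LDAP://$domainDn"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid.Value, 0)

# Bind to Domain Users by SID so a renamed, moved or localized group still resolves
$domainUsers   = [adsi] "LDAP://<SID=$domainSid-513>"
$domainUsersDn = $domainUsers.distinguishedName.Value

# Look the account up anywhere in the domain instead of assuming one OU
function Find-User([string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $searcher.SearchScope = 'Subtree'
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    return $hit.GetDirectoryEntry()
}

# Set Domain Users as the primary group of one account and report what happened
function Set-PrimaryGroupToDomainUsers([string]$SamAccountName) {
    $record = New-Object PSObject -Property @{ User = $SamAccountName; Before = $null; After = $null; Status = '' }
    try {
        $user = Find-User $SamAccountName
        if ($user -eq $null) { $record.Status = 'not found'; return $record }

        $record.Before = [int]$user.primaryGroupID.Value
        if ($record.Before -eq 513) {
            $record.After = 513; $record.Status = 'already Domain Users'; return $record
        }

        # The primary group never appears in memberOf, so an account whose primary
        # group is something else is usually not an explicit member of Domain Users.
        # AD rejects a primaryGroupID for a group the user is not in, so add it first.
        if (-not (@($user.memberOf) -contains $domainUsersDn)) {
            [void]$domainUsers.Properties['member'].Add($user.distinguishedName.Value)
            $domainUsers.CommitChanges()
        }

        $user.Properties['primaryGroupID'].Value = 513   # integer attribute, not the string '513'
        $user.CommitChanges()

        # The local property cache still holds the old value; re-read it from the DC
        $user.RefreshCache()
        $record.After = [int]$user.primaryGroupID.Value
        if ($record.After -eq 513) { $record.Status = 'changed' } else { $record.Status = 'write did not take' }
    }
    catch {
        # Typical causes: no rights on the object or group, or the DC refused the change
        $record.Status = "error: $($_.Exception.Message)"
    }
    return $record
}

# Process the list, show the outcome and keep it as a log
$results = Get-Content ".\UserList.txt" | Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { Set-PrimaryGroupToDomainUsers $_.Trim() }
$results | Format-Table User, Before, After, Status -AutoSize
$results | Export-Csv ".\PrimaryGroupLog.csv" -NoTypeInformation
```

One thing the change does not undo: when the primary group of an account changes, Active Directory writes the account into the member attribute of its former primary group, so it stays an ordinary member of that group. If the old primary group was a privileged one, that membership still has to be reviewed and removed by hand.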

The only problem that I came across was users that didn’t belong to the Domain Users group; obviously that is a problem. I was able to do hundreds of users in about 10 to 15 minutes. I hope that you enjoy this blog, and I hope that this helps someone trying to work with Active Directory. Overall, PowerShell is here to stay and I can see that it is very powerful.
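There is a second reason to audit this attribute, beyond the post's own case of users missing Domain Users. A primary group is not recorded in the group's member attribute or in the account's memberOf; it exists only as the primaryGroupID number. So an account whose primary group was set to 512 (Domain Admins) or 519 (Enterprise Admins) is a full member of that group while a look at the group's member list shows nothing. The script below is an added example, not from the post, and it goes beyond the single-user check above: it walks the whole domain, users and computers, and reports every account whose primary group is not the expected default. It assumes PowerShell 2.0 or later on a domain-joined machine with read access to the directory; the RID table and the function names are my assumptions.

```powershell
# Added example, not the original post's script: find accounts whose primary
# group is not the default. Assumes PowerShell 2.0+ on a domain-joined machine.

# Well-known RIDs of the built-in domain groups (the domain SID plus "-RID" is the group's SID)
$knownRids = @{
    512 = 'Domain Admins';           513 = 'Domain Users'
    514 = 'Domain Guests';           515 = 'Domain Computers'
    516 = 'Domain Controllers';      517 = 'Cert Publishers'
    518 = 'Schema Admins';           519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
    521 = 'Read-only Domain Controllers'
    525 = 'Protected Users';         526 = 'Key Admins'
    527 = 'Enterprise Key Admins'
}
# Primary groups that give the account administrative reach over the domain
$highRiskRids = @(512, 518, 519, 520, 526, 527)

# Run one paged subtree search from the domain root and return the SearchResult objects
function Search-Domain([string]$Filter) {
    $domainDn = ([adsi] "LDAP://RootDSE").defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi] "LDAP://$domainDn")
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # without paging a large domain returns only the first 1000 hits
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'primaryGroupID', 'objectSid', 'userAccountControl'))
    $searcher.FindAll()
}

# Turn one search hit into a finding record
function New-Finding($Result, [int]$Rid) {
    if ($knownRids.ContainsKey($Rid)) { $groupName = $knownRids[$Rid] }
    else                              { $groupName = "RID $Rid (not a built-in group)" }
    if ($highRiskRids -contains $Rid) { $severity = 'HIGH' } else { $severity = 'review' }
    New-Object PSObject -Property @{
        Account        = [string]$Result.Properties['samaccountname'][0]
        DN             = [string]$Result.Properties['distinguishedname'][0]
        PrimaryGroupID = $Rid
        PrimaryGroup   = $groupName
        Severity       = $severity
    }
}

function Get-NonDefaultPrimaryGroups {
    $findings = @()

    # Users default to Domain Users (513). The built-in Guest (RID 501) defaults to Domain Guests (514).
    foreach ($r in Search-Domain '(&(objectCategory=person)(objectClass=user)(!(primaryGroupID=513)))') {
        $rid = [int]$r.Properties['primarygroupid'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)
        if ($rid -eq 514 -and $sid.Value.EndsWith('-501')) { continue }
        $findings += New-Finding $r $rid
    }

    # Computers default to Domain Computers (515); writable DCs carry 516 and RODCs 521, which the
    # userAccountControl flags SERVER_TRUST_ACCOUNT (0x2000) / PARTIAL_SECRETS_ACCOUNT (0x4000000) confirm
    foreach ($r in Search-Domain '(&(objectCategory=computer)(!(primaryGroupID=515)))') {
        $rid = [int]$r.Properties['primarygroupid'][0]
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        if ($rid -eq 516 -and ($uac -band 0x2000))    { continue }
        if ($rid -eq 521 -and ($uac -band 0x4000000)) { continue }
        $findings += New-Finding $r $rid
    }
    $findings
}

$findings = Get-NonDefaultPrimaryGroups
$findings | Sort-Object Severity, PrimaryGroupID |
    Format-Table Account, PrimaryGroupID, PrimaryGroup, Severity -AutoSize
```

Anything reported as HIGH deserves the same scrutiny as an unexpected entry in the group's member list: either set the primary group back to Domain Users with the script above (which leaves the account as an ordinary member of the privileged group, to be removed separately) or treat it as a sign that someone has been hiding membership.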

First Post Just to Say Hello !

Filed under: Uncategorized — Chris @ 1:53 am

Trying this out to use as my primary site. I was using the Microsoft Live Spaces website for blogging but got a bit tired of it. MySpace seems too busy for me and it has lost its luster. I want to basically share programming tips and hobbies that I have in general. It's really late and I have to get up in a couple of hours, but I just wanted to put something down. I will add more later.

Blog at WordPress.com.