Updates from December, 2007

  • Chris 2:04 pm on December 29, 2007 Permalink | Reply

    Binding to an Active Directory Object with PowerShell 

    I wanted to talk about a PowerShell script I wrote recently. I work as a systems administrator at a large company, so scripting is a necessity of life. Fortunately we have a powerful shell to work with: PowerShell. I really like it because it allows for great flexibility to do different things. If you haven't worked with PowerShell yet you might want to take a look at it. It kind of reminds me of Perl.

    So let me get right to it. First off, you need a good editor if you want your scripts to look good. May I recommend PowerGUI? Their editor is free and has tons of features. Did I mention it's free?

    So now the script that I wrote basically changes the primary group of a user in Active Directory. We had some users that didn't have Domain Users as their primary group, which was causing issues. So I put together a script that changes this attribute.

    I will display the script, then walk you through it:

    #*********************************************************************
    #* NAME: PrimaryGroup.ps1
    #* Description: Change the primary group for a user in Active Directory
    #* Created by: Chris Federico
    #* Date: 12/06/07
    #*********************************************************************

    #Create a variable and add the contents of UserList.txt to it
    $UserList = Get-Content ".\UserList.txt"
    $LogFile = "Logfile.txt"

    #Create our log file for this script
    $CreateLogFile = New-Item -Path . -Name "$LogFile" -Type "File" -Force

    #Step thru the array
    foreach ($User in $UserList) {

        #Bind to each user account (the ADSI provider name "LDAP://" is case sensitive)
        $User = [adsi] "LDAP://cn=$User,OU=Users,dc=Microsoft,dc=local"

        #Display the current user
        Add-Content -Path $LogFile -Value ($User.name)

        #Create a variable that holds the value of the primaryGroupID
        $primaryGroupID = $User.primaryGroupID.Value

        #Display the current primary group ID
        Add-Content -Path $LogFile -Value ("Current PrimaryGroupID = $primaryGroupID")

        if ($primaryGroupID -ne 513) {
            #Change the property
            $User.primaryGroupID = 513

            #Commit the changes to AD
            $User.CommitChanges()

            #Display after change (re-read the attribute; the old variable still holds the previous value)
            $primaryGroupID = $User.primaryGroupID.Value
            Add-Content -Path $LogFile -Value ("Verification of change = $primaryGroupID")
            Add-Content -Path $LogFile -Value ("")
        }
        else {
            Add-Content -Path $LogFile -Value ("The Primary Group is Domain Users already")
            Add-Content -Path $LogFile -Value ("")
        }
    }

    If you're new to programming this script may seem daunting, but I tried to comment it as much as possible. You will notice that comments are shown with a # in front, the same way you would comment a hosts file. I'm sure you have heard that you can never comment too much when you're scripting.

    Before you begin, get a list of the users whose primary group you want to check or fix. You can do this by exporting a list of users from the “Users and Computers” MMC. Once you have this list, save it as UserList.txt (you can use any name you like as long as you reference it correctly).

    Start by creating an array by getting the content of your user list:


    #Create a variable and add the contents of UserList.txt to it
    $UserList = Get-Content ".\UserList.txt"

    I also like to create a log file, and that is just what I'm doing here:

    #Create our log file for this script
    $CreateLogFile = New-Item -Path . -Name "$LogFile" -Type "File" -Force

    Next we are going to step through the array of user names with a foreach command like this (this looks exactly like it's done in Perl):


    foreach ($User in $UserList) {

    Inside the foreach loop you are going to bind to each user.

    #Bind to each user account (the ADSI provider name "LDAP://" is case sensitive)
    $User = [adsi] "LDAP://cn=$User,OU=Users,dc=Microsoft,dc=local"

    What's going on here is that it reads, for example, the first user in the list ($User holds that name), makes an LDAP connection and binds to it. When you bind to an object you get access to all the attributes of the user, as we will see in a bit. You can also use the .NET Framework to bind to a user; I believe you would use something like System.DirectoryServices.DirectoryEntry("LDAP://Your AD Path"). Note that you can get errors if, say, no object is found or you do not have rights.

    Next I'm displaying the current user:

    #Display the current user
    Add-Content -Path $LogFile -Value ($User.name)

    Notice I'm using the name property. This is being written to the log file we created. Everything that gets written gets appended to the text file.

    Next I want to create a variable that will hold the value of the primary group and display the user's current primary group. The primary group property doesn't display a name; it displays a number. Nothing to fear though.


    #Create a variable that holds the value of the primaryGroupID
    $primaryGroupID = $User.primaryGroupID.Value

    #Display the current primary group ID
    Add-Content -Path $LogFile -Value ("Current PrimaryGroupID = $primaryGroupID")

    The Domain Users group ID number is 513, so the next section checks whether the current user's primary group ID is equal to 513. If it is, it logs that the group is already set; if it isn't, it sets the value. All of this gets appended to the text file.


    if ($primaryGroupID -ne 513) {
        #Change the property
        $User.primaryGroupID = 513

        #Commit the changes to AD
        $User.CommitChanges()

        #Display after change (re-read the attribute; the old variable still holds the previous value)
        $primaryGroupID = $User.primaryGroupID.Value
        Add-Content -Path $LogFile -Value ("Verification of change = $primaryGroupID")
        Add-Content -Path $LogFile -Value ("")
    }
    else {
        Add-Content -Path $LogFile -Value ("The Primary Group is Domain Users already")
        Add-Content -Path $LogFile -Value ("")
    }
    }

    The only problem that I came across was users that didn't belong to the Domain Users group at all; obviously that is a problem. I was able to do hundreds of users in about 10 to 15 minutes. I hope that you enjoy this blog and that it helps someone trying to work with Active Directory. Overall, PowerShell is here to stay and I can see that it is very powerful.
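    The same change as an added example (not Chris's PrimaryGroup.ps1), written the way I would run it today: it escapes the CN before building the DN, catches bind and write errors instead of letting them abort the run, checks that the user is an explicit member of Domain Users first (the case the post says caused trouble), re-reads the attribute for the log, and supports -WhatIf for a dry run. The function name, the OU and group DNs and the log path are assumptions; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not the original PrimaryGroup.ps1: the same change with a
# bind check, a Domain Users membership check, error logging and -WhatIf.
# Assumes PowerShell 2.0 or later; the OU and group DNs are placeholders.
function Set-PrimaryGroupToDomainUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$UserCN,
        [string]$UserOU  = 'OU=Users,DC=example,DC=local',                  # assumption
        [string]$GroupDN = 'CN=Domain Users,CN=Users,DC=example,DC=local',  # assumption
        [int]$TargetRid  = 513,                                             # Domain Users
        [string]$LogFile = '.\PrimaryGroup.log'
    )
    # Escape DN special characters so a CN like "Smith, John" cannot break the DN.
    $escapedCN = $UserCN -replace '([,\\#+<>;"=])', '\$1'
    try {
        # The ADSI provider name is case sensitive: "LDAP://", not "ldap://".
        $user = [adsi]"LDAP://CN=$escapedCN,$UserOU"
        $user.RefreshCache()          # forces the bind; throws if the object is missing
        $group = [adsi]"LDAP://$GroupDN"
    } catch {
        Add-Content -Path $LogFile -Value "$UserCN : bind failed - $($_.Exception.Message)"
        return
    }
    $userDN  = [string]$user.Properties['distinguishedName'].Value
    $current = [int]$user.Properties['primaryGroupID'].Value
    if ($current -eq $TargetRid) {
        Add-Content -Path $LogFile -Value "$UserCN : primaryGroupID is already $TargetRid"
        return
    }
    try {
        # AD only accepts a primary group the user is an explicit member of,
        # so add the user to Domain Users first when the member list lacks it.
        if (-not ($group.Properties['member'] -contains $userDN) -and
            $PSCmdlet.ShouldProcess($userDN, "Add to $GroupDN")) {
            $group.Properties['member'].Add($userDN) | Out-Null
            $group.CommitChanges()
        }
        if ($PSCmdlet.ShouldProcess($userDN, "Set primaryGroupID $current -> $TargetRid")) {
            $user.Properties['primaryGroupID'].Value = $TargetRid
            $user.CommitChanges()
            $user.RefreshCache()      # re-read so the log shows what AD actually stored
            $after = [int]$user.Properties['primaryGroupID'].Value
            Add-Content -Path $LogFile -Value "$UserCN : primaryGroupID $current -> $after"
        }
    } catch {
        Add-Content -Path $LogFile -Value "$UserCN : change failed - $($_.Exception.Message)"
    }
}
# Constructed usage (dry run first): Get-Content .\UserList.txt | ForEach-Object { Set-PrimaryGroupToDomainUsers -UserCN $_ -WhatIf }
```

    Run it once with -WhatIf and read the log before running it for real; the account running it needs write access to both the user objects and the Domain Users group's member attribute.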

    • Chris Federico 2:09 pm on December 29, 2007 Permalink

      I’m just noticing how awful the code is looking while I pasted it in between the tags . I can attach the script if anyone wants to see it .

    • sandrar 8:43 am on September 10, 2009 Permalink

      Hi! I was surfing and found your blog post… nice! I love your blog. 🙂 Cheers! Sandra. R.

    • Chris 11:30 am on September 10, 2009 Permalink

      @Sandra

      Thank you 🙂

  • Chris 1:53 am on December 29, 2007 Permalink | Reply  

    First Post Just to Say Hello ! 

    Trying this out to use as my primary site. I was using the Microsoft Spaces Live website for blogging but got a bit tired of it. Myspace seems too busy for me and it has lost its luster. I want to basically share programming tips and hobbies that I have in general. It's really late and I have to get up in a couple of hours, but I just wanted to put something down. I will add more later.
