Binding to an Active Directory Object with PowerShell

I wanted to talk about a PowerShell script I wrote recently. I work as a systems administrator at a large company, so scripting is a necessity of life. Fortunately we have a powerful shell to work with: PowerShell. I really like it because it allows for great flexibility to do different things. If you haven't worked with PowerShell yet you might want to take a look at it. It kind of reminds me of Perl.

So let me get right to it. First off, you need a good editor if you want your scripts to look good. May I recommend PowerGui? Their editor is free and has tons of features. Did I mention it's free?

So now, the script that I wrote basically changes the primary group of a user in Active Directory. We had some users that didn't have Domain Users as their primary group, which was causing issues. So I put together a script that changes this attribute.

I will display the script, then walk you through it:

#*********************************************************************
# NAME: PrimaryGroup.ps1
# Description: Change the primary group for a user in Active Directory
# Created by: Chris Federico
# Date: 12/06/07
#*********************************************************************

# Create a variable and add the contents of UserList.txt to it (one user name per line)
$UserList = Get-Content ".\UserList.txt"
$LogFile = "Logfile.txt"

# Create our log file for this script
$CreateLogFile = New-Item -Path . -Name "$LogFile" -Type "File" -Force

# Step through the array
foreach ($User in $UserList) {

# Bind to each user account. The provider moniker is case-sensitive: it must be "LDAP://",
# not "ldap://", or the bind fails with an invalid-ADsPath error.
$User = [adsi] "LDAP://CN=$User,OU=Users,DC=Microsoft,DC=local"

# Log the current user
Add-Content -Path $LogFile -Value ($User.name)

# Create a variable that holds the value of the primaryGroupID (a single integer, the group's RID)
$primaryGroupID = $User.primaryGroupID.Value

# Log the current primary group ID
Add-Content -Path $LogFile -Value ("Current PrimaryGroupID = $primaryGroupID")

if ($primaryGroupID -ne 513) {

# Change the property (513 is the RID of Domain Users)
$User.primaryGroupID = 513

# Commit the changes to AD
$User.CommitChanges()

# Re-read the object from the domain controller and log the value it holds now,
# rather than the value cached in $primaryGroupID before the change
$User.RefreshCache()
$primaryGroupID = $User.primaryGroupID.Value
Add-Content -Path $LogFile -Value (" Verification of change = $primaryGroupID")
Add-Content -Path $LogFile -Value ("")
}
else
{
Add-Content -Path $LogFile -Value ("The Primary Group is Domain Users already ")
Add-Content -Path $LogFile -Value ("")
}
}

If you're new to programming this script may seem daunting, but I tried to comment it as much as possible. You will notice that comments are shown with a # in front, the same way you would comment a hosts file. I'm sure you have heard that you can never comment too much when you're scripting.

Before you begin, get a list of the users whose primary group you want to check or fix. You can do this by exporting a list of users from the "Active Directory Users and Computers" MMC snap-in. Once you have this list, save it as UserList.txt (you can use any name you like as long as you reference it correctly). Put one user name per line, because each line becomes the CN in the bind path.

Start by creating an array from the contents of your user list:


#Create a variable and add the contents of Userlist.txt to it
$UserList = Get-content ".\UserList.txt"

I also like to create a log file, and that is just what I'm doing here:

# Create our log file for this script

$CreateLogFile = New-Item -Path . -Name "$LogFile" -Type "File" -Force

Next we are going to step through the array of user names with a foreach loop, like this (it looks exactly like it's done in Perl):


foreach ($User in $UserList) {

Inside the foreach loop you are going to bind to each user.

# Bind to each user account. The provider moniker is case-sensitive: it must be "LDAP://",
# not "ldap://", or the bind fails with an invalid-ADsPath error.

$User = [adsi] "LDAP://CN=$User,OU=Users,DC=Microsoft,DC=local"

What's going on here is that the loop reads the first user in the list ($User holds that name), builds an LDAP path from it and binds to that object. Once you are bound to an object you have access to all of its attributes, as we will see in a bit. You can also use the .NET Framework to bind to a user. I believe you would use something like System.DirectoryServices.DirectoryEntry("LDAP://Your AD Path"). Now you can get errors if, say, no object is found or you do not have rights. Note that the [adsi] cast itself is lazy: a mistyped path or a missing object usually does not fail at the cast but on the first property read, so that is where to expect the error.
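The bind above pastes each line of UserList.txt straight into a distinguished name, so a name containing a comma (or a stray character) yields a bad path, and you only find out when a property is read. The following is an added example, not code from the original post: it looks each account up by sAMAccountName with a DirectorySearcher, escapes the value per RFC 4515 so a line in the file cannot alter the filter, and uses DirectoryEntry.Exists to test a path before reading from it. It assumes a domain-joined Windows host; the function names, the RootDSE lookup and the $SampleNames list are this example's own.

```powershell
# Added example, not from the original post. Assumes a domain-joined Windows host;
# function names, the RootDSE lookup and $SampleNames are this example's own.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a line from UserList.txt cannot alter the filter.
    # Backslash is handled first so the escapes added afterwards are not escaped again.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

function Find-AdUserEntry {
    # Look an account up by sAMAccountName under the domain root; returns the
    # DirectoryEntry, or $null when there is no such user.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
    $safe = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $result.GetDirectoryEntry()
}

function Test-AdPath {
    # True if an ADsPath resolves; cheaper than binding and waiting for the
    # first property read to throw.
    param([Parameter(Mandatory)][string]$Path)
    [System.DirectoryServices.DirectoryEntry]::Exists($Path)
}

# Constructed sample input: two ordinary names and one that would turn an
# unescaped filter into "match every object".
$SampleNames = @('jdoe', 'asmith', 'x)(objectClass=*')

foreach ($name in $SampleNames) {
    $entry = Find-AdUserEntry -SamAccountName $name
    if ($null -eq $entry) {
        Write-Warning "No user with sAMAccountName '$name'"
        continue
    }
    try {
        # A bad bind surfaces here, on the first property read, not at the cast.
        $dn = $entry.distinguishedName.Value
        '{0}  primaryGroupID={1}  exists={2}' -f $dn, $entry.primaryGroupID.Value, (Test-AdPath "LDAP://$dn")
    }
    catch { Write-Warning ("Cannot read {0}: {1}" -f $name, $_.Exception.Message) }
    finally { $entry.Dispose() }
}
```

The escaping is what matters if the list comes from anywhere you do not fully control: the third sample name, unescaped, would widen the search to every object in the domain, and FindOne would happily hand back the first of them.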

Next I'm logging the current user:

#Display the Current User
Add-Content -path $LogFile -value ($user.name)

Notice I'm using the name property. This is being written to the log file we created; everything that gets written is appended to the text file.

Next I want to create a variable that holds the value of the primary group and log the user's current primary group. The primaryGroupID property doesn't hold a name; it holds a number, the relative ID (RID) of the group within the domain. Nothing to fear, though.


# Create a variable that holds the value of the primaryGroupID (a single integer, the group's RID)
$primaryGroupID = $User.primaryGroupID.Value

# Log the current primary group ID

Add-Content -Path $LogFile -Value ("Current PrimaryGroupID = $primaryGroupID")

The Domain Users group has RID 513, so the next section checks whether the current user's primary group ID is equal to 513. If it is, the script logs that the group is already set; if not, it sets the value. All of this gets appended to the text file. Two things are worth knowing before you overwrite the attribute. First, the domain controller only accepts a primary group the user is already a member of, so an account that is not in Domain Users will fail at this step. Second, the primary group is recorded only on the user and does not appear in the group's member attribute, so a value such as 512 (Domain Admins) on an ordinary account is a membership you cannot see by looking at the group, and deserves a look rather than a silent change.


if ($primaryGroupID -ne 513) {

# Change the property (513 is the RID of Domain Users)

$User.primaryGroupID = 513

# Commit the changes to AD

$User.CommitChanges()

# Re-read the object from the domain controller and log the value it holds now,
# rather than the value cached in $primaryGroupID before the change

$User.RefreshCache()
$primaryGroupID = $User.primaryGroupID.Value
Add-Content -Path $LogFile -Value (" Verification of change = $primaryGroupID")
Add-Content -Path $LogFile -Value ("")
}
else
{
Add-Content -Path $LogFile -Value ("The Primary Group is Domain Users already ")
Add-Content -Path $LogFile -Value ("")
}
}
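Taking the same fix a step further, the added example below (not code from the original post) first audits the whole domain for accounts whose primaryGroupID is not 513, resolves each RID to the group it names by binding to the group's SID, flags the well-known privileged RIDs, and only then repairs the non-privileged accounts, adding each one to Domain Users before changing the attribute so the domain controller accepts the new value. It assumes a domain-joined Windows host and an account with rights to read and modify the users concerned; the function names and the $PrivilegedRids table are this example's own (the RIDs themselves are the documented well-known values).

```powershell
# Added example, not from the original post. Assumes a domain-joined Windows host
# and an account allowed to read and modify the users concerned. Function names
# and the $PrivilegedRids table are this example's own; the RIDs are the
# documented well-known values.
Add-Type -AssemblyName System.DirectoryServices

# RIDs that should never turn up as an ordinary user's primary group.
$PrivilegedRids = @{ 512 = 'Domain Admins'; 516 = 'Domain Controllers'
                     518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

function Get-DomainContext {
    # Domain DN and SID from RootDSE, so nothing is hard-coded.
    $dn     = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value
    $domain = [adsi]"LDAP://$dn"
    $sid    = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid.Value, 0)
    [pscustomobject]@{ Dn = $dn; Sid = $sid }
}

function Get-GroupByRid {
    # primaryGroupID is only a RID; the group's SID is <domain SID>-<RID>, and the
    # <SID=...> path form binds to it without knowing the group's DN.
    param([Parameter(Mandatory)][int]$Rid, [Parameter(Mandatory)]$Ctx)
    [adsi]"LDAP://<SID=$($Ctx.Sid.Value)-$Rid>"
}

function Find-NonStandardPrimaryGroup {
    # Every user object whose primary group is not Domain Users (RID 513).
    param([Parameter(Mandatory)]$Ctx)
    $s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$($Ctx.Dn)")
    $s.Filter   = '(&(objectCategory=person)(objectClass=user)(!(primaryGroupID=513)))'
    $s.PageSize = 500                      # paged, so more than 1000 hits still come back
    [void]$s.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'primaryGroupID'))
    foreach ($r in $s.FindAll()) {
        $rid = [int]$r.Properties['primarygroupid'][0]
        $groupName = $null
        try { $groupName = [string](Get-GroupByRid -Rid $rid -Ctx $Ctx).sAMAccountName.Value } catch { }
        if (-not $groupName) { $groupName = "<unresolved RID $rid>" }
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Dn             = [string]$r.Properties['distinguishedname'][0]
            PrimaryGroupId = $rid
            PrimaryGroup   = $groupName
            Privileged     = $PrivilegedRids.ContainsKey($rid)
        }
    }
}

function Repair-PrimaryGroup {
    # Set primaryGroupID back to Domain Users, adding the membership first:
    # the DC rejects a primary group the user is not already a member of.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)]$Ctx)
    $user    = [adsi]"LDAP://$Dn"
    $group   = Get-GroupByRid -Rid 513 -Ctx $Ctx
    $groupDn = $group.distinguishedName.Value
    if (@($user.memberOf) -notcontains $groupDn) {
        if ($PSCmdlet.ShouldProcess($Dn, "Add to $groupDn")) {
            $group.Add("LDAP://$Dn")            # IADsGroup::Add takes the member's ADsPath
        }
    }
    if ($PSCmdlet.ShouldProcess($Dn, 'Set primaryGroupID to 513')) {
        $user.Put('primaryGroupID', 513)
        $user.SetInfo()
        $user.RefreshCache()                    # re-read from the DC rather than trusting the local cache
    }
    return [int]$user.primaryGroupID.Value
}

# Audit first; then repair only the non-privileged findings. Drop -WhatIf to apply.
$ctx      = Get-DomainContext
$findings = @(Find-NonStandardPrimaryGroup -Ctx $ctx)
$findings | Format-Table SamAccountName, PrimaryGroupId, PrimaryGroup, Privileged -AutoSize
foreach ($f in $findings | Where-Object { -not $_.Privileged }) {
    $after = Repair-PrimaryGroup -Dn $f.Dn -Ctx $ctx -WhatIf
    '{0}: primaryGroupID = {1}' -f $f.SamAccountName, $after
}
$findings | Where-Object Privileged | ForEach-Object {
    Write-Warning ('{0} has primary group {1} (RID {2}); review by hand' -f $_.SamAccountName, $_.PrimaryGroup, $_.PrimaryGroupId)
}
```

Run it once with -WhatIf in place to see what it would touch; the privileged findings are deliberately left alone and only warned about, because a primary group of 512 or 519 on an ordinary account is invisible in the group's own membership list and is exactly the sort of thing an audit should surface rather than quietly reset.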

The only problem that I came across was users that didn't belong to the Domain Users group; obviously that is a problem. I was able to do hundreds of users in about 10 to 15 minutes. I hope that you enjoy this blog. I hope that this helps someone trying to work with Active Directory. Overall, PowerShell is here to stay and I can see that it is very powerful.
