How can you set an arbitrary AD attribute with PowerShell?
Of course, Get-QADUser and Set-QADUser have a default set of the most common attributes that the cmdlets retrieve and operate on. Thus, for example, moving me to marketing could be as simple as:
Set-QADUser "Dmitry Sotnikov" -Department Marketing
However, sometimes an extended schema, or the need to work with a not-so-common set of attributes, makes you want to go beyond the most common parameters.
In a few recent posts I’ve blogged about:
- Getting a full list of user attributes from AD schema,
- Retrieving and manipulating arbitrary AD attributes,
- Optimizing retrieval by memory and performance.
Now let’s (hopefully) finish the series by talking about how you can set any attribute in AD.
In most cases, when you need to set any of the attributes beyond the default scope, you can do that using the -ObjectAttributes parameter.
For example:
Set-QADUser jsmith -ObjectAttributes @{l='New York';description='Reallocated Jan 1'}
changes the city and description attributes for user jsmith.
Or
Set-QADUser 'mycompany.com/usersOU/User1' -objectAttributes @{otherTelephone=@('555-34-67','555-34-68')}
sets the multivalued otherTelephone attribute to the values 555-34-67 and 555-34-68.
Or
[Collections.DictionaryEntry] $de = new-object Collections.DictionaryEntry -argumentList Append, @('555-34-67','555-34-68')
Set-QADUser User1 -objectAttributes @{otherTelephone=$de}
appends the values 555-34-67 and 555-34-68 to the multivalued otherTelephone attribute.
In some cases you might also need to make sure you supply data in the right format, because -ObjectAttributes does not convert attribute values before passing them to AD. For INTEGER8 attributes like accountExpires, this means you must pass only values of the types accepted by Microsoft LDAP ADSI: IADsLargeInteger, string or int.
This means that you would need to do the conversion manually with something like this:
$dateOfExpiration = (get-date -year 2007 -month 10 -day 15).ToFileTime().ToString()
set-qaduser user1 -ObjectAttributes @{accountExpires = $dateOfExpiration}
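The conversion above, carried through as a round trip in an added example (not code from the original post). ConvertTo-AccountExpires and ConvertFrom-AccountExpires are hypothetical helper names; the example also handles the two "never expires" values of accountExpires and the time-of-day component that Get-Date carries along.

```powershell
# Added example. ConvertTo-/ConvertFrom-AccountExpires are hypothetical helper
# names, not Quest cmdlets; only .NET DateTime methods are used.

# accountExpires stores 100-ns intervals since 1601-01-01 UTC.
# 0 and 0x7FFFFFFFFFFFFFFF (9223372036854775807) both mean "never expires".
$NeverExpires = @('0', '9223372036854775807')

function ConvertTo-AccountExpires {
    param([Parameter(Mandatory=$true)][datetime] $Date)
    # ToUniversalTime() treats an unspecified Kind as local time, matching ToFileTime().
    # Return a string: one of the types ADSI accepts for INTEGER8.
    return $Date.ToUniversalTime().ToFileTimeUtc().ToString()
}

function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory=$true)][string] $Value)
    if ($NeverExpires -contains $Value) { return $null }   # no expiry set
    return [datetime]::FromFileTimeUtc([long]$Value).ToLocalTime()
}

# Get-Date with only -Year/-Month/-Day keeps the current time of day,
# so take .Date to expire at local midnight rather than "whenever this ran".
$expiry = (Get-Date -Year 2007 -Month 10 -Day 15).Date
$raw    = ConvertTo-AccountExpires $expiry
$back   = ConvertFrom-AccountExpires $raw

"{0} -> {1} -> {2}" -f $expiry, $raw, $back
if ($back -ne $expiry) { throw 'round trip failed' }
if ($null -ne (ConvertFrom-AccountExpires '9223372036854775807')) { throw 'sentinel not handled' }

# With the Quest snap-in loaded, the string is what the post passes to AD:
# Set-QADUser user1 -ObjectAttributes @{accountExpires = $raw}
```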
Hope this helps (and hope that in most cases the default set of attributes will be more than enough so you won’t need all these advanced tricks).
Dmitry
Tags: AD cmdlets, cmdlets, oneliner, one-liner, AD, Active Directory, Examples

I am attempting to add a new attribute to “proxyAddresses”, which is a multi-valued AD attribute. I am able to write the data, but it replaces the existing addresses. Reading this post, it says that I should be using Collections.DictionaryEntry. I cannot get this to work.
My overall goal is to read the sAMAccountName from a CSV file. For each user, I want it to ADD or APPEND a new proxyAddresses x500 address. Below is the current state of my script. If I remove the line for the Collections.DictionaryEntry and replace the value for $de to point to my spreadsheet, the script works. However, it REPLACES the existing data and only writes the new address.
—– My PowerShell Script —–
Connect-QADService -service 'domain.company.net' -Credential ( Get-Credential )
$list = import-csv "c:\test.csv"
foreach ($name in $list)
{
[Collections.DictionaryEntry] $de = new-object Collections.DictionaryEntry -argumentList 'Append, @('"X500:/O=My Company, Inc./OU=Corporate/cn=Recipients/cn=testmigrate8attempt3"')'
Get-QADUser -SamAccountName $name.sAMAccountName | Set-QADUser -ObjectAttributes @{proxyAddresses=$de}
}
Disconnect-QADService
—– My PowerShell Script —–
I receive the following message:
DefaultNamingContext Type
——————– —-
DC=domain,DC=company,DC=net ActiveDirectory
A parameter cannot be found that matches parameter name ‘X500:/O=My Company, Inc./OU=Corporate/cn=Recipients/cn=testmigrate8attempt3′.
At line 6, position 0
{
Do you have a suggestion on how I can change my script? Is there a cmdlet that will let me import the existing multivalued data and then append a new entry to it?
Thank you,
Dustin
Dustin,
I don’t currently have access to my lab to troubleshoot the script. Could you post the question to the AD PowerShell forum at: http://powergui.org/forum.jspa?forumID=173
The folks there are very helpful.
Dmitry
Hi Dmitry,
Thanks for pointing me to the correct forum. I was able to do some more research and it appears to be working now. I’m posting my latest script just for your reference. I hope it helps others looking to perform a similar task.
#This script reads from a CSV file. It uses the sAMAccountName column in the CSV to find the user. Then it reads the proxyAddresses attribute and appends the proxyAddresses data from the CSV. This is needed because proxyAddresses is a multivalued attribute.
Connect-QADService -service 'domain.company.net' -Credential ( Get-Credential )
$list = import-csv "c:\test.csv"
foreach ($name in $list)
{
$UserInfo = Get-QADUser -SamAccountName $name.sAMAccountName
#The following line should only be used for multivalued attributes. It reads from the existing attributes and adds additional data from the CSV file.
Get-QADUser -SamAccountName $name.sAMAccountName | Set-QADUser -ObjectAttributes @{proxyAddresses=$UserInfo.proxyAddresses +=$name.proxyAddresses}
Write-Host $UserInfo.ProxyAddresses
}
Disconnect-QADService
Thank you,
Dustin Hollenback
Senior Consultant
Ensynch
Hi,
I want to do this script :
Search the user department attribute in AD and:
if objUser.Get(”departement”) = “%variable%” then
add group “%variable%”
group=”cn=%variable%”
ouGroups=”ou=NoIAM,ou=%variable%,”
ouMoveUser=”ou=%variable%”
Do you have an idea?
Thanks.
Ben, this code of yours is definitely not PowerShell. Come join our side and we’ll be here to help.
PowerGUI.org has a pretty good AD Management forum (but again for PowerShell only)
Could be a newbie question, but I have been looking around for a solution for more than two days. I want to append a value to a multi-valued AD attribute such as userworkstations, and as in the help example I use:
PS C:\> [Collections.DictionaryEntry] $de = new-object Collections.DictionaryEntry -argumentList Append, @('srvr-ica6')
PS C:\> set-QADUser 'CN=TestUser2,CN=Users,DC=test,DC=pippo,DC=com' -objectAttributes @{userworkstations=$de}
but immediately I receive this error message:
Set-QADUser : L'attributo o valore specificato per il servizio directory esiste già. (Eccezione da HRESULT: 0x8007200D)
At line:1 char:12
+ set-QADUser <<<< 'CN=TestUser2,CN=Users,DC=test,DC=pippo,DC=com' -objectAttributes @{userworkstations=$de}
Any suggestion?
Riccardo, I think you already found the solution with other folks at the forum: http://powergui.org/thread.jspa?threadID=7844&tstart=0
I couldn’t get the code above to work either until I added the “includeallproperties” to both “GET-QADUSER” statements (see below).
This script will currently die if it encounters a duplicate X500 address and will not continue on to the next user. I am a 2 hour newbie into powershell and I think fixing this issue would be pretty helpful.
$list = import-csv "c:\test.csv"
foreach ($name in $list)
{
$UserInfo = Get-QADUser -SamAccountName $name.sAMAccountName -IncludeAllProperties
#The following line should only be used for multivalued attributes. It reads from the existing attributes and adds additional data from the CSV file.
Get-QADUser -SamAccountName $name.sAMAccountName -IncludeAllProperties | Set-QADUser -ObjectAttributes @{proxyAddresses=$UserInfo.proxyAddresses +=$name.proxyAddresses}
Write-Host $UserInfo.proxyAddresses
}
Really? This is weird… Could you post that to the AD PowerShell forum at: http://powergui.org/forum.jspa?forumID=173 so the engineers confirm/troubleshoot the behavior?
Dmitry
Upon looking at your code once again, I can see why you needed all properties in the first call – proxyAddresses attribute is not retrieved by default (still a more efficient way is to do: -IncludedProperties proxyAddresses). For the second one – I don’t think you need it. Even more, you actually do not need the second get at all. You can use the samAccountName as the identity parameter right in the set.
$list = import-csv "c:\test.csv"
foreach ($name in $list)
{
$UserInfo = Get-QADUser -SamAccountName $name.sAMAccountName -IncludedProperties proxyAddresses
#The following line should only be used for multivalued attributes. It reads from the existing attributes and adds additional data from the CSV file.
Set-QADUser $name.sAMAccountName -ObjectAttributes @{proxyAddresses=$UserInfo.proxyAddresses +=$name.proxyAddresses}
Write-Host $UserInfo.proxyAddresses
}
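An added example, not part of the original thread, addressing the two problems raised above: a duplicate address aborting the run, and one bad record stopping the batch. Merge-MultiValue is a hypothetical helper; the cmdlets, parameters and CSV columns are the ones used in the thread, and the case-insensitive comparison is an assumption about how the directory compares these string values.

```powershell
# Added example. Merge-MultiValue is a hypothetical helper; it assumes the
# Quest snap-in is loaded and a connection is already open.
function Merge-MultiValue {
    param([string[]] $Existing, [string[]] $New)
    $seen   = @{}      # lower-cased values already kept
    $merged = @()
    foreach ($v in @($Existing) + @($New)) {
        if ([string]::IsNullOrEmpty($v)) { continue }
        $key = $v.Trim().ToLowerInvariant()   # assumption: duplicates differ at most by case
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $merged += $v.Trim()
        }
    }
    return ,$merged    # comma keeps a 0- or 1-element result an array
}

$failed = @()
foreach ($row in Import-Csv 'c:\test.csv') {
    try {
        $user = Get-QADUser -SamAccountName $row.sAMAccountName -IncludedProperties proxyAddresses -ErrorAction Stop
        if (-not $user) { throw 'user not found' }

        $current = Merge-MultiValue -Existing $user.proxyAddresses
        $merged  = Merge-MultiValue -Existing $current -New $row.proxyAddresses
        if ($merged.Count -eq $current.Count) { continue }   # address already present, nothing to write

        Set-QADUser $row.sAMAccountName -ObjectAttributes @{proxyAddresses = $merged} -ErrorAction Stop
    }
    catch {
        # Record the failure and move on to the next row instead of aborting.
        $failed += "$($row.sAMAccountName): $($_.Exception.Message)"
    }
}
$failed   # review anything that was skipped
```

Because each write replaces the whole attribute with the merged list, a change made to proxyAddresses by another process between the read and the write would be overwritten.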
Sorry, I forgot to post the solution here.
Your last comment was really helpful!
Thanks Dmitry!
Nice…I just ran my script today and it took about 2.5 hours for 4000 records. I am guessing that your tightened up code would reduce this time.
Thanks
Complete Newbie here….
I want to search our users for those with a Particular Company attribute, and then change them to have a different company attribute… Any help would be great!!…..
Ian,
Is the attribute among the ones exposed as Get-QADUser and Set-QADUser parameters?
If yes, then it is trivial, e.g.:
Get-QADUser -City "Chicago" | Set-QADUser -City "Mumbai"
If not, then use the ObjectAttributes parameter:
Get-QADUser -ObjectAttributes @{l='Chicago'} | Set-QADUser -ObjectAttributes @{l='Mumbai'}
Please ask any questions at our PowerShell support forums: http://powergui.org/forumindex.jspa?categoryID=55 – the guys over there are normally much faster to respond than I am.
Dmitry
Hi,
how can I clear the attribute “msrassavedframedipaddress”? When I try to use:
Get-QADUser USERNAME| Set-QADUser -ObjectAttributes @{msrassavedframedipaddress=$null}
I do get an access denied error. The user performing the command is a domain administrator.
Thomas