Set ANY AD attribute with PowerShell

How can you set an arbitrary AD attribute with PowerShell?

Of course Get-QADUser and Set-QADUser have a set of default most common attributes the cmdlets retrieve and operate. Thus, for example moving me to marketing could be as simple as:

Set-QADUser "Dmitry Sotnikov" -Department Marketing

However, sometimes (extended schema or necessity to operate a not-so-common sets of attributes) makes you want to go beyond the most common parameters.

In a few recent posts I’ve blogged about:

Now let’s (hopefully) finish the series by talking about how you can set any attribute in AD.

In most cases, when you need to set any of the attributes beyond the default scope, you can do that using the -ObjectAtributes parameter.

For example:

Set-QADUser jsmith -ObjectAttributes @{l=’New York’;description='Reallocated Jan 1'}

changes city and description attributes for user jsmith.

Or

Set-QADUser ‘mycompany.com/usersOU/User1′ -objectAttributes @{otherTelephone=@(’555-34-67′,’555-34-68′)}

sets multivalued otherTelephone attribute to values 555-34-67 and 555-34-68.

Or

[Collections.DictionaryEntry] $de = new-object Collections.DictionaryEntry -argumentList ‘Append, @(’555-34-
67′,’555-34-68′)’

Set-QADUser User1 -objectAttributes @{otherTelephone=$de}

Appends multivalued otherTelephone attribute with values 555-34-67 and 555-34-68.

In some cases you might also need to make sure you supply data in right format because -ObjectAttributes does not convert values of attributes before passing them to AD. For INTEGER8 attributes like accountExpires this
means you must pass only values of types accepted by Microsoft LDAP ADSI:
IADsLargeInteger, string or int.

This means that you would need to do the conversion manually with something like this:

$dateOfExpiration = (get-date -year 2007 -month 10 -day
15).ToFileTime().ToString()

set-qaduser user1 -ObjectAttributes @{accountExpires =
$dateOfExpiration}

Hope this helps (and hope that in most cases the default set of attributes will be more than enough so you won’t need all these advanced tricks).

Dmitry

Tags: , , , , , ,

27 Responses to “Set ANY AD attribute with PowerShell”


  1. 1 Dustin Hollenback June 8, 2008 at 12:43 am

    I am attempting to add a new attribute to “proxyAddresses”, which is a mult-valued AD attribute. I am able to write the data, but it replaces the existing addresses. Reading this post, it says that I should be using Collections.DictionaryEntry. I can not get this to work.

    My overall goal is to read the sAMAccountName from a CSV file. For each user, I want it to ADD or APPEND a new proxyAddresses x500 address. Below is the current state of my script. If I remove the line for the Collections.DictionaryEntry and replace the value for $de to point to my spreadsheet, the script works. However, it REPLACES the existing data and only writes the new address.

    —– My PowerShell Script —–
    Connect-QADService -service ‘domain.company.net’ -Credential ( Get-Credential )

    $list = import-csv “c:\test.csv”
    foreach ($name in $list)
    {
    [Collections.DictionaryEntry] $de = new-object Collections.DictionaryEntry -argumentList ‘Append, @(‘”X500:/O=My Company, Inc./OU=Corporate/cn=Recipients/cn=testmigrate8attempt3″‘)’
    Get-QADUser -SamAccountName $name.sAMAccountName | Set-QADUser -ObjectAttributes @{proxyAddresses=$de}
    }
    Disconnect-QADService
    —– My PowerShell Script —–

    I receive the following message:

    DefaultNamingContext Type
    ——————– —-
    DC=domain,DC=company,DC=net ActiveDirectory
    A parameter cannot be found that matches parameter name ‘X500:/O=My Company, Inc./OU=Corporate/cn=Recipients/cn=testmigrate8attempt3’.
    At line 6, position 0
    {

    Do you have a suggestion on how I can change my script? Is there a cmdlet that will let me import the existing multivalued data and then append a new entry to it?

    Thank you,

    Dustin

  2. 2 dmitrysotnikov June 8, 2008 at 6:59 am

    Dustin,

    I don’t currently have access to my lab to troubleshoot the script. Could you post the question to the AD PowerShell forum at: http://powergui.org/forum.jspa?forumID=173

    The folks there are very helpful.

    Dmitry

  3. 5 Dustin Hollenback June 8, 2008 at 4:35 pm

    Hi Dmitry,

    Thanks for pointing me to the correct forum. I was able to do some more research and it appears to be working now. I’m posting my latest script just for your reference. I hope it helps others looking to perform a similar task.

    #This script reads from a CSV file. It uses the sAMAccountName column in the CSV to find the user. Then it reads the proxyAddresses attribute and appends the proxyAddresses data from the CSV. This is needed because proxyAddresses is a multivalued attribute.
    Connect-QADService -service ‘domain.company.net’ -Credential ( Get-Credential )

    $list = import-csv “c:\test.csv”
    foreach ($name in $list)
    {
    $UserInfo = Get-QADUser -SamAccountName $name.sAMAccountName
    #The following line should only be used for multivalued attributes. It reads from the existing attributes and adds additional data from the CSV file.
    Get-QADUser -SamAccountName $name.sAMAccountName | Set-QADUser -ObjectAttributes @{proxyAddresses=$UserInfo.proxyAddresses +=$name.proxyAddresses}
    Write-Host $UserInfo.ProxyAddresses
    }
    Disconnect-QADService

    Thank you,

    Dustin Hollenback
    Senior Consultant
    Ensynch

  4. 6 ben June 25, 2008 at 7:56 am

    Hi,

    I want to do this script :

    Search atttribu user departement to AD and :

    if objUser.Get(“departement”) = “%variable%” then
    add group “%variable%”
    group=”cn=%variable%”
    ouGroups=”ou=NoIAM,ou=%variable%,”
    ouMoveUser=”ou=%variable%”

    Have you an idea ?.

    Thank.

  5. 7 dmitrysotnikov June 25, 2008 at 6:11 pm

    Ben, this code of yours is definitely not PowerShell. Come join our side and we’ll be here to help.😉

    PowerGUI.org has a pretty good AD Management forum (but again for PowerShell only)

  6. 8 Riccardo November 26, 2008 at 8:57 am

    Could be a newbee question but it’s more than two days that i looking around for a solution.I want to append a value to a multi-valued AD attribute such as userworkstations and as the help example I use:

    PS C:\> [Collections.DictionaryEntry] $de = new-object Collections.DictionaryEntry -argumentList Append, @(‘srvr-ica6’)
    PS C:\> set-QADUser ‘CN=TestUser2,CN=Users,DC=test,DC=pippo,DC=com’ -objectAttributes @{userworkstations=$de}

    but immediatly i recieve this error message:

    Set-QADUser : L’attributo o valore specificato per il servizio directory esiste già. (Eccezione da HRESULT: 0x8007200D)
    At line:1 char:12
    + set-QADUser <<<< ‘CN=TestUser2,CN=Users,DC=test,DC=pippo,DC=com’ -objectAttributes @{userworkstations=$de}

    Any suggestion?

  7. 9 Dmitry Sotnikov November 27, 2008 at 11:03 am

    Riccardo, I think you already found the solution with other folks at the forum: http://powergui.org/thread.jspa?threadID=7844&tstart=0

  8. 10 Trevor MacDonald November 30, 2008 at 1:24 am

    I couldn’t get the code above to work either until I added the “includeallproperties” to both “GET-QADUSER” statements (see below).

    This script will currently die if it encounters a duplicate X500 address and will not continue on to the next user. I am a 2 hour newbie into powershell and I think fixing this issue would be pretty helpful.

    $list = import-csv “c:\test.csv”
    foreach ($name in $list)
    {
    $UserInfo = Get-QADUser -SamAccountName $name.sAMAccountName -IncludeAllProperties

    #The following line should only be used for multivalued attributes. It reads from the existing attributes and adds additional data from the CSV file.

    Get-QADUser -SamAccountName $name.sAMAccountName -IncludeAllProperties | Set-QADUser -ObjectAttributes @{proxyAddresses=$UserInfo.proxyAddresses +=$name.proxyAddresses}
    Write-Host $UserInfo.proxyAddresses
    }

  9. 11 Dmitry Sotnikov December 1, 2008 at 11:19 am

    Really? This is weird… Could you post that to the AD PowerShell forum at: http://powergui.org/forum.jspa?forumID=173 so the engineers confirm/troubleshoot the behavior?

    Dmitry

  10. 12 Dmitry Sotnikov December 1, 2008 at 11:29 am

    Upon looking at your code once again, I can see why you needed all properties in the first call – proxyAddresses attribute is not retrieved by default (still a more efficient way is to do: -IncludedProperties proxyAddresses). For the second one – I don’t think you need it. Even more, you actually do not need the second get at all. You can use the samAccountName as the identity parameter right in the set.

    $list = import-csv “c:\test.csv”
    foreach ($name in $list)
    {
    $UserInfo = Get-QADUser -SamAccountName $name.sAMAccountName -IncludedProperties proxyAddresses

    #The following line should only be used for multivalued attributes. It reads from the existing attributes and adds additional data from the CSV file.

    Set-QADUser $name.sAMAccountName -ObjectAttributes @{proxyAddresses=$UserInfo.proxyAddresses +=$name.proxyAddresses}
    Write-Host $UserInfo.proxyAddresses
    }

  11. 13 Riccardo December 1, 2008 at 5:16 pm

    Sorry, i’ve forgot to post the solution here.
    Your last comment was really helpfull!
    Thanks Dmitry!

  12. 14 Trevor MacDonald December 4, 2008 at 5:42 am

    Nice…I just ran my script today and it took about 2.5 hours for 4000 records. I am guessing that your tightened up code would reduce this time.

    Thanks

  13. 15 ian March 25, 2009 at 1:45 pm

    Complete Newbie here….

    I want to search our users for those with a Particular Company attribute, and then change them to have a different company attribute… Any help would be great!!…..

  14. 16 Dmitry Sotnikov March 25, 2009 at 1:58 pm

    Ian,

    Is the attribute among the ones exposed Get-QADUser and Set-QADUser parameters?

    If yes, then it is trivial, e.g.:

    Get-QADUser -City “Chicago” | Set-QADUser “Mumbai”

    If not, then use the ObjectAttributes parameter:

    Get-QADUser -ObjectAttributes @{l=’Chicago’} | Set-QADUser -ObjectAttributes @{l=’Mumbai’}

    Please ask any questions at our PowerShell support forums: http://powergui.org/forumindex.jspa?categoryID=55 – the guys over there are normally much faster to respond than I am.🙂

    Dmitry

  15. 17 Thomas June 30, 2009 at 11:28 am

    Hi,
    how can clear the attribute “msrassavedframedipaddress”? When I try to use:

    Get-QADUser USERNAME| Set-QADUser -ObjectAttributes @{msrassavedframedipaddress=$null}

    I do get an access denied error. The user performing the command is a domain administrator.

    Thomas

  16. 18 Dima78 February 17, 2010 at 12:19 am

    Hi,

    What is the easiest way with Powershell to add/append a period “.” to current Middle Initials in AD that don’t have it. Forexample:

    I <<<wrong
    I. <<<correct

    Thank You,

    Dima

  17. 20 Tony O'Grady February 2, 2011 at 5:10 pm

    Thanks. This was really useful for me today.

  18. 21 Herbert Knavs May 18, 2011 at 8:39 am

    Hi

    I would like to change CN attribute of an user object.
    When I change for example firstname, I would like also update the “displayName” used in ADUC to reflect this change.
    I believe that changing CN would do that.
    In VBS I could use move object with a new full name and use the samu OU to acomplish this, but move in PS seems to take only OU for destination (or I did something wrong).

    Does anyone have a sollution?

    Thanl you in advance

    • 22 Dmitry Sotnikov May 18, 2011 at 1:33 pm

      Herbert,

      Rename-QADObject [http://wiki.powergui.org/index.php/Rename-QADObject] to change object CN / DN.

      To change Display Name, simply use Set-QADUser -DisplayName [http://wiki.powergui.org/index.php/Set-QADUser]

      If you still have questions, post these to our PowerShell and AD forum here: http://powergui.org/forum.jspa?forumID=173

      Dmitry

  19. 23 John March 22, 2014 at 9:51 am

    I have a situation where I need to read SAMAccountName from a file and populate extension attribute 15 for each user. The SAMAccountName value would go into extension attribute 15. What is the best way to do that? Thank you in advance.

    • 24 Dmitry Sotnikov March 23, 2014 at 10:37 am

      John, I guess this will be along the lines of:

      Get-Content “c:\samaccountnames.txt” | ForEach-Object { Set-QADUser $_ -ObjectAttributes @{extensionattribute1=$_}}

      I do not have a lab handy to test this. If this does not work, try asking in the forums at powergui.org


  1. 1 The PowerShell resource | 化茧成蝶 Trackback on December 16, 2009 at 6:46 am
  2. 2 Get Any AD User or Computer Object Property in PowerShell, Quickly! « Lange's Tech Musings Trackback on January 28, 2010 at 3:24 pm
  3. 3 Favorite Blog for Powershell stuff | Live@EDU Pearls Trackback on April 22, 2011 at 3:11 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




My Recent Tweets

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

July 2007
M T W T F S S
« Jun   Aug »
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

%d bloggers like this: