Yesterday we learned how to get Active Directory (AD) usernames out of a list of full names, something that can come in handy if HR sends a long list of users that need to have their manager changed to Bob. Today we will learn how to perform mass changes using this list of AD usernames we generated yesterday.
- Starting off we need to allow unsigned scripts to run on the system, since we will be creating an unsigned script (This might already be enabled). Launch PowerShell as administrator and run the following:
1Set-ExecutionPolicy RemoteSigned - Copy the following script and save it as <scriptname>.ps1. I found this script online somewhere and take no credit for writing it. Take note of line 42 which contains the word “Manager”. This is the AD property that we want to change. We also need to change line 5, which contains the name of the Domain Controller, as well as the Organizational Unit (OU) that we want to change.
12345678910111213141516171819202122232425262728293031323334353637383940414243444546## General Parameters## Adjust $container and $csvPath for what you are doing## You can change "CN" below to something different, for example CN=Computers to modify computer AD objectsparam($container = $("LDAP://labserver.testlab.com:389/CN=Users,DC=testlab,DC=com"),$csvPath = $("./ChangeUsers.csv"))## Load the CSV$UserDetails = @(Import-Csv $csvPath)if($users.Count -eq 0){return}## For debugging uncomment below and verify LDAP connection to domain## Write-host "Connected to:$Container"foreach($UD in $UserDetails) {## Find user from AD listed in CSV$UN = $UD.sAMAccountName## List attributes to be modified$Custom2 = $UD.Custom2## For debugging uncomment below and verify information being read from .csv## Write-host "User: $UN Attribute: $Custom2"## Search domain and find user read from .csv$searcher = new-object DirectoryServices.DirectorySearcher$searcher.SearchRoot = $container$searcher.filter = "(&(objectClass=User)(sAMAccountName=$UN))"$object = $searcher.FindOne()## Perform error checking on searchif ($object -eq $null){Write-host "Cannot find $UN in Active Directory"}else{$ChangeUser = $object.GetDirectoryEntry()## Write information to user's profile## After 'Put' we type the variable we want to change in AD. In this case employeeNumber$ChangeUser.Put("Manager", $Custom2)$ChangeUser.setinfo()Write-host "Processed user: $UN. Getting Next User......."}} - This blog post from Microsoft contains a great list of most AD properties and their names. I recommend printing it out as it can be handy if you do a lot of scripting work in Windows. To find custom properties that were added manually open up ADSI Edit. In the below example we see the user “Reset1” and right click > Properties to see all the attributes associated with the account. Anything custom should show up in the list as well. Make a note of the attribute you want to change, and replace the value “Manager” in line 42 in step 2 above.
- Create a spread sheet and save it as a Comma delimited file with the name: ChangeUsers.csv in the same folder as the .ps1 script file we created earlier. In cell A1 put “sAMAccountName”. In cell B1 put “Custom2”. Then paste the list of users in column A, and the desired value of the AD property you want to change in column B:
- Go back to PowerShell and execute the .ps1 file just created:
- It will then go through the list of users in the .csv file and change them one by one. If everything worked you should not have received any error messages. If you got errors check the following:
• Make sure you run PowerShell with admin rights
• Check that you can reach the Domain Controller
• The .ps1 script and the .csv file needs to be in the same directory (ex. C:\Scripts)
• The .csv file needs to be named ChangeUsers.csv - Test, test and test again before you decide to run this in production. Always run in a lab first!
