Google
 

Friday, January 30, 2009

Working with Active Directory using PowerShell

Working with Active Directory is one of the important administrative tasks. VBSctipt was the most used language for administartors to automate repetitive tasks.
Now, windows PowerShell is the future, so it's important to know how to use it to work with Active Directory.
I'll provide a simple example that should clarify some concepts. In this scenario, it's required to set the email attribute of all users under a certain OU (Organaizational Unit) in the format: sAMAccountname@domainname.com and output the results to a text file.
PowerShell 1.0 does not have specific built in Cmdlets to handle active directory objects. But it has a basic support for [ADSI]. This will not limit us as we still can use the .net class library easly in PowerShell.
Here is how the code works:


  • First we decclare a variable that holds the output file path:
    $filePath = "c:\MyFile.txt"

  • Then, create the root directory entry which represents the OU that we need to modify users under it. Note the LDAP: it tells: get the OU named "MyOU" from the domain "win2008.demo"
    $rootOU=[ADSI]"LDAP://ou=MyOU,dc=win2008,dc=demo"

  • We need to get all users under this OU, so we create a .net directory searcher instance using New-Object Cmdlet
    $searcher= New-Object System.DirectoryServices.DirectorySearcher

  • Setting the root of the search to the OU and the filter to find users only. and start to find all objects that match the filter:
    $searcher.searchroot=$rootOU
    $searcher.Filter = "objectclass=user"
    $res=$searcher.FindAll()

  • Initializing the output file by writing the string "Emails"
    "Emails:" Out-File -FilePath $filePath

  • Iterating on the results:
    foreach($u in $res)

  • Getting the user object and setting the mail attribute, and committing:
    $user = $u.GetDirectoryEntry()
    $name=$user.sAMAccountname
    $user.mail="$name@win2008.demo"
    $user.SetInfo()

  • Appending the mail to the output file (note the append parameter):
    $user.mail Out-File -FilePath $filePath -append

You can save these commands to a .ps1 file and execute from PowerShell, for example:
c:\filename.ps1
note that you need to execute Set-ExecutionPolicy RemoteSigned first.

And here is the complete code listing, note that no error checking or handling is included for simplicity.


#Set-ExecutionPolicy RemoteSigned

$filePath = "c:\MyFile.txt"

$rootOU=[ADSI]"LDAP://ou=MyOU,dc=win2008,dc=demo"

$searcher= New-Object System.DirectoryServices.DirectorySearcher

$searcher.searchroot=$rootOU
$searcher.Filter = "objectclass=user"

$res=$searcher.FindAll()

"Emails:" Out-File -FilePath $filePath
foreach($u in $res)
{
$user = $u.GetDirectoryEntry()

$name=$user.sAMAccountname
$user.mail="$name@win2008.demo"
$user.SetInfo()

$user.mail Out-File -FilePath $filePath -append

$user.psbase.Dispose()


}
$rootOU.psbase.Dispose()
$res.Dispose()
$searcher.Dispose()

Thursday, January 1, 2009

Articles I read in 2008

It's a new year, and it's time to share a list of most articles I read the last year. Hopefully you find it interesting and useful.

2007 list can be fond here