Google
 

Friday, January 30, 2009

Working with Active Directory using PowerShell

Working with Active Directory is one of the important administrative tasks. VBSctipt was the most used language for administartors to automate repetitive tasks.
Now, windows PowerShell is the future, so it's important to know how to use it to work with Active Directory.
I'll provide a simple example that should clarify some concepts. In this scenario, it's required to set the email attribute of all users under a certain OU (Organaizational Unit) in the format: sAMAccountname@domainname.com and output the results to a text file.
PowerShell 1.0 does not have specific built in Cmdlets to handle active directory objects. But it has a basic support for [ADSI]. This will not limit us as we still can use the .net class library easly in PowerShell.
Here is how the code works:


  • First we decclare a variable that holds the output file path:
    $filePath = "c:\MyFile.txt"

  • Then, create the root directory entry which represents the OU that we need to modify users under it. Note the LDAP: it tells: get the OU named "MyOU" from the domain "win2008.demo"
    $rootOU=[ADSI]"LDAP://ou=MyOU,dc=win2008,dc=demo"

  • We need to get all users under this OU, so we create a .net directory searcher instance using New-Object Cmdlet
    $searcher= New-Object System.DirectoryServices.DirectorySearcher

  • Setting the root of the search to the OU and the filter to find users only. and start to find all objects that match the filter:
    $searcher.searchroot=$rootOU
    $searcher.Filter = "objectclass=user"
    $res=$searcher.FindAll()

  • Initializing the output file by writing the string "Emails"
    "Emails:" Out-File -FilePath $filePath

  • Iterating on the results:
    foreach($u in $res)

  • Getting the user object and setting the mail attribute, and committing:
    $user = $u.GetDirectoryEntry()
    $name=$user.sAMAccountname
    $user.mail="$name@win2008.demo"
    $user.SetInfo()

  • Appending the mail to the output file (note the append parameter):
    $user.mail Out-File -FilePath $filePath -append

You can save these commands to a .ps1 file and execute from PowerShell, for example:
c:\filename.ps1
note that you need to execute Set-ExecutionPolicy RemoteSigned first.

And here is the complete code listing, note that no error checking or handling is included for simplicity.


#Set-ExecutionPolicy RemoteSigned

$filePath = "c:\MyFile.txt"

$rootOU=[ADSI]"LDAP://ou=MyOU,dc=win2008,dc=demo"

$searcher= New-Object System.DirectoryServices.DirectorySearcher

$searcher.searchroot=$rootOU
$searcher.Filter = "objectclass=user"

$res=$searcher.FindAll()

"Emails:" Out-File -FilePath $filePath
foreach($u in $res)
{
$user = $u.GetDirectoryEntry()

$name=$user.sAMAccountname
$user.mail="$name@win2008.demo"
$user.SetInfo()

$user.mail Out-File -FilePath $filePath -append

$user.psbase.Dispose()


}
$rootOU.psbase.Dispose()
$res.Dispose()
$searcher.Dispose()

1 comment:

Anonymous said...

Hi Hesham,
I found you very interesting person. I have a little programming problem that I carried with me for weeks. I google it and their came your answer and was right. I would like to share a lot of things with you. If you have no problem with that, email me. My name is Allen (Adil). I am from Egyptian background, too, but I lived out of Egypt almost all of my life. I lived in the USA (CA and then TX) for 28 years. My email is allen_maki@yahoo.com.