Ezine 169 – Preparing PowerShell to Script Active Directory

The purpose of this week’s ezine is to prepare PowerShell for interrogating and modifying users in Active Directory.  (Example 2b now corrected)

This Week’s Secret

Recently I painted a few rooms in my house; the hardest part was the preparation: washing the walls, filling the holes and putting on the undercoat.  It is the same when scripting Active Directory with PowerShell: preparation is the key.  You need to download PowerShell, install the QAD snap-ins and set the execution policy.  Once you have completed this one-off preparation, the QAD cmdlets make scripting Active Directory so much easier than using VBScript.

This Week’s Mission

My ultimate goal is to reset passwords for a bunch of users using PowerShell with the QAD snap-in.  However, as the saying goes, ‘There’s many a slip between cup and lip’.  What I mean is that if my readers aren’t prepared, or misunderstand an instruction, then I can see them creating a PowerShell script that changes the password for ALL their users.  This would result in serious embarrassment on a production network, especially if the network administrator cannot remember the new password!

I hope that you now understand why my mission will be a two-stage process.  These are my objectives for this week: firstly, to install the QAD snap-ins; secondly, to create ‘safe’ scripts which merely get information about the users, or set values only in the insignificant ‘Description’ field.

Next week’s mission will be to change passwords.

Objective 1 – QAD Preparation Checklist

Readers will be at different stages in their PowerShell career, so I want to provide a checklist for the complete beginner; those with experience can skip the first step(s).

a) Download, then install both PowerShell and .Net Framework (from Microsoft’s site)
Note: XP, Vista, and Windows Server 200x each requires a different version of PowerShell.

b) Download the QAD (Quest Active Directory) cmdlets.

c) Before you can run any cmdlets, adjust the script execution policy, type this at the PowerShell command-line:
set-ExecutionPolicy remotesigned 

d) ‘Wire-up’ the QAD cmdlets with the command:
add-PSSnapin quest.activeroles.admanagement

e) Now your QAD cmdlets are available, and ready for action.
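Steps c) to e) are a one-off, but they are also the steps that most often go wrong silently: the execution policy is still Restricted, or Add-PSSnapin is run twice and errors out.  The following is an added example, not code from the ezine, that checks each step and stops with a clear message if the QAD cmdlets are not usable.  It assumes PowerShell v1 and the snap-in name given in step d); the version string it prints is whatever your Quest download reports.

```powershell
# Added example (not from the original ezine): verify the one-off QAD preparation.
# Assumes the Quest snap-in name from Objective 1, step d).

# 1. Scripts (.ps1 files) will not run while the policy is Restricted.
#    Report it rather than changing it silently; the change needs an admin prompt.
$policy = Get-ExecutionPolicy
if ($policy -eq "Restricted") {
    Write-Warning "Execution policy is Restricted. Run: Set-ExecutionPolicy RemoteSigned"
}

# 2. Load the snap-in only if it is not already loaded; a second Add-PSSnapin
#    for the same name raises an error.
$snapin = "Quest.ActiveRoles.ADManagement"
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $snapin -ErrorAction Stop
}

# 3. Confirm the featured cmdlet is really available before any script relies on it.
if (Get-Command Get-QADUser -ErrorAction SilentlyContinue) {
    "QAD cmdlets ready, snap-in version " + (Get-PSSnapin $snapin).Version
} else {
    throw "Get-QADUser not found; re-check the QAD download in Objective 1, step b)."
}
```

Run this once per PowerShell session before any of the examples below; if it throws, nothing further on this page will work, and the message tells you which step to revisit.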

Extra Instructions to Run PowerShell Code

If you have not used PowerShell before, here are step-by-step instructions to execute commands.

Method 1 (Quick)

  • Launch PowerShell
  • Copy the code into memory
    (For instance, from Example 1 below)
  • Right-click on the PowerShell symbol
  • Edit –> Paste
  • Press enter to execute the code
  • See screenshot to the right


Method 2 (Best)

  • Prepare to run cmdlets with this PowerShell command:
    set-ExecutionPolicy RemoteSigned
  • Copy the code below into a text file.
  • Save the file with a .ps1 extension, for example: MyOu.ps1
  • In PowerShell, navigate to where you saved MyOu.ps1
  • Issue this command:
    .\MyOu.ps1
    (dot backslash filename)

Objective 2 – To Get Information About Active Directory Users

This week’s featured command is Get-QADUser.  Let us assume that you have achieved Objective 1; this is all you need to do before running my script:

a) Connect to Active Directory; the best option is to log on at a domain controller in a test network.  (Virtual PC?)

b) Find the variable $OU in my script, then amend its value to reflect your domain and your Organizational Unit.  You may need a little extra work in creating an OU and a handful of users.

Example 1 – List Users in a Named OU

# PowerShell script to list Active Directory users in a named OU
# Author: Guy Thomas
# Version 1.4 July 2008 tested on PowerShell v 1.0

$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU

Note 1:   -SearchRoot is the key parameter which connects to Active Directory.

Note 2:   You did change the value of $OU – didn’t you?  Also remember that these QAD cmdlets don’t exist in the initial PowerShell install; they are only available after you successfully run: add-PSSnapin quest.activeroles.admanagement.  If your script does not work, refer back to Objective 1.

Example 2a – How to Discover the Names of a User’s Properties

These QAD cmdlets are designed to fit seamlessly into PowerShell; for example, we can apply our trusty interrogation techniques such as get-help get-QADUser.

# PowerShell script to list a User’s Properties
# Author: Guy Thomas
# Version 1.1 July 2008 tested on PowerShell v 1.0

get-Help get-QADUser

Note 1:  I suggest you try my parallel learning technique and match the user properties revealed by QADUser, with the property sheet that you see in Active Directory Users and Computers.

Example 2b – How to List a User’s Property (Corrected version)

As with many of my scripts, there are two learning threads in this example, a real-life objective (Listing user properties) and also learning PowerShell techniques (Piping and word-wrap).

# PowerShell script to list users and their descriptions
# Author: Guy Thomas
# Version 1.1 July 2008 tested on PowerShell v 1.0

$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU `
| format-Table FirstName, LastName, description -auto

Note 1:  The unusual backtick symbol (`) means, wrap the command to the next line.

Note 2:  The pipe symbol (|) is PowerShell’s signature tune; it means push the output of the first clause (get-QADUser) into this next command (format-Table).

Challenges: If I were you I would take a timeout to add values to your users’ property sheets, e.g. LastName, Description, also Manager and Location.

The second part of my challenge is to put into practice what we learned with get-help get-QADUser, namely to add different fields to my Example 2b, for example Company or Office.

Objective 3 – To Set a Value for a User’s LDAP Field Called ‘Description’

My objectives here are twofold: firstly, to practice scripting Active Directory in a relatively harmless fashion.  Changing a user’s property called ‘Description’ is less intrusive than changing their password.

Secondly, if we add a known description to just a few test users then we have a handle to filter Active Directory.  Just to emphasise: the benefit of having a description is that we have an extra control to prevent a rogue script changing everybody’s password.  Next week I want to create a script which says, ‘If Description = xyz, then change the password’.

# PowerShell script to change a user’s description
# Author: Guy Thomas
# Version 1.1 July 2008 tested on PowerShell v 1.0

clear-host
$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU `
| set-QADUser -Description "Supremo" `
| FT FirstName, LastName, description, company, office -auto

Note 1:  Never miss a chance to learn a PowerShell verb; mostly you employ ‘get’, but observe that here we also employ the more useful ‘set’.

Note 2:  See how I reinforce the idea of piping (|): the output of ‘set’ becomes the input of FT, which stands for format-Table.

Note 3:  Clear-Host is both optional and cosmetic; it merely clears the screen.

Challenge:  You could try changing two, or more properties with the same set command, for example, set-QADUser -Description "Supremo" -Company "Our Company"
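The script above pipes every user under $OU straight into set-QADUser, so a mistyped $OU on a production domain controller would re-describe far more users than intended.  Here is an added example, not from the ezine, that applies the ‘extra control’ idea from this objective before a write happens: it collects the users first, shows them, refuses to proceed above a small test ceiling, asks for confirmation, and only then sets the description.  It assumes the QAD snap-in is loaded (Objective 1) and that you have changed $OU to a test OU; the ceiling of 5 and the tag "Supremo" are the page’s own value and a constructed limit respectively.

```powershell
# Added example (not from the original ezine): bound the scope of set-QADUser
# before anything is written. Assumes Objective 1 is complete and $OU is a TEST OU.
$OU          = "YourDomName/YourOu"   # change this to your test OU
$Description = "Supremo"              # the tag later scripts will filter on
$MaxUsers    = 5                      # constructed ceiling for a test run

# Collect first. A pipeline straight into set-QADUser leaves no chance to inspect.
$targets = @(Get-QADUser -SearchRoot $OU)

"About to set Description = '$Description' on $($targets.Count) user(s) under $OU"
$targets | Format-Table FirstName, LastName, Description -auto

# Two guard rails: nothing found (wrong path) and too many found (wrong scope).
if ($targets.Count -eq 0) { throw "No users found under '$OU'; check the path." }
if ($targets.Count -gt $MaxUsers) {
    throw "Refusing: $($targets.Count) users exceeds the test ceiling of $MaxUsers."
}

# Explicit confirmation; anything other than YES changes nothing.
$answer = Read-Host "Type YES to continue"
if ($answer -ne "YES") { "Aborted, nothing changed."; return }

# Now the write, scoped to the objects already displayed above.
$targets | Set-QADUser -Description $Description |
    Format-Table FirstName, LastName, Description -auto

# The tag now gives a narrower filter than the whole OU for next week’s script.
Get-QADUser -SearchRoot $OU | Where-Object { $_.Description -eq $Description } |
    Format-Table FirstName, LastName, Description -auto
```

The same pattern (collect, display, cap, confirm, write, re-read) is the one to reuse when the ‘set’ is a password reset rather than a description; the Where-Object filter at the end is the ‘If Description = xyz’ test in working form, using only standard PowerShell so it does not depend on which attribute parameters your QAD version exposes.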

Summary of Preparing PowerShell to Script Active Directory

Before you can manipulate Active Directory objects such as users, you must prepare the ground by downloading and installing the QAD snap-ins.  Once you have completed this one-off task, scripting Active Directory with PowerShell becomes incredibly easy.
