PowerShell and QADUser

PowerShell and QADUser

A company called Quest provides an extra snap-In for PowerShell.  The idea is for these Active Directory cmdlets to work alongside the native PowerShell commands.  As a result we can examine users’ properties, and with care, change values and even reset their passwords.

Topics for PowerShell’s QADUser

• Example 1:  Getting to know QADUser
• Example 2:  List Users in a Named OU
• Example 3: Change the Value for the User’s Property with Set-QADUser
• Example 4: QAD Script to Change Passwords
• Example 5: Changing the Passwords with UserMustChangePassword

 ♣

Example 1: Getting to Know QADUser

Note 1:  There is a rich seam of verbs that you can apply to QADUser.  You can examine the user with ‘get’, then configure them with ‘set’, ‘enable’ or ‘unlock’.  To facilitate a bulk import of users from a spreadsheet there is also, ‘new-QADUser’.

Objective:  To Get Information About Active Directory Users

Let us assume that you have fulfilled the above pre-requisites, now there are just two things to do before my scripts will work:

a) Connect to Active Directory, best would be to logon at a domain controller in a test network.  Remote connection works well, and you could try Virtual PC for your test network.

b) Find the variable $OU in my script(s); then amend its value to reflect your domain and your Organizational Unit.  You many need a little extra work with Active Directory Users and Computers in creating an OU and a handful of users.

Example 2: List Users in a Named OU

The key command here is Get-QADUser.

Note 1: -SearchRoot is the parameter which connects to Active Directory.

Note 2:   You did change the value of $OU – didn’t you?  Also Remember that these QAD cmdlets don’t exist in the initial PowerShell install, they are only available after you successfully run: add-PSSnapin quest.activeroles.admanagement.  If your script does not work refer back to the pre-requisites.

Note 3:  DN, SID, GUID, UPN or Domain\UserName

Guy Recommends:  SolarWinds’ Free Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.

Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.

Example 2a: How to Discover the Names of a User’s Properties

These QAD cmdlets are designed to fit seamlessly into PowerShell, for example we can apply our trusty interrogation techniques such as, Get-Help Get-QADUser.

Note 1:  I suggest you try my parallel learning technique, and match the user properties revealed by QADUser, with the property sheet that you see in Active Directory Users and Computers.

Note 2:  PowerShell’s help tells us that you can connect to an individual user if you know their: Domain\UserName, DN (Distinguished name) or UPN (victim@yourdom.com).

Example 2b: How to List a User’s Property with Get-QADUser

As with many of my scripts, there are two learning threads in this example, a real-life objective (Listing user properties) and also learning PowerShell techniques (Piping and word-wrap).

Important Preparation:  Change the value of $OU.  "YourDomName/YourOu" is unlikely to work on your domain, so adjust this value.  Any doubts of the name, consult your Active Directory Users and Computers.

Note 1:  The unusual backtick symbol (`) means, wrap the command to the next line.

Note 2:  The pipe symbol (|) is PowerShell’s signature tune; it means push the output of the first clause (Get-QADUser) into this next command (Format-Table).

Challenges: If I were you I would take a timeout to add values to your user’s property sheet, e.g. LastName, or DisplayName.

The second part of my challenge is to put into practice what we learned with Get-Help QADUser, namely to add different fields from my example 2b, for example, Company or Office.  Here is further advice on researching these LDAP properties.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v11.5

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Example 3: Change the Value for the User’s Property with Set-QADUser

My objectives here are twofold, firstly, to practice scripting Active Directory in a relatively harmless fashion.  For instance, changing a user’s property called ‘DisplayName’ is less intrusive than changing their password.

Secondly, if we add a text string to displayName then we have a ‘handle’ to filter Active Directory.  Just to emphasise that the benefit of having a known value for displayName is that we have an extra control to prevent a rogue script changing everybody’s password. 

Important Preparation:  As with example 2, you need to edit the this line:
$OU = "YourDomName/YourOu"

Note 1: Never miss a chance to learn a PowerShell verb; mostly we employ, ‘get’, but observe that here we also employ the more active ‘set‘.

Note 2:  See how I reinforce the idea of piping (|); for example, the output of ‘set’ becomes the input of FT, which stands for Format-Table.

Timeout: Investigate -SearchScope

Before we are ready to experiment with the -SearchScope parameter, I invite you to create a child OU underneath "YourDomName/YourOu".  Next, create few new test accounts in the child OU. 

Amend this line of example 3: Get-QADUser -SearchRoot $OU -SearchScope ‘OneLevel’ `

Next try ‘SubTree’: Get-QADUser -SearchRoot $OU -SearchScope ‘SubTree’ `

Example 4: QAD Script to Change Passwords

Here is a script which sets the password for users.  The variable $OU specifies the precise location of the user accounts targeted in your domain.

Be aware:  This script has two safety catches.  Firstly, it changes only users with a particular value for DisplayName; secondly I use the -whatIf parameter to test the output.  If the script does as you wish, then remove the last line.

Note 1:   Set-QADUser has different properties from Get-QADUser, for example, ‘set’ has a property called -userPassword.

Note 2:  As mentioned previously, this script has ‘where-Object’ clause which acts an extra check that you are changing the users with a particular displayName.  Once you understand how this script works, you could remove the ‘where-Object’ clause.

Guy Recommends: SolarWinds Engineer’s Toolset v10

This Engineer’s Toolset v10 provides a comprehensive console of 50 utilities for troubleshooting computer problems.  Guy says it helps me monitor what’s occurring on the network, and each tool teaches me more about how the underlying system operates.

There are so many good gadgets; it’s like having free rein of a sweetshop.  Thankfully the utilities are displayed logically: monitoring, network discovery, diagnostic, and Cisco tools.  Try the SolarWinds Engineer’s Toolset now!

Download your fully functional trial copy of the Engineer’s Toolset v10

Example 5:  Changing the Passwords with UserMustChangePassword

Beware:  This script has NO safety catch.  If you prefer, you could begin by appending the -whatIf parameter to the last line, as in the the script above.

Preliminary step, investigate the parameters with the command:
Get-Help Set-QADUser. 

Result of above research:   UserMustChangePassword sounds interesting.  Incidentally, this PowerShell parameters seem much friendlier than the equivalent pwdLastSet and userAccountControl of VBScript.

Note 2: Setting ‘userMustChangePassword 1’ looks easy, and seems logical enough.  However, I only hit upon this value of numeric one after failing with = "Yes", True, and "1".  You need just plain 1 with no speech marks, and no equals sign.

Note 3:   Observe just how I just appended the -userMustChangePassword parameter.  Did I use a comma?  No.  A semi-colon?  No.  Just straightforward userMustChangePassword 1.

Warning:  If you are not sure of what’s happening here, I strongly recommend that you append -whatIf. 

For those who know what they are doing it is possible to create a script which changes all Active Directory accounts.  The secret is to persuade the script to start at the domainRoot/.  The way you achieve this dangerous task is to shorten the line:
$OU = "YourDomName/YourOu", to
$OU = "YourDomName/".  

The result would be a script which could ‘get’, or ‘set’ all the accounts.

See QAD Computer tasks »

Summary of PowerShell QADUser

There is a whole family of QADUser commands each preceded with a different verb.  The two cmdlets that I feature on this page are ‘get’ and ‘set’.   As for learning progression, research how to extract existing properties, then try ‘setting’ innocuous properties such as DisplayName.  Once you have mastered the basics and stumbled upon the ‘WhatIf, then you can tackle real tasks such as changing users’ passwords.

See more PowerShell QAD Scripts

• PowerShell Home   • Quest QAD   • QADUser   • QADGroup   • QADComputer

• Export-CSV   • Import CSV   • QAD Password   • Add-PSSnapin   • Free Import User CSVDE Tool

• Get-AdUser -filter   • Windows PowerShell   • Windows PowerShell .Net

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.