I know the Quest cmdlets are out there, and in Windows 2008 R2 you have the AD cmdlets; however, in case you still have to do things manually, it’s good to know how to do things through PS – the long way. Here are some snippets I wrote for my current gig. This one reads the memberOf attribute of a user or group object. Handy if you want to quickly see which groups a user belongs to.
```powershell
function get-memberof {
    Param($name)
    $filter = "(samaccountname=$name)"

    # Use global catalog to query active directory
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $objDomain = [ADSI]"GC://$($dom.Name)"

    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $filter
    $results = $objSearcher.FindOne()

    if ($results -ne $null)
    {
        $entry = $results.GetDirectoryEntry()
        # memberOf is multi-valued: one distinguished name per group
        $groups = $entry.memberof

        foreach ($group in $groups)
        {
            Write-Host $group
        }
        $object = $groups
    }
    else
    {
        $object = "object not found."
    }
    return $object
}
```

Another useful snippet updates or clears user attributes. Here I use ADSI directly, which lets me pick the flag for whichever operation I need. Below are the flags.
```powershell
# Operation codes for IADs.PutEx (ADS_PROPERTY_OPERATION_ENUM)
[int] $ADS_PROPERTY_CLEAR  = 1   # remove every value of the attribute
[int] $ADS_PROPERTY_UPDATE = 2   # replace the current values
[int] $ADS_PROPERTY_APPEND = 3   # add values to a multi-valued attribute
[int] $ADS_PROPERTY_DELETE = 4   # remove only the values given

function update-user {
    Param($adspath, $title, $description)

    $user = [ADSI]"$adspath"
    $user.Put("title", $title)
    $user.Put("description", $description)
    $user.SetInfo()   # nothing reaches the directory until SetInfo()
    Write-Host "Updating object successfully."
}
```

I’ve never been one to be dependent on third-party plug-ins... yes, I know Quest has cool cmdlets for this. But doing it yourself is still way cooler. Search users using System.DirectoryServices.
```powershell
function find-user {
    Param($user)

    $filter = "(&(objectclass=user)(samaccountname=$user))"

    # Specify search domain or directly query a global catalog
    #$dn = 'LDAP://dc=dogfood,dc=identityjunkie,dc=com'
    #$objDomain = New-Object System.DirectoryServices.DirectoryEntry($dn)

    # Use global catalog to query active directory
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $objDomain = [ADSI]"GC://$($dom.Name)"

    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $filter
    $results = $objSearcher.FindOne()

    if ($results -ne $null)
    {
        $entry = $results.GetDirectoryEntry()

        $hash = @{
            ObjectCategory     = $entry.objectcategory
            ObjectClass        = $entry.objectclass
            DN                 = $entry.distinguishedname.ToString()
            FirstName          = $entry.givenname.ToString()
            LastName           = $entry.sn.ToString()
            Initials           = $entry.initials.ToString()
            Username           = $entry.samaccountname.ToString()
            DisplayName        = $entry.displayname.ToString()
            Upn                = $entry.userprincipalname.ToString()
            Email              = $entry.mail.ToString()
            Title              = $entry.title.ToString()
            Department         = $entry.department.ToString()
            Description        = $entry.description.ToString()
            EmployeeID         = $entry.employeeid.ToString()
            UserAccountControl = $entry.useraccountcontrol.ToString()
        }
    }
    else
    {
        $hash = @{
            ErrLog = " $user does not exist in directory.`n"
        }
    }
    $user = New-Object PSObject -Property $hash
    return $user
}
```

Note: in the $hash = @{ ... } block I’m using a hash table to build out my PSObject, which makes life easier in PowerShell 2.0.
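Both get-memberof and find-user splice the caller’s value straight into the LDAP filter string, so a name containing *, (, ) or \ changes the meaning of the query instead of being matched literally. The following is an added example, not code from the original post, that escapes the value per RFC 4515 before building the same filter shape; ConvertTo-LdapFilterValue, New-UserFilter and the sample names are my own constructions.

```powershell
# Escape a string for use as an attribute value inside an LDAP search filter
# (RFC 4515, section 3). Added example; not part of the original post.
function ConvertTo-LdapFilterValue {
    Param([string]$Value)

    # Characters with special meaning in a filter and their \XX escapes
    $map = @{ '*' = '\2a'; '(' = '\28'; ')' = '\29'; '\' = '\5c'; "`0" = '\00' }

    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $key = [string]$ch
        if ($map.ContainsKey($key)) {
            [void]$sb.Append($map[$key])
        } else {
            [void]$sb.Append($ch)
        }
    }
    return $sb.ToString()
}

# Same filter shape as find-user, with the value escaped first
# (hypothetical helper name, not from the original post)
function New-UserFilter {
    Param([string]$SamAccountName)
    $escaped = ConvertTo-LdapFilterValue -Value $SamAccountName
    return "(&(objectclass=user)(samaccountname=$escaped))"
}

# Constructed sample inputs: a plain name, a wildcard, parentheses and a
# domain-style backslash, each of which would otherwise alter the filter
$samples = @('jsmith', 'j*', 'smith (contractor)', 'corp\jsmith')
foreach ($s in $samples) {
    '{0,-20} -> {1}' -f $s, (New-UserFilter -SamAccountName $s)
}
```

Assigning the result of New-UserFilter to $objSearcher.Filter in find-user keeps the rest of that function unchanged; the DirectorySearcher sees only the escaped bytes.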
