
Making AD Changes using PowerShell

Note – This post deals with making bulk changes to Active Directory. If you’re not careful you could really screw things up. Always test in a lab before making such changes in production.

I recently had a situation where I had to change the numeric value of the Department attribute in Active Directory and then move it to the extensionAttribute1 attribute. Below are the steps I went through to accomplish this.

Note – Some of these might seem weird but they were things I had to do that were specific to the environment.

You will need to install the Quest ActiveRoles Management Shell for Active Directory. (http://www.quest.com/powershell/activeroles-server.aspx)

All the values in the Department field were between 10000 and 10999. I needed to add 1000 to each one to make the values between 11000 and 11999. Before I did anything I wanted to export the current values. I opened ActiveRoles Management Shell for Active Directory & ran the following command.

Get-QADUser -SizeLimit 0 -IncludedProperties extensionAttribute1 -LdapFilter '(|(department=*)(extensionAttribute1=*))' | select name,samAccountName,dn,department,extensionAttribute1 | Export-Csv C:\Temp\export.csv

I did a little spot checking in the CSV file just to make sure all the data looked good. Then I ran the following script to add 1000 to each value. (You’ll need to save this to a .ps1 file & run it.)

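# The LDAP filter matches any department value that begins with "10".
# "-as [int]" returns $null for non-numeric values, so those users are skipped.
Get-QADUser -SizeLimit 0 -LdapFilter '(department=10*)' | ForEach-Object {
    if ($ea1 = $_.department -as [int])
    {
        Set-QADUser -Identity $_ -ObjectAttributes @{department=($ea1+1000)}
    }
}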

To make sure there were no more numbers in the 10000s I ran the following command which returned no results as expected.

Get-QADUser -SizeLimit 0 -LdapFilter '(department=10*)' | select name,department,extensionAttribute1

Next I needed to copy the values from the Department attribute to extensionAttribute1. I ran the following script.

# Copy the (now 11xxx) department value into extensionAttribute1.
Get-QADUser -SizeLimit 0 -IncludedProperties extensionAttribute1 -LdapFilter '(department=11*)' | ForEach-Object {
    if ($ea1 = $_.department -as [int])
    {
        Set-QADUser -Identity $_ -ObjectAttributes @{extensionAttribute1=$ea1}
    }
}

Finally I removed the values from the department attribute by running the following script.

# Clear the department attribute on every user whose value begins with "11".
Get-QADUser -SizeLimit 0 -LdapFilter '(department=11*)' | ForEach-Object {
    if ($ea1 = $_.department -as [int])
    {
        Set-QADUser -Identity $_ -ObjectAttributes @{department=''}
    }
}
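
A read-only check of the finished migration against the pre-change export, added here as an example and not part of the original post. It assumes it is run in the same ActiveRoles Management Shell, that C:\Temp\export.csv is the file written by the export step above, and that C:\Temp\verify.csv is a free output path (an assumed name).

```powershell
# Added example: verify every exported account against its expected end state.
$ExportPath = 'C:\Temp\export.csv'   # written by the export step in the post
$ReportPath = 'C:\Temp\verify.csv'   # assumed output path for this example

$report = foreach ($row in Import-Csv $ExportPath) {
    $old = $row.department -as [int]
    # Only values in the 10000-10999 range were meant to be shifted and moved.
    $inRange = ($null -ne $old) -and ($old -ge 10000) -and ($old -le 10999)

    if ($inRange) {
        $wantDept = ''
        $wantEa1  = [string]($old + 1000)
    } else {
        # Anything else should look exactly as it did in the export.
        $wantDept = [string]$row.department
        $wantEa1  = [string]$row.extensionAttribute1
    }

    # Look the account up by the DN recorded before the change.
    try   { $user = Get-QADUser -Identity $row.dn -IncludedProperties extensionAttribute1 -ErrorAction Stop }
    catch { $user = $null }

    if (-not $user) {
        $status = 'NotFound'; $nowDept = ''; $nowEa1 = ''
    } else {
        $nowDept = [string]$user.department
        $nowEa1  = [string]$user.extensionAttribute1
        if ($nowDept -eq $wantDept -and $nowEa1 -eq $wantEa1) { $status = 'OK' } else { $status = 'Mismatch' }
    }

    New-Object PSObject -Property @{
        samAccountName = $row.samAccountName
        Status         = $status
        OldDepartment  = $row.department
        OldEA1         = $row.extensionAttribute1
        NowDepartment  = $nowDept
        NowEA1         = $nowEa1
    }
}

# Write the full report and summarise how many accounts need a second look.
$report | Select-Object samAccountName, Status, OldDepartment, OldEA1, NowDepartment, NowEA1 |
    Export-Csv $ReportPath -NoTypeInformation
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
'{0} of {1} exported accounts need review; details in {2}' -f $bad.Count, @($report).Count, $ReportPath
```

A Mismatch row for an account whose old department was outside 10000-10999 means the broad `10*` or `11*` filter touched it; the OldDepartment and OldEA1 columns hold the values to restore.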