PowerShell for Windows Admins

Dec 9 2012   3:41AM GMT

Bulk modifications using Set-AdUser

Richard Siddaway

 

The standard approach to the bulk modification of users is to create a CSV file with an identifier and the data you want to change. Here’s part of a CSV file that could be used to modify some AD attributes: Division, City and Office.

SamAccountName,Division,Office,City
mgreen,Accounting,"Main Office","New York"
dgreen,Sales,"North East",Boston
jgreen,Marketing,"North West",Seattle
bkent,Manufacturing,"North",Chicago

I always like to first test what is set:

# Read the CSV of users to check
$users = Import-Csv -Path C:\Scripts\adtest.csv

# Show the current values of the attributes we are about to change
foreach ($user in $users) {
 Get-ADUser -Identity $user.SamAccountName -Properties * |
 Select-Object SamAccountName, Division, Office, City
}

A simple loop through each user to display the data. I’ve used -Properties * to ensure that I get the data I want. I could have put the attribute names in to restrict the returned data, which might be a good idea if you are working with lots of user accounts at once.

SamAccountName      Division            Office              City
--------------      --------            ------              ----
mgreen
dgreen
jgreen                                  Test
bkent               AD Admin            ADML House          Peterborough

With Set-ADUser you get two options: a named parameter, or the Add, Replace, Clear and Remove parameters. See the help file for more details. All of our attributes have named parameters, so we can use this code:

# Import AD Module
Import-Module ActiveDirectory

# Import CSV into variable $users
$users = Import-Csv -Path C:\Scripts\adtest.csv

# Loop through CSV and update users if they exist in the CSV file
foreach ($user in $users) {
 # Search under the specified search base and update existing attributes
 Get-ADUser -Filter "SamAccountName -eq '$($user.samaccountname)'" -Properties * -SearchBase "cn=Users,DC=manticore,DC=org" |
  Set-ADUser -City $($user.City) -Office $($user.Office) -Division $($user.Division)
}

Import the CSV file and loop through the users. For each user, get the user object and pipe it to Set-ADUser. The new attribute values are set from the CSV file data.

Alternatively, if you know the LDAP name of the attribute, or there isn’t a parameter for that attribute, use the -Replace parameter.

# Import AD Module
Import-Module ActiveDirectory

# Import CSV into variable $users
$users = Import-Csv -Path C:\Scripts\adtest.csv

# Loop through CSV and update users if they exist in the CSV file
foreach ($user in $users) {
 # Search under the specified search base and update existing attributes
 Get-ADUser -Filter "SamAccountName -eq '$($user.samaccountname)'" -Properties * -SearchBase "cn=Users,DC=manticore,DC=org" |
  Set-ADUser -Replace @{l = "$($user.City)"; physicalDeliveryOfficeName = "$($user.Office)"; division = "$($user.Division)"}
}

The thing to note here is that the LDAP attribute names don’t always match the GUI names which are used as parameters. Get-ADUser seems to translate OK though! You can find the correct name using ADSIEdit.

Note also that the help file for Set-ADUser is incorrect in at least one place: the list of attribute name-value pairs must be separated by semi-colons, NOT commas as the help file states.
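A more defensive form of the -Replace loop, as an added example rather than the author's code: it rejects blank or unexpected account names before they reach the -Filter string, requests only the attributes being changed, skips empty CSV cells, and writes a before/after report. The report path, the `$dryRun` switch and the account-name pattern are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed settings (not from the original post)
$csvPath    = 'C:\Scripts\adtest.csv'
$reportPath = 'C:\Scripts\adtest-report.csv'
$searchBase = 'cn=Users,DC=manticore,DC=org'
$dryRun     = $true   # $true previews with -WhatIf; $false applies the changes
$samPattern = '^[A-Za-z0-9._!$-]{1,20}$'   # assumed allow-list for account names

# CSV column -> LDAP attribute name, as used in the -Replace example
$map = @{ City = 'l'; Office = 'physicalDeliveryOfficeName'; Division = 'division' }

$report = foreach ($row in Import-Csv -Path $csvPath) {
    $sam = "$($row.SamAccountName)".Trim()
    if ($sam -notmatch $samPattern) {
        # Blank or unexpected names never reach the -Filter string
        Write-Warning "Row skipped: invalid SamAccountName '$sam'"
        continue
    }

    # Ask only for the attributes being changed instead of -Properties *
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $searchBase -Properties @($map.Values)
    if (-not $adUser) {
        Write-Warning "Row skipped: '$sam' not found under $searchBase"
        continue
    }

    # Keep only non-empty CSV cells whose value differs from the directory
    $replace = @{}
    foreach ($col in $map.Keys) {
        $attr = $map[$col]
        if ($row.$col -and $row.$col -cne $adUser.$attr) { $replace[$attr] = $row.$col }
    }
    if ($replace.Count -eq 0) { continue }

    Set-ADUser -Identity $adUser -Replace $replace -WhatIf:$dryRun

    # One report line per attribute, with the value held before the change
    foreach ($attr in $replace.Keys) {
        [pscustomobject]@{
            SamAccountName = $sam; Attribute = $attr
            OldValue = $adUser.$attr; NewValue = $replace[$attr]; Applied = -not $dryRun
        }
    }
}
if ($report) { $report | Export-Csv -Path $reportPath -NoTypeInformation }
```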

8  Comments on this Post

 
  • denveritguy
    You make this stuff seem almost doable!  Any chance you could help me with a quickie that will search and replace a string in an Active Directory user object's CN attribute?
  • Richard Siddaway
    Have a look at this - I think it answers your question http://itknowledgeexchange.techtarget.com/powershell/renaming-a-user/
  • Sagar25

    Here is the code I am using to modify the attribute of the object class "User" in Active Directory. The attribute is "cvx-informationStewart". Can anyone help with how to update an attribute that has a hyphen, as I am getting an error?

    .Csv data contains:
    "samAccountName","informationSteward"
    "!tqjz","tqjz"

    Code :

    Add-PSSnapin Quest.ActiveRoles.ADManagement

    foreach ($record in (Import-Csv C:\name.csv)) {
      $user = $record.samAccountName
      $command = "Set-QADUser -identity $user"

      foreach ( $attr in (Get-Member -InputObject $record -MemberType NoteProperty) ) {
         $value = $record.($attr.Name)
         if ( $value -and ( $attr.Name -ne 'samAccountName' ) ) {
              $command += " -" + $attr.Name + " '" + $value + "'"
         }
       }
      write-host $command
      Invoke-Expression $command

    }

  • Richard Siddaway
    Why are you putting the command into a string and using Invoke-Expression?
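An alternative to the string-building approach discussed in the two comments above, as an added example that is not part of the original thread: the CSV columns are collected into a hashtable and passed to Set-ADUser -Replace, so CSV text is only ever treated as data and a hyphenated attribute name is just a hashtable key. The allow-list contents and the use of the ActiveDirectory module in place of the Quest snap-in are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed allow-list: CSV column name -> LDAP attribute name.
# The custom attribute name is spelled as it appears in the comment above.
$allowed = @{
    informationSteward = 'cvx-informationStewart'
    City               = 'l'
    Office             = 'physicalDeliveryOfficeName'
}

foreach ($record in Import-Csv -Path C:\name.csv) {
    if (-not $record.samAccountName) {
        Write-Warning 'Row skipped: samAccountName is blank'
        continue
    }

    # Build the attribute set as data; nothing here is parsed as PowerShell code
    $replace = @{}
    foreach ($prop in $record.PSObject.Properties) {
        if ($prop.Name -eq 'samAccountName' -or -not $prop.Value) { continue }
        if (-not $allowed.ContainsKey($prop.Name)) {
            Write-Warning "Column '$($prop.Name)' is not on the allow-list; ignored"
            continue
        }
        $replace[$allowed[$prop.Name]] = $prop.Value
    }

    if ($replace.Count -gt 0) {
        # -WhatIf previews the change; remove it to apply
        Set-ADUser -Identity $record.samAccountName -Replace $replace -WhatIf
    }
}
```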
  • MarioTunes
    Hello,
    The script is perfect.
    Is it possible to get report at the end of script?

    Thank you
  • Richard Siddaway
    You could do a couple of things: 1) You could use -Passthru on Set-AdUser which would show you which users had been changed 2) Perform another Get-ADUser to show the changed data and pipe to Export-Csv
  • PHarstvedt
    Have tried to get the first example above to work and keep getting error message -- Get-ADUser : The search filter cannot be recognized.

    There is currently only one value line in my CSV and if I manually enter the command "Get-ADUser -Identity" with a valid samaccountname from the powershell command prompt the information is returned. 

    What else can I try?
  • PHarstvedt
    If I try this:
    $users = Import-Csv -Path C:\Datamart\UPDATES\TEST_ACCOUNT2.csv  
    $outcsv = 'c:\datamart\ADexport\Selected_AD_Users.csv'          
                
    foreach ($user in $users) {            
     Get-ADUser -Identity $user.SamAccountName -Properties * |            
     select SamAccountName, employeeID, title, Office| export-csv $outcsv
    }

    I get the message: Cannot validate the argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

    What am I missing?

