PowerShell for Windows Admins

Dec 9 2012   3:41AM GMT

Bulk modifications using Set-AdUser

Richard Siddaway

 

The standard approach to the bulk modification of users is to create a CSV file with an identifier and the data you want to change. Here’s part of a CSV file that could be used to modify some AD attributes – Division, City and Office:

SamAccountName,Division,Office,City
mgreen,Accounting,"Main Office","New York"
dgreen,Sales,"North East",Boston
jgreen,Marketing,"North West",Seattle
bkent,Manufacturing,"North",Chicago

I always like to first test what is set:

$users = Import-Csv -Path C:\Scripts\adtest.csv

# Show the current values of the attributes that will be changed
foreach ($user in $users) {
    Get-ADUser -Identity $user.SamAccountName -Properties * |
        Select-Object SamAccountName, Division, Office, City
}

A simple loop through each user to display the data. I’ve used -Properties * to ensure that I get the data I want. I could have listed the attribute names instead to restrict the returned data, which might be a good idea if you are working with lots of user accounts at once.

SamAccountName      Division            Office              City
--------------      --------            ------              ----
mgreen
dgreen
jgreen                                  Test
bkent               AD Admin            ADML House          Peterborough

With Set-ADUser you get two options: a named parameter, or the Add, Replace, Clear and Remove parameters. See the help file for more details. All of our attributes have named parameters, so we can use this code:

# Import AD Module
Import-Module ActiveDirectory

# Import CSV into variable $users
$users = Import-Csv -Path C:\Scripts\adtest.csv

# Loop through CSV and update users if they exist in the CSV file
foreach ($user in $users) {
    # Search in specified OU and update existing attributes
    Get-ADUser -Filter "SamAccountName -eq '$($user.samaccountname)'" -Properties * -SearchBase "cn=Users,DC=manticore,DC=org" |
        Set-ADUser -City $($user.City) -Office $($user.Office) -Division $($user.Division)
}

Import the CSV file and loop through the users. For each user, get the user object and pipe it to Set-ADUser. The new attribute values are set from the CSV file data.

Alternatively, if you know the LDAP name of the attribute OR there isn’t a parameter for that attribute, use the -Replace parameter.

# Import AD Module
Import-Module ActiveDirectory

# Import CSV into variable $users
$users = Import-Csv -Path C:\Scripts\adtest.csv

# Loop through CSV and update users if they exist in the CSV file
foreach ($user in $users) {
    # Search in specified OU and update existing attributes
    Get-ADUser -Filter "SamAccountName -eq '$($user.samaccountname)'" -Properties * -SearchBase "cn=Users,DC=manticore,DC=org" |
        Set-ADUser -Replace @{l = "$($user.City)"; physicalDeliveryOfficeName = "$($user.Office)"; division = "$($user.Division)"}
}

The thing to note here is that the LDAP attribute names don’t always match the GUI names which are used as parameters. Get-ADUser seems to translate OK though! You can find the correct name using ADSIEdit.

Note also that the help file for Set-ADUser is incorrect in at least one place – the list of attribute name-value pairs must be separated by semi-colons, NOT commas as the help file states.
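A more defensive version of the -Replace loop above, as an added example that is not the author's code: each CSV row is validated before its value is placed in the -Filter string (a quote or wildcard in a cell would otherwise change what the filter matches), blank cells are left out of the -Replace table, and every row yields a result object that can be piped to Export-Csv. The function name, the account-name pattern and the result columns are assumptions; the attribute mapping and search base are the ones used in the post.

```powershell
# Added example, not from the original post. Function name, name pattern and
# result columns are assumptions; the attribute mapping is the post's.
Import-Module ActiveDirectory

function Update-AdUserFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$SearchBase
    )
    # CSV column -> LDAP attribute name
    $map = @{ City = 'l'; Office = 'physicalDeliveryOfficeName'; Division = 'division' }

    foreach ($row in Import-Csv -Path $Path) {
        $name   = "$($row.SamAccountName)".Trim()
        $result = [pscustomobject]@{ SamAccountName = $name; Status = 'Skipped'; Detail = '' }

        # Assumed naming policy: reject blanks, quotes, wildcards and other
        # filter metacharacters before the value is placed in the filter string
        if ($name -notmatch '^[A-Za-z0-9._!-]{1,20}$') {
            $result.Detail = 'Missing or invalid SamAccountName'
            $result; continue
        }
        # Only non-empty cells go into the -Replace table
        $replace = @{}
        foreach ($column in $map.Keys) {
            $value = "$($row.$column)".Trim()
            if ($value) { $replace[$map[$column]] = $value }
        }
        if ($replace.Count -eq 0) { $result.Detail = 'No values to set'; $result; continue }

        try {
            $found = @(Get-ADUser -Filter "SamAccountName -eq '$name'" -SearchBase $SearchBase -ErrorAction Stop)
            if ($found.Count -ne 1) { throw "Expected 1 account, found $($found.Count)" }
            if ($PSCmdlet.ShouldProcess($found[0].DistinguishedName, 'Set-ADUser -Replace')) {
                Set-ADUser -Identity $found[0] -Replace $replace -ErrorAction Stop
                $result.Status = 'Updated'
            } else { $result.Status = 'NotApplied' }
            $result.Detail = ($replace.Keys | Sort-Object) -join ','
        }
        catch { $result.Status = 'Failed'; $result.Detail = $_.Exception.Message }
        $result
    }
}

# Dry run first, then repeat without -WhatIf and keep the output as a change record
Update-AdUserFromCsv -Path C:\Scripts\adtest.csv -SearchBase 'cn=Users,DC=manticore,DC=org' -WhatIf
```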

8 Comments on this Post

 
  • denveritguy
    You make this stuff seem almost doable!  Any chance you could help me with a quickie that will search and replace a string in an Active Directory user object's CN attribute?
  • Richard Siddaway
    Have a look at this - I think it answers your question http://itknowledgeexchange.techtarget.com/powershell/renaming-a-user/
  • Sagar25

    Here is the code I am using to modify the attribute of the object class "User" in Active Directory. The attribute is "cvx-informationStewart". Can anyone help with how to update an attribute that has a hyphen, as I am getting an error?

    .Csv data contains:
    "samAccountName","informationSteward"
    "!tqjz","tqjz"

    Code :

    Add-PSSnapin Quest.ActiveRoles.ADManagement

    foreach ($record in (Import-Csv C:\name.csv)) {
      $user = $record.samAccountName
      $command = "Set-QADUser -identity $user"

      foreach ( $attr in (Get-Member -InputObject $record -MemberType NoteProperty) ) {
         $value = $record.($attr.Name)
         if ( $value -and ( $attr.Name -ne 'samAccountName' ) ) {
              $command += " -" + $attr.Name + " '" + $value + "'"
         }
       }
      write-host $command
      Invoke-Expression $command

    }

  • Richard Siddaway
    Why are you putting the command into a string and using Invoke-Expression?
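The question above points at the risk in the script it replies to: the command line is assembled from CSV cells and then run by Invoke-Expression, so cell content is parsed as PowerShell. An added example, not from the thread, that passes the same values as data through a hashtable instead; the column-to-attribute map is an assumption built from the names quoted in that comment, and a hyphenated attribute name needs nothing more than a quoted hashtable key.

```powershell
# Added example, not from the thread. The column-to-attribute map is an
# assumption based on the names quoted in the comment above.
Add-PSSnapin Quest.ActiveRoles.ADManagement

# CSV column name -> directory attribute name (hyphenated names are quoted keys)
$attributeMap = @{ informationSteward = 'cvx-informationStewart' }

foreach ($record in (Import-Csv C:\name.csv)) {
    $identity = "$($record.samAccountName)".Trim()
    if (-not $identity) {
        Write-Warning 'Row without samAccountName skipped'
        continue
    }

    # Collect the values in a hashtable; nothing from the CSV is parsed as code,
    # and only columns named in the map can ever be written
    $attributes = @{}
    foreach ($column in $attributeMap.Keys) {
        $value = $record.$column
        if ($value) { $attributes[$attributeMap[$column]] = $value }
    }

    if ($attributes.Count -gt 0) {
        Set-QADUser -Identity $identity -ObjectAttributes $attributes
    }
}
```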
  • MarioTunes
    Hello,
    The script is perfect.
    Is it possible to get report at the end of script?

    Thank you
  • Richard Siddaway
    You could do a couple of things: 1) You could use -Passthru on Set-AdUser which would show you which users had been changed 2) Perform another Get-ADUser to show the changed data and pipe to Export-Csv
  • PHarstvedt
    Have tried to get the first example above to work and keep getting error message -- Get-ADUser : The search filter cannot be recognized.

    There is currently only one value line in my CSV and if I manually enter the command "Get-ADUser -Identity" with a valid samaccountname from the powershell command prompt the information is returned. 

    What else can I try?
  • PHarstvedt
    If I try this:
    $users = Import-Csv -Path C:\Datamart\UPDATES\TEST_ACCOUNT2.csv  
    $outcsv = 'c:\datamart\ADexport\Selected_AD_Users.csv'          
                
    foreach ($user in $users) {            
     Get-ADUser -Identity $user.SamAccountName -Properties * |            
     select SamAccountName, employeeID, title, Office| export-csv $outcsv
    }

    I get the message: Cannot validate the argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

    What am I missing?

