Powershell user creation script - powershell

I have created a user creation script using PowerShell and everything works except the attribute "ipPhone".
Can anyone tell me why I can't add the following lines?:
$Mobile = Read-Host " xxxx "
$ipPhone = Read-Host " xxx"
New-ADUser -ipPhone "$ipPhone"
It works for
-Mobile "$Mobile"
But it doesn't work for ipPhone. Do I need to use Set-ADUser instead?

Cmdlet New-ADUser does not have a parameter called ipPhone.
You can set it, but then use
-OtherAttributes @{'ipPhone' = $ipPhone}
If you use Set-ADUser, you will need to do
-Replace @{'ipPhone' = $ipPhone}
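The two forms from the answer put together, as an added example that is not part of the original thread. It prompts for the same three values, creates the account with -OtherAttributes when it does not exist yet, and falls back to Set-ADUser -Replace when it does. The OU path, the UPN suffix and the file layout are assumptions for the example. Two points worth knowing: -Mobile is only accepted because PowerShell resolves it as an unambiguous prefix of the real parameter, -MobilePhone, and ipPhone is not in the default property set of Get-ADUser, so you have to ask for it when you verify the write.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module, an OU of
# OU=Users,DC=example,DC=com and a UPN suffix of example.com; adjust for your domain.
Import-Module ActiveDirectory

$sam     = Read-Host 'sAMAccountName'
$mobile  = Read-Host 'Mobile number'
$ipPhone = Read-Host 'ipPhone'

# Attributes without a cmdlet parameter go in a hashtable keyed by LDAP display name.
# Skip empty answers so a blank prompt is never written to the directory.
$other = @{}
if ($ipPhone) { $other['ipPhone'] = $ipPhone }

# -Identity with try/catch instead of building an LDAP -Filter from typed input
try {
    $existing = Get-ADUser -Identity $sam -ErrorAction Stop
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $existing = $null
}

if ($existing) {
    # Existing account: attributes without a parameter go through -Replace
    $set = @{ Identity = $existing }
    if ($mobile)      { $set['MobilePhone'] = $mobile }   # the full parameter name
    if ($other.Count) { $set['Replace']     = $other }
    Set-ADUser @set
} else {
    $initial = Read-Host 'Initial password' -AsSecureString   # never a plain string
    $new = @{
        SamAccountName        = $sam
        Name                  = $sam
        UserPrincipalName     = "$sam@example.com"            # assumed suffix
        Path                  = 'OU=Users,DC=example,DC=com'  # assumed OU
        AccountPassword       = $initial
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    if ($mobile)      { $new['MobilePhone']     = $mobile }
    if ($other.Count) { $new['OtherAttributes'] = $other }
    New-ADUser @new
}

# ipPhone is not returned by default; request it explicitly to confirm the write
Get-ADUser -Identity $sam -Properties ipPhone, MobilePhone |
    Select-Object SamAccountName, ipPhone, MobilePhone
```

To remove the value later, use `Set-ADUser -Identity $sam -Clear ipPhone`; -Replace does not accept an empty string.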

Related

Add smtp Proxy Addresses from users listed in a text file using PowerShell

I am trying to create a simple script to add Proxy Addresses to the AD field using PowerShell.
I was able to get it working using this, but now I am at a roadblock on how I can do this importing the usernames from a text file.
$Username = Read-Host -Prompt "Enter the username"
Set-AdUser $Username -Add @{ProxyAddresses = "smtp:$Username@example.com,smtp:$Username@marketing.example.com" -split ","}
What I want to do now is instead of prompting for a username to be entered I just want to have a text file with username like this.
Text File Of Usernames: These will all be on a separate line. I am not sure how to format that way on here.
jallen
sdiggs
gdavis
mhyde
twhite
I am confused how to go forward with this. To my understanding I want to use Get-Content to create the username array and then for each line in the text file add the proxy addresses.
I want to remove the need for user input and import the username variables from a text file.
Assuming you have the txt file with each user on a new line as shown in your question, you're right: you can use Get-Content to read your file, then you need to loop over each line:
(Get-Content path\to\yourfile.txt).Trim() | ForEach-Object {
    try {
        Set-AdUser $_ -Add @{ ProxyAddresses = "smtp:$_@example.com,smtp:$_@marketing.example.com".Split(",") }
    }
    catch {
        # can do error handling here
        Write-Error $_
    }
}
The use of Trim() in this example is so that it removes any excess white space from the beginning and end of all lines.
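A version that survives a second run, added here as an example and not taken from the answer above. -Add fails when the value is already present on the multi-valued attribute, so the script reads the current proxyAddresses first and only adds what is missing; it also skips blank and commented lines and previews with -WhatIf until you turn the dry run off. The file path and the two mail domains are assumptions.

```powershell
# Added example (not from the thread). Assumes C:\temp\users.txt holds one
# sAMAccountName per line and that the two domains below are the ones you want.
Import-Module ActiveDirectory

$userFile = 'C:\temp\users.txt'
$domains  = 'example.com', 'marketing.example.com'
$dryRun   = $true             # flip to $false once the preview looks right

Get-Content $userFile |
    ForEach-Object { $_.Trim() } |
    Where-Object  { $_ -and -not $_.StartsWith('#') } |   # skip blank and comment lines
    ForEach-Object {
        $sam = $_
        try {
            $user = Get-ADUser -Identity $sam -Properties proxyAddresses -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$sam': $($_.Exception.Message)"
            return            # move on to the next line
        }

        $wanted   = foreach ($d in $domains) { "smtp:$sam@$d" }
        $existing = @($user.proxyAddresses)
        # -notcontains compares case-insensitively, so an existing primary
        # 'SMTP:' entry for the same address is not duplicated as 'smtp:'
        $missing  = @($wanted | Where-Object { $existing -notcontains $_ })
        if (-not $missing) { Write-Host "$sam : nothing to add"; return }

        # -Add errors on a value that already exists, which is why we filtered above
        Set-ADUser -Identity $user -Add @{ proxyAddresses = [string[]]$missing } -WhatIf:$dryRun
        Write-Host "$sam : adding $($missing -join ', ')"
    }
```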

Set-ADuser extensionAttribute won't work but things like title will

I am writing a simple script that takes an already created user and updates an attribute based on what the admin put in.
The code works just fine if I replace extensionAttribute with for example title or something like that, but it won't with extensionAttributes.
I have tried a few things and other extensionAttributes, but the code is so simple and it works with other attributes. I guess extensionAttributes require a bit more in the code that I am missing.
$name = Read-Host "AD Logon Name"
$key = Read-Host "Azure Key"
Set-ADUser $name -extensionAttribute6 $key -PassThru
Set-ADUser : A parameter cannot be found that matches parameter name 'extensionAttribute6'
Even though it exists it is not finding it.
Set-ADUser has a limited set of parameters covering the most commonly used attributes in AD. However, given the sheer amount of existing attributes and the fact that the AD schema is extensible, an attempt to have all attributes represented as parameters just wouldn't be feasible.
For attributes that are not represented as parameters use the parameter -Add or -Replace with a hashtable argument.
Set-ADUser $name -Replace @{'extensionAttribute6' = $key} -PassThru
Old thread, but this worked for me:
Import-Csv -Path "C:\data\12345.csv" | ForEach-Object {
    Set-ADUser $_.samAccountName -Replace @{
        description         = "$($_.description)"
        extensionAttribute1 = "$($_.extensionAttribute1)"
        extensionAttribute3 = "$($_.extensionAttribute3)"
        initials            = "$($_.initials)"
        # additionalAttributeName = "$($_.additionalAttributeName)"
    }
}
The top row of your .csv file would look like the following for this example:
samAccountname,description,extensionAttribute1,extensionAttribute3,initials
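The CSV approach with the two checks that bite in practice, as an added example rather than code from the answer. An empty cell cannot be passed to -Replace (it does not accept an empty string), so empty cells are routed to -Clear, and only when the attribute currently has a value. A column missing from the header reads as empty too, which would silently clear that attribute for every row, so the script validates the header before touching anything. The path is an assumption; the column names are the ones from the answer.

```powershell
# Added example (not from the thread). Assumes C:\data\users.csv with the header
# samAccountName,description,extensionAttribute1,extensionAttribute3,initials
Import-Module ActiveDirectory

$csvPath    = 'C:\data\users.csv'
$attributes = 'description', 'extensionAttribute1', 'extensionAttribute3', 'initials'

$rows = @(Import-Csv -Path $csvPath)
if (-not $rows) { throw "No rows in $csvPath" }

# Refuse to run if a column is missing: a missing column reads as empty, and an
# empty cell means "clear", so a typo in the header would wipe that attribute.
$headers = $rows[0].PSObject.Properties.Name
$missing = (@('samAccountName') + $attributes) | Where-Object { $headers -notcontains $_ }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

foreach ($row in $rows) {
    $sam = $row.samAccountName.Trim()
    try {
        $current = Get-ADUser -Identity $sam -Properties $attributes -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    $replace = @{}
    $clear   = @()
    foreach ($attr in $attributes) {
        $new = $row.$attr
        if ([string]::IsNullOrWhiteSpace($new)) {
            # empty cell: -Clear, and only if there is actually something to clear
            if ($current.$attr) { $clear += $attr }
        } elseif ($current.$attr -cne $new.Trim()) {
            $replace[$attr] = $new.Trim()          # write only what changed
        }
    }

    if (-not $replace.Count -and -not $clear.Count) { continue }
    $set = @{ Identity = $current; ErrorAction = 'Stop' }
    if ($replace.Count) { $set['Replace'] = $replace }
    if ($clear.Count)   { $set['Clear']   = $clear }
    try {
        Set-ADUser @set
        "$sam : replaced [$($replace.Keys -join ',')] cleared [$($clear -join ',')]"
    } catch {
        Write-Error "Failed on '$sam': $($_.Exception.Message)"
    }
}
```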

Using Powershell and ADSI to set local passwords

I'm trying to automate setting a bunch of local user accounts' password on a Windows 2008 server. I've tried a few things and this works if I don't use a variable for the username like this:
$user = [adsi]"WinNT://$computer/SomeUserName"
My script block is below... any ideas what I'm doing wrong?
$accounts = Get-Content c:\userlist.txt
$computer = "SomeComputerName"   # must be quoted; a bare word is treated as a command
$password = "MyPassword"
Foreach($account in $accounts)
{
    $user = [adsi]"WinNT://$computer/$account"
    $user.SetPassword("$Password")
    $user.SetInfo()
}
The error I get when I use the $account variable for the user (from the text file list) is:
The following exception occurred while retrieving member "SetInfo": "The group name could not be found.
Thanks for any help...
It seems that your machine tries to resolve the $account value to a local group name.
You can specify that it is a User object you want, by following the account name with a comma and the string user:
$user = [adsi]"WinNT://$computer/$account,user"
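The loop with the ",user" suffix from the answer, as an added example that is not from the thread. The original script sets one shared, hard-coded password on every account; this version generates a separate random password per account with the system RNG (rejection sampling so the character choice is unbiased) and reports the result per account instead of stopping at the first failure. The computer name and list path are assumptions.

```powershell
# Added example (not from the thread). Computer name and list path are assumed.
$computer = $env:COMPUTERNAME       # or the 2008 server's name when run remotely
$listPath = 'C:\userlist.txt'       # one account name per line

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) left out so the value can be read back to someone
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

$results = foreach ($line in Get-Content $listPath) {
    $account = $line.Trim()
    if (-not $account) { continue }
    $pw   = New-RandomPassword
    $user = [adsi]"WinNT://$computer/$account,user"   # ",user" so it is not resolved as a group
    try {
        $user.SetPassword($pw)
        $user.SetInfo()
        [pscustomobject]@{ Account = $account; Password = $pw; Status = 'OK' }
    } catch {
        [pscustomobject]@{ Account = $account; Password = $null; Status = $_.Exception.Message }
    }
}

# Hand the passwords over out of band; do not log or transcript this output.
$results | Format-Table -AutoSize
```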

creating local users using a xml file as source with powershell scripting

I'm trying to create bulk localusers with xml source file with all details in it using powershell scripting. Below is my sample xml file with code I'm using for creating the users. Can anyone help me out getting this to work?
# To run this script use: & "C:\Users\rLisdonk\Desktop\ToServer\Test.ps1"
$computerName = "USSECAVDSPDWK27"
$serviceAccountWebName = "saAsaWeb"
$serviceAccountWebPassword = "MyPassword123"
"Get computer info"
$computer = [ADSI]("WinNT://" + $computerName + ",computer")
"Determine if user [saAsaWeb] exists"
$serviceAccount = [ADSI]("WinNT://" + $computerName + "/$serviceAccountWebName" + ",user")
if(!$serviceAccount.Name)
{
"Create user [saAsaWeb]"
$user = $computer.Create("user", $serviceAccountWebName)
"Set password"
$user.SetPassword($serviceAccountWebPassword)
$user.SetInfo()
"Disable [User must change password at next logon]"
$user.PasswordExpired = 0
$user.SetInfo()
"Enable [Password never expires]"
$wmiuser = Get-WmiObject -class "Win32_UserAccount" -filter "name=’$serviceAccountWebName’"
$wmiuser.PasswordExpires = $false
$wmiuser.Put()
}
PowerShell will only substitute the variable with the value inside double quotes; single quotes will return the literal value. You will want to escape the single quotes with a ` backtick character, so it would be:
$wmiuser = Get-WmiObject Win32_UserAccount -filter "LocalAccount=True AND name=`'$serviceAccountWebName`'"
When you run it, it needs to be run with elevated permissions. If you are looking to do this on a remote machine, you need to do so via Remoting, or use WMI entirely. Without a specified error, I assume this WMI query is most likely what is holding you up.
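An added example, not code from the question or answer, that does what the question's title asks for: it reads the accounts from XML and creates them through ADSI alone, so the WMI query and its quoting problem drop out. "Password never expires" is the ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000) in UserFlags, which the WinNT provider can set directly. The existence check enumerates the computer's children instead of binding to a name that may not exist. The XML is a constructed sample, the passwords are prompted for rather than stored in the file, and the plain-text copy needed by SetPassword is zeroed as soon as it has been used.

```powershell
# Added example (not from the thread): bulk local accounts from XML via ADSI only.
# The XML below is a constructed sample; in practice load it with
# [xml](Get-Content -Raw 'C:\accounts.xml'). Run elevated; use remoting for other hosts.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

[xml]$config = @"
<accounts>
  <user name="saAsaWeb" description="ASA web service account" passwordNeverExpires="true" />
  <user name="saAsaJob" description="ASA batch account"       passwordNeverExpires="false" />
</accounts>
"@

$computerName = $env:COMPUTERNAME
$computer     = [ADSI]"WinNT://$computerName,computer"

foreach ($spec in $config.accounts.user) {
    $name = $spec.name

    # Existence check that does not rely on binding to a possibly missing object
    $exists = $computer.Children | Where-Object {
        $_.SchemaClassName -eq 'user' -and "$($_.Name)" -eq $name
    }
    if ($exists) { Write-Host "[$name] already exists, skipping"; continue }

    $secure = Read-Host "Password for [$name]" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $user  = $computer.Create('user', $name)
        $user.SetPassword($plain)      # the WinNT provider only takes plain text here
        $user.SetInfo()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    $user.psbase.InvokeSet('Description', $spec.description)
    $user.psbase.InvokeSet('PasswordExpired', 0)      # clear "must change at next logon"
    if ($spec.passwordNeverExpires -eq 'true') {
        $flags = $user.psbase.InvokeGet('UserFlags')
        $user.psbase.InvokeSet('UserFlags', ($flags -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    }
    $user.SetInfo()
    Write-Host "[$name] created"
}
```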

Powershell: How do you set the Read/Write Service Principal Name AD Permissions?

In Powershell, how do you set the Read/Write Service Principal Name AD user permissions?
Normally during my build process, I use ADSIedit to navigate to that object, and then go through all the security tabs to get down to put a checkmark next to:
Read Service Principal Name
Write Service Principal Name
But navigating through ADSIedit can take a long time so I'm trying to script the process. If I have a PowerShell LDAP bind with a new user created, how can I use PowerShell to set both of these properties for this user account?
The following is a hacked out code-snippet of the possible pertinent portions of my install script:
$strDomain = "dc=my,dc=com"
$objDomain = [ADSI]("LDAP://" + $strDomain)
$strSCCMSQLPW = Read-Host -AsSecureString ("Please enter a password for the " + $strSCCMSQL + " account: ")
New-ADUser -SamAccountName $strSCCMSQL -Name $strSCCMSQL -AccountPassword $strSCCMSQLPW -Enabled $true -Path ($strUsersOU + "," + $strDomain) -PasswordNeverExpires $true
You need to add an ActiveDirectoryAccessRule object to the ACL of the target object. For setting property-specific rights the trick is to pass in the schemaIDGUID of the attribute. So first we need to find the schemaIDGUID from the Service-Principal-Name schema entry. In the sample code I statically refer to Service-Principal-Name; better yet would have been to search for the lDAPDisplayName to find the entry, but I'm sure you can sort that out. In any case this code should do the job:
Function Set-SpnPermission {
    param(
        [adsi]$TargetObject,
        [Security.Principal.IdentityReference]$Identity,
        [switch]$Write,
        [switch]$Read
    )
    if(!$Write -and !$Read){
        throw "Missing either -Read or -Write"
    }
    # Locate the servicePrincipalName attribute in the schema partition
    $rootDSE = [adsi]"LDAP://RootDSE"
    $schemaDN = $rootDSE.psbase.Properties["schemaNamingContext"][0]
    $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
    $spnEntry = [adsi]$spnDN
    # schemaIDGUID is stored as a byte array; wrap it so New-Object receives one argument
    $guidArg = @("")
    $guidArg[0] = $spnEntry.psbase.Properties["schemaIDGUID"][0]
    $spnSecGuid = New-Object GUID $guidArg
    if($Read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
    if($Write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
    if($Write -and $Read){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty,WriteProperty"}
    # The attribute GUID scopes the ACE to this one property rather than the whole object
    $accessRuleArgs = $Identity,$adRight,"Allow",$spnSecGuid,"None"
    $spnAce = New-Object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
    $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
    $TargetObject.psbase.CommitChanges()
    return $spnAce
}
Sample lines for calling the function...
$TargetObject = "LDAP://CN=User,OU=My User Org,DC=domain,DC=net"
$Identity = [security.principal.ntaccount]"domain\user"
Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read
Here is an example using Quest to set the permissions on the service principal name attributes.
First, add Quest:
Add-PSSnapin Quest.ActiveRoles.ADManagement;
Set the permission (using Add-QADPermission):
Get-QADUser UserName | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'servicePrincipalName' -ApplyTo 'ThisObjectOnly';
You can use Quest AD cmdlets. It makes AD permission stuff very easy in PowerShell.
Read this blog for some examples on how to add AD permissions or even copy the AD permissions.
Just lookup Add-QADPermission and it should do your job.
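Two pieces the accepted answer left as an exercise, added here as an example that is not part of any answer above: a lookup of the schemaIDGUID by lDAPDisplayName instead of the hard-coded CN=Service-Principal-Name, and an audit of who already holds write access to that attribute on the target account. The audit matters because write access to servicePrincipalName on a user account lets the holder register an SPN and then request a service ticket for it, i.e. a Kerberoast against that account's password, so the rule you grant should be confined to the identity that needs it and checked afterwards. The target DN is the sample one from the answer; replace it with your account.

```powershell
# Added example (not from the thread). Target DN is assumed.
function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDSE  = [adsi]'LDAP://RootDSE'
    $schemaDN = $rootDSE.psbase.Properties['schemaNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([adsi]"LDAP://$schemaDN")
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No attributeSchema entry for '$LdapDisplayName'" }
    $bytes = [byte[]]$result.Properties['schemaidguid'][0]
    New-Object System.Guid -ArgumentList (,$bytes)      # byte[] -> Guid
}

function Get-AttributeWriters {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][guid]$AttributeGuid
    )
    $entry = [adsi]"LDAP://$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        # GenericWrite and GenericAll both include the WriteProperty bit, so one test covers all three
        $canWrite = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        # An empty ObjectType means the ACE applies to every property, not just this one
        $covers   = ($rule.ObjectType -eq $AttributeGuid) -or ($rule.ObjectType -eq [guid]::Empty)
        if ($canWrite -and $covers) {
            [pscustomobject]@{
                Identity          = $rule.IdentityReference
                Type              = $rule.AccessControlType
                Rights            = $rule.ActiveDirectoryRights
                ScopedToAttribute = ($rule.ObjectType -eq $AttributeGuid)
                Inherited         = $rule.IsInherited
            }
        }
    }
}

$spnGuid = Get-SchemaAttributeGuid -LdapDisplayName 'servicePrincipalName'
Get-AttributeWriters -DistinguishedName 'CN=User,OU=My User Org,DC=domain,DC=net' -AttributeGuid $spnGuid |
    Format-Table -AutoSize
```

Run the audit before and after Set-SpnPermission: the new ACE should appear with ScopedToAttribute set to True and only the identity you passed, and anything else listed with Allow and ScopedToAttribute False is an object-wide write grant worth a second look.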