I have a script that allows people to create a new user from scratch or copying another user but for some reason it is not copying AD group memberships. Any help would be greatly appreciated.
I am getting the user information with this command which is working fine.
$userToCopy = Get-ADUser -identity $copyUsername -Properties Department, title, Company, MemberOf
Then I am asking questions to get updated info for the new user then creating the new use with this command and everything works but the group memberships do not copy over which I was expecting that using the $userToCopy as the -Instance would do.
New-ADUser -SamAccountName "$username" -Name "$fname $lname" -DisplayName "$fname $lname" -Surname "$lname" -GivenName "$fname" -userprincipalname "$fname.$lname#$domain" `
-AccountPassword $secPassword -ChangePasswordAtLogon $True -Office "$empID" -MobilePhone "$mobilePhone" -OfficePhone "$officePhone" -Title "$jobTitle" -department "$department" `
-ProfilePath "" -Path "$OUDN" -Instance $userToCopy -Credential $UserCredential -Server "BOM.chris.domain" -Enabled $True -Company "Chris"
This issue makes sense and then again it doesn't. Since ADUC supports copying groups from another account, it would seem like the same feature would be available with New-ADUser -Instance. However, New-ADUser does not seem to support updating group membership with any of its parameters. I can only guess, but I imagine this is because MemberOf is a calculated property rather than a direct attribute defined by the schema. You could do the following though with one line of code after creating the user.
Add-ADPrincipalGroupMembership -Identity $username -MemberOf $UserToCopy.MemberOf -Server "BOM.chris.domain"
The code above without -Identity $username could be piped into after the New-ADUser command provided you add the -Passthru switch to New-ADUser.
Related
I'm new to PowerShell and am still learning the ropes. I want to create a script for work that I can force a change at the next logon for many users.
I have this:
Set-ADAccountPassword -Identity -ChangePasswordAtLogon:$True -path 'C:\users\mohahigg\desktop\userpassword.txt' (ConvertTo-SecureString 'password2022' -AsPlainText -Force)
I know it's not the best, but what went wrong (in detail), and how can I fix it?
First, you need to extract the username from the text file. You've chosen an odd way of doing it. If it's just one user, you could simply write the name in the command instead of in a file. However, we will get the username and set it in the $user variable:
$user = Get-Content 'C:\users\mohahigg\desktop\userpassword.txt'
Next, we will reset the user's password.
-Path is not a valid parameter for the Set-ADAccountPassword command
-ChangePasswordAtLogon is also not a valid parameter
See all parameters in the official documentation: Set-ADAccountPassword
Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString 'password2022' -AsPlainText -Force) -Reset
Lastly, we will force the password change at the next logon, which is done in another command, Set-ADUser. See the official documentation for this: Set-ADUser.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Putting it all together:
$user = Get-Content 'C:\users\mohahigg\desktop\userpassword.txt'
Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString 'password2022' -AsPlainText -Force) -Reset
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
I am using the following powershell code for creating new mailboxes in my organization.
$users = Import-CSV C:\mailboxes.csv
$users| foreach {
$Password = convertto-securestring $_.password -asplaintext -force
new-mailbox -name $_.name -alias $_.alias -FirstName $_.Firstname -LastName $_.Lastname -userPrincipalName $_.userPrincipalName -PrimarySmtpAddress $_.PrimarySmtpAddress -Database $_.database -RetentionPolicy "b3a83dc4-e471-4d05-b357-25535aa027af" -OrganizationalUnit $_.OrganizationalUnit -Password $Password –ResetPasswordOnNextLogon:$false
}
Is there a way to insert a static text/value to this "zip code" and "po box" boxes, on the new active directory user, created along with this mailboxes?
for example , zip code should contain: "0101010101" and P.O Box should contain "000"
Your assistance is most appreciated
One option is to use Set-ADUser from the ActiveDirectory module. At the beginning of your script (before any loops), you can run the following if you have the module available to your current session.
Import-Module ActiveDirectory
After your New-Mailbox command, you can add the Set-ADUser command:
Set-ADUser -Filter "UserPrincipalName -eq '$($_.userprincipalname)'" -PostalCode "01010101" -POBox "000"
Sometimes AD replication can cause inconsistencies with multiple commands against AD objects. To get around that, you would typically use the -Server parameter to consistently target a domain controller that will see all of your read and write operations. The alternative (a slower one) is to run the AD user modifications after all of the mailboxes have been created and data has replicated to the AD Site you would be targeting.
AdminOfThings - Thanks for your reply.
So tell me,
Considering your last comment about the AD User modification conflict that i might occur,
i`m thinking some sort of "time delay" code might resolve such issues.
would it be logical to add something like "Start-Sleep" command to add a delay between
the "new-mailbox" and "Set-ADUser" commands as you suggested?
if so can you...write down how my script should like exactly, adding all things together please?
Thanks.
I'm making PS script which is going to make users from arrays. Everything works fine with this on:
New-ADUser `
-Name $naam `
-SamAccountName $naam -UserPrincipalName $usprinc `
-AccountPassword $password `
-HomeDrive X: `
-HomeDirectory $eigenmap `
-Path "$lastou, OU=USERS_ABC, OU= BEDRIJF ABC, DC= kurzynowski, DC= local" `
-PassThru | Enable-ADAccount
When I'm making users this way, their home dirs aren't created. I've checked AD users and computers for each user properties. Each user has correct path and drive letter in their home dir. But i get no dirs for those users in my share. Anybody has idea y?
Using powershell 2.0, I have a simple script to create a New-ADUser. The user must change their password on next logon and the account must be disabled. This works until I create the account in disabled mode.
According to the documentation, ensuring PasswordNeverExpires is $false will allow for change password at logon, but that didn't help. Would anyone know why ChangePasswordAtLogon isn't applying if enabled is set to false?
Code (I have included the other settings I am using in case they matter):
New-ADUser -Name "NewPerson" `
-Path "DC=WhereEver" `
-AccountPassword $SecureStringHere `
-PasswordNeverExpires $False `
-ChangePasswordAtLogon $True `
-enabled $False `
-UserPrinciplaName "NewPerson" `
-DisplayName "NewPerson" `
-Description "NewPerson" `
-ProfilePath "path" `
-ScriptPath "path"
If you don't know how to fix this any ideas on what could be going wrong are appreciated, thank you!
Apparently it's the password that causes the effect, although I can't explain why. The documentation doesn't say anything about this AFAICS. Remove -ChangePasswordAtLogon $True from the New-ADUser statement and set the option afterwards via
Set-ADUser -Identity 'NewPerson' -ChangePasswordAtLogon $true
and the account should be created the way you expect.
I am trying to import users into AD using a CSV file, PowerShell, and Quest's AD CmdLets. When the users are added the UserPrincipleName is not added.
Here is a sample CSV:
FirstName,LastName,DisplayName,SamAccount,UserPrincipleName,Email
FirstA,LastA,"First Last",FLastAL.ou1,FLastAL.ou1#clients.domain.local,FLastA#outemail.com
First2A,Last2A,"First2 Last",FLast2AL.ou1,FLast2AL.ou1#clients.domain.local,FLast2A#outemail.com
Here is the PowerShell snippit:
$Users = Import-Csv $UserFile
foreach ($User in $Users)
{
New-QADUser -FirstName $User.FirstName -LastName $User.LastName -DisplayName $User.DisplayName -SamAccountName $User.SamAccount -Name $User.SamAccount -UserPrincipalName $User.UserPrincipalName -ParentContainer "OU=$OUName,OU=Customers,DC=clients,DC=domain,DC=local"
}
Also, is this maybe a better question for ServerFault now that it is live? I feel it is definitely in a gray area.
FWIW, I checked with the latest QAD release (v1.2) and it works.
I think the problem was the fact that we are using Exchange 2007 which does not use RUS. When I used the Exchange 2007 CmdLets to do the same thing everything is working correctly.