I am just learning about PowerShell. I want to try and update data in AD, but my AD server and PowerShell are on different servers.
For example, my AD server is 111.111.111.111 and my PowerShell.exe is on server 222.222.222.222. I am using ColdFusion programming to execute my PowerShell script.
Here is my ColdFusion script:
<cfoutput>
<cfexecute name="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
arguments="C:\Users\Public\Documents\ADtest.ps1" />
</cfoutput>
Here is my PowerShell script ADtest.ps1:
$userID = "11111"
$password = "p#ssw0rd"
$ADuser = Get-ADUser $userID
If($ADuser)
{
Enable-ADAccount -Identity $userID
Set-adaccountpassword $userID -reset -newpassword (ConvertTo-SecureString -AsPlainText $password -Force)
Set-aduser $userID -changepasswordatlogon $true
}
Is it possible to execute a PowerShell script to update AD (Active Directory) data on a different server?
Most PowerShell AD commands use the parameter -Server for specifying the target DC:
Get-ADUser -Identity $Username -Server $DC
Having said that, PowerShell usually does not switch DCs during the execution of the script.
Hope that helps -tom
I'm new to PowerShell and am still learning the ropes. I want to create a script for work that I can force a change at the next logon for many users.
I have this:
Set-ADAccountPassword -Identity -ChangePasswordAtLogon:$True -path 'C:\users\mohahigg\desktop\userpassword.txt' (ConvertTo-SecureString 'password2022' -AsPlainText -Force)
I know it's not the best, but what went wrong (in detail), and how can I fix it?
First, you need to extract the username from the text file. You've chosen an odd way of doing it. If it's just one user, you could simply write the name in the command instead of in a file. However, we will get the username and set it in the $user variable:
$user = Get-Content 'C:\users\mohahigg\desktop\userpassword.txt'
Next, we will reset the user's password.
-Path is not a valid parameter for the Set-ADAccountPassword command
-ChangePasswordAtLogon is also not a valid parameter
See all parameters in the official documentation: Set-ADAccountPassword
Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString 'password2022' -AsPlainText -Force) -Reset
Lastly, we will force the password change at the next logon, which is done in another command, Set-ADUser. See the official documentation for this: Set-ADUser.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Putting it all together:
$user = Get-Content 'C:\users\mohahigg\desktop\userpassword.txt'
Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString 'password2022' -AsPlainText -Force) -Reset
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
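As an added example (not code from either of the posts above), this combines the -Server advice from the first answer with the reset steps from the second: every read and write goes to one named domain controller, and each user in the file gets their own random temporary password instead of a shared literal. The DC name dc01.example.test, the file users.txt and the function names are assumptions.

```powershell
# Added example (not from the original posts). Placeholders: dc01.example.test, users.txt.
Import-Module ActiveDirectory

function New-TempPassword {
    param([int]$Length = 16)
    # 64-character alphabet, so "byte % 64" introduces no modulo bias
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789#%'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        $pw
    } finally { $rng.Dispose() }
}

function Reset-UserList {
    param(
        [Parameter(Mandatory)][string]$Path,     # one sAMAccountName per line
        [Parameter(Mandatory)][string]$Server,   # DC that receives every read and write
        [pscredential]$Credential                # optional account with reset rights
    )
    $ad = @{ Server = $Server; ErrorAction = 'Stop' }
    if ($Credential) { $ad.Credential = $Credential }

    foreach ($name in (Get-Content -Path $Path | Where-Object { $_.Trim() })) {
        $name = $name.Trim()
        try {
            $user   = Get-ADUser -Identity $name @ad
            $plain  = New-TempPassword
            $secure = ConvertTo-SecureString $plain -AsPlainText -Force
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure @ad
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true @ad
            # The temporary password is returned in clear text: hand it over, do not log it
            [pscustomobject]@{ User = $name; Status = 'Reset'; TempPassword = $plain }
        } catch {
            [pscustomobject]@{ User = $name; Status = "Failed: $($_.Exception.Message)"; TempPassword = $null }
        }
    }
}

# Reset-UserList -Path .\users.txt -Server dc01.example.test -Credential (Get-Credential)
```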
How to assign a custom app setup policy to users in a group using PowerShell?
Assigning a custom app setup policy to users in a group
Install-Module -Name AzureAD
# Skype for Business Online, Windows PowerShell Module can be downloaded and installed
Import-Module SkypeOnlineConnector
# Prompt once and reuse the same credential for both services
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession
Connect-AzureAD -Credential $userCredential
$group = Get-AzureADGroup -SearchString "TeamsApp"
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}
$members | ForEach-Object { Grant-CsTeamsAppSetupPolicy -PolicyName "Teams App Policy Test" -Identity $_.UserPrincipalName}
Installation file for Skype for Business Online, Windows PowerShell Module https://www.microsoft.com/en-us/download/details.aspx?id=39366
Reference
https://learn.microsoft.com/en-us/microsoftteams/teams-app-setup-policies
https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-overview
https://learn.microsoft.com/en-us/office365/enterprise/powershell/connect-to-all-office-365-services-in-a-single-windows-powershell-window
https://learn.microsoft.com/en-us/skypeforbusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell
https://learn.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell
I have a script that allows people to create a new user from scratch or copying another user but for some reason it is not copying AD group memberships. Any help would be greatly appreciated.
I am getting the user information with this command which is working fine.
$userToCopy = Get-ADUser -identity $copyUsername -Properties Department, title, Company, MemberOf
Then I am asking questions to get updated info for the new user, then creating the new user with this command, and everything works but the group memberships do not copy over, which I was expecting that using the $userToCopy as the -Instance would do.
New-ADUser -SamAccountName "$username" -Name "$fname $lname" -DisplayName "$fname $lname" -Surname "$lname" -GivenName "$fname" -userprincipalname "$fname.$lname@$domain" `
-AccountPassword $secPassword -ChangePasswordAtLogon $True -Office "$empID" -MobilePhone "$mobilePhone" -OfficePhone "$officePhone" -Title "$jobTitle" -department "$department" `
-ProfilePath "" -Path "$OUDN" -Instance $userToCopy -Credential $UserCredential -Server "BOM.chris.domain" -Enabled $True -Company "Chris"
This issue makes sense and then again it doesn't. Since ADUC supports copying groups from another account, it would seem like the same feature would be available with New-ADUser -Instance. However, New-ADUser does not seem to support updating group membership with any of its parameters. I can only guess, but I imagine this is because MemberOf is a calculated property rather than a direct attribute defined by the schema. You could do the following though with one line of code after creating the user.
Add-ADPrincipalGroupMembership -Identity $username -MemberOf $UserToCopy.MemberOf -Server "BOM.chris.domain"
The code above without -Identity $username could be piped into after the New-ADUser command provided you add the -Passthru switch to New-ADUser.
I am using the following PowerShell code for creating new mailboxes in my organization.
$users = Import-CSV C:\mailboxes.csv
$users| foreach {
$Password = convertto-securestring $_.password -asplaintext -force
new-mailbox -name $_.name -alias $_.alias -FirstName $_.Firstname -LastName $_.Lastname -userPrincipalName $_.userPrincipalName -PrimarySmtpAddress $_.PrimarySmtpAddress -Database $_.database -RetentionPolicy "b3a83dc4-e471-4d05-b357-25535aa027af" -OrganizationalUnit $_.OrganizationalUnit -Password $Password -ResetPasswordOnNextLogon:$false
}
Is there a way to insert a static text/value into the "zip code" and "po box" boxes on the new Active Directory user created along with these mailboxes?
For example, zip code should contain "0101010101" and P.O. Box should contain "000".
Your assistance is most appreciated.
One option is to use Set-ADUser from the ActiveDirectory module. At the beginning of your script (before any loops), you can run the following if you have the module available to your current session.
Import-Module ActiveDirectory
After your New-Mailbox command, you can add the Set-ADUser command:
Get-ADUser -Filter "UserPrincipalName -eq '$($_.userprincipalname)'" | Set-ADUser -PostalCode "01010101" -POBox "000"
Sometimes AD replication can cause inconsistencies with multiple commands against AD objects. To get around that, you would typically use the -Server parameter to consistently target a domain controller that will see all of your read and write operations. The alternative (a slower one) is to run the AD user modifications after all of the mailboxes have been created and data has replicated to the AD Site you would be targeting.
AdminOfThings - Thanks for your reply.
So tell me,
considering your last comment about the AD user modification conflict that might occur,
I'm thinking some sort of "time delay" code might resolve such issues.
Would it be logical to add something like a "Start-Sleep" command to add a delay between
the "new-mailbox" and "Set-ADUser" commands as you suggested?
If so, can you write down how my script should look exactly, adding all things together, please?
Thanks.
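As an added example (not code from the posters), this is one way to put the pieces together without a delay: the mailbox is created on a named domain controller with New-Mailbox -DomainController (on-premises Exchange), and the follow-up Set-ADUser is sent to the same DC with -Server, so the second command sees the new account without waiting for replication. The DC name dc01.example.test is an assumption; the CSV columns and retention policy ID are those from the question.

```powershell
# Added example (not from the original posts). $dc is a placeholder DC name.
Import-Module ActiveDirectory
$dc = 'dc01.example.test'   # assumption: a DC both Exchange and this host can reach

Import-Csv C:\mailboxes.csv | ForEach-Object {
    $row = $_
    $password = ConvertTo-SecureString $row.password -AsPlainText -Force
    $newMailbox = @{
        Name                     = $row.name
        Alias                    = $row.alias
        FirstName                = $row.Firstname
        LastName                 = $row.Lastname
        UserPrincipalName        = $row.userPrincipalName
        PrimarySmtpAddress       = $row.PrimarySmtpAddress
        Database                 = $row.database
        RetentionPolicy          = 'b3a83dc4-e471-4d05-b357-25535aa027af'
        OrganizationalUnit       = $row.OrganizationalUnit
        Password                 = $password
        ResetPasswordOnNextLogon = $false
        DomainController         = $dc      # create the account on the pinned DC
        ErrorAction              = 'Stop'
    }
    try {
        $mailbox = New-Mailbox @newMailbox
        # Same DC for the follow-up write, addressed by DN rather than a filter string
        Set-ADUser -Identity $mailbox.DistinguishedName -Server $dc `
                   -PostalCode '0101010101' -POBox '000' -ErrorAction Stop
        Write-Output "Created and updated $($row.userPrincipalName)"
    } catch {
        Write-Warning "Failed for $($row.userPrincipalName): $($_.Exception.Message)"
    }
}
```

The CSV holds clear-text passwords, so restrict who can read it and delete it once the run is finished.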
Using Set-ADAccountPassword normally you don't get any output. The get-help of Set-ADAccountPassword says there is a -PassThru parameter to "Return the new or modified object" however I can't get any output at all.
Set-ADAccountPassword -Identity <username> -Reset -NewPassword -PassThru (ConvertTo-SecureString -AsPlainText "TempP#$$W0rd" -Force)
The command works, but there is no output. I'd like to get it working singularly first, and then eventually use Get-ADUser to pipe an OU of users to Set-ADAccountPassword and display the list of objects that were modified. I just can't understand why -PassThru appears to do nothing.
Thank you
Place -PassThru at the end of the command and watch out for those quotes around TempP#$$W0rd. The double quotes allow for variable expansion in the string. $$ is an automatic variable representing the last token in the last line PowerShell received. This may make your password something completely different than what you think it is.
Example
PS:>Get-ChildItem C:\
PS:>"TempP#$$W0rd"
TempP#C:\W0rd
Single quote it instead. I'm not at a computer with the AD module on it but this should work.
Set-ADAccountPassword -Identity <username> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'TempP#$$W0rd' -Force) -PassThru
Here's a good article that explains -PassThru
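As an added example (not part of the answer above), the quoting mistake can be caught before a script runs: this check parses script text with the PowerShell language parser and reports every double-quoted, expandable string passed to ConvertTo-SecureString, along with the variables it would expand. The function name Find-ExpandedSecret and the two sample lines are constructed for illustration.

```powershell
# Added example (not from the original posts). Flags password literals that
# PowerShell would expand before they reach ConvertTo-SecureString.
function Find-ExpandedSecret {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every ConvertTo-SecureString call anywhere in the script, nested or not
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -eq 'ConvertTo-SecureString'
    }, $true)

    foreach ($call in $calls) {
        # Double-quoted arguments containing a variable or subexpression
        $call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.ExpandableStringExpressionAst] } |
            ForEach-Object {
                [pscustomobject]@{
                    Line    = $_.Extent.StartLineNumber
                    Text    = $_.Extent.Text
                    Expands = ($_.NestedExpressions | ForEach-Object { $_.Extent.Text }) -join ', '
                }
            }
    }
}

# Constructed sample: the double-quoted and single-quoted forms from this thread
$sample = @'
Set-ADAccountPassword -Identity user1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempP#$$W0rd" -Force)
Set-ADAccountPassword -Identity user1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'TempP#$$W0rd' -Force)
'@

Find-ExpandedSecret -ScriptText $sample | Format-Table -AutoSize
```

Only the double-quoted form is reported; the single-quoted one parses as a plain string constant and is passed through unchanged.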
I've been battling this all morning and can't seem to get any output from -PassThru either. I'd be interested to see what the difference is between those it works for and those it doesn't. I'm running this with PS4.0 on a Windows Server 2008 R2 Domain.
Set-ADAccountPassword -Identity $UserDN -Credential $AdminCred -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $Pass -Force) -PassThru
I ended up re-imaging my machine from Win7 which then had ps v3 and later v4 installed on it, to Win8 which obviously comes with ps v4. Ran the same script and it worked.
Perhaps somewhere along the upgrade path something broke.