When I run First part it works fine, however, the Second option (which I want to use) does not work and is giving me an error:
Error getting objects: The server has returned the following error:
invalid enumeration context
I Tried following this article.
I tried result page size with different values but it does not work either. I checked the second Cmdlet with Measure-Command and it is taking 17 minutes to fetch AD objects and time out time is mentioned in the ADWS server is 30 minutes.
Could you please help me to understand what is wrong? We do not want to user the first option; we want to import all account irrespective date and time.
I want to remove date filter which I am using in the first option and wanted to to get ad object in a script without mentioning days and should fetch all records old and the new one. Please help experts here :)
First
$from = ((Get-Date).AddDays(-100)).date
$to = ((Get-Date).AddDays(0)).date
$A = #(Get-ADUser -Filter { whenCreated -ge $from -and whenCreated -le $to } -Properties * -Server $DomainController)
Second
$A = #(Get-ADUser -Filter '*' -Properties * -Server $DomainController)
Related
I have a script that queries AD and processes the result:
$users=Get-ADUser -filter {...} -Properties ...
try {
foreach($user in $users) {
$obj=new-object PSObject #property {...}
[void]($arraylist.add($obj))
}
}
catch {...}
the Get-ADUser takes about 1.5sec and returns 1000+ rows, and the whole try block takes about 0.5sec.
the #Properties {...} part only processes $user fields and has no further interaction with the AD or any other resource. the try block runs without error.
if now I change the first line to
$users=Get-ADUser -filter {...} -Properties ... -Server <someDC>
just adding a -Server parameter, the Get-ADUsercommand takes about 3sec and the try block 20+sec
I tried many times to be sure that the remote connection is well established without any improvement. I tried with each of the available DCs and got the very same execution time each time. If I remove the -Server parameter, I get the original execution time back.
the problem has similarities with the one described in this post but the my problem is with the code executed after the Get-ADUser, not with the Get-ADUser by itself.
what is very disturbing is that it's the code after which get slower.
do you have any clue?
DC: Win2008R2
Client: Win7, Powershell5.1, AD Management Tools locally installed.
I'm currently trying to sync additional attributes from the AD (Active Directory) for user objects in SCSM (System Center Service Manager) using a PowerShell script.
The extension I wrote for this, includes an attribute for the expiration date of a AD user account (DateTime value, named DateTimeAttribute in the example) if the user account doesn't expire it should be empty/null.
Using Import-SCSMInstance, which should be similar to a CSV import, it kind of works by passing "null" for the field. The problem is that Import-SCSMInstance seems to be quite unreliable and it doesn't offer any kind of information of why it works or doesn't work. Using Update-SCSMClassInstance seems to work a lot better but I can't figure out a way to clear the field using this and even using [DateTime]::MinValue will result in an error, stating that it's an invalid value.
So would anyone have an idea on how to clear the value using Update-SCSMClassInstance or figure out why Import-SCSMInstance might or might not work?
A simple example for this could look like the following:
$server = "<ServerName>"
$extensionGuid = "<GUID>"
Import-Module 'C:\Program Files\System Center 2012 R2\Service Manager\Powershell\System.Center.Service.Manager.psd1'
New-SCManagementGroupConnection -ComputerName $server
$extensionClass = Get-SCSMClass -Id $extensionGuid
$scsmUserObject = Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"'
# Error
$scsmUserObject.DateTimeAttribute = ""
# Works but fails on Update-SCSMClassInstance
$scsmUserObject.DateTimeAttribute = $null
$scsmUserObject.DateTimeAttribute = [DateTime]::MinValue
# Works
$scsmUserObject.DateTimeAttribute = "01-01-1970"
Update-SCSMClassInstance -Instance $scsmUserObject
It seems that you can't clear a date once it's filled. When you write $null, it sets the date to 1-1-0001 01:00:00, which is an invalid date causing the update-scsmclassinstance to fail.
What we have set as a user's AD property when we don't want something to expire, is 2999-12-31 (yyyy-MM-dd). Perhaps this could help, although it's not directly what you asked for...
Also, you can use the pipeline to update a property in SCSM:
Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"' | % {$_.DateTimeAttribute = <date>; $_} | update-scsmclassinstance
It doesn't look like it's currently possible to clear custom date attributes using the PowerShell cmdlets.
We've been using Powershell to bulk update our AD for several years with data from a CSV file. The code is pretty straight forward:
$Empinfo = Import-CSV AFile.csv
$EmpAD = Get-Aduser someone
$EmpAD.Title = $EmpInfo.Title
$EmpAD.streetAddress = $Empifo.street
$EmpAD.PostalCode = $Empifo.zip
<snip>
Set-ADUser -Instance $EmpAD
Recently, the street and zip info have been blanked for some people due to organizational weirdness. When we run the same script and try to set, say streetAdress to nothing, Set-ADuser throws a "replace" error.
(Note that I tried setting streetaddress to a single space and it still failed.)
After much trial and error, today I was able to make it work by testing for blankness and using the following:
if (Empinfo.street -eq $null) {
Set-ADUser $EmpAD -Clear streetaddress,postalCode
} else {
$EmpAD.streetAddress = $Locations[$site].street
$EmpAD.PostalCode = $Locations[$site].zip
}
In other words, we have to issue a specific -Clear action to accomplish this.
Is this how we should expect this to work? I cannot see anything in the -Instance parameter docs that says you cannot empty an attribute in the manner we were trying.
Yes , you have to use -Clear like how you have already done in the sample code in order to accomplish this. Thats the correct way to do that.
Empty field is actually holding the attribute value as Null.
So clearing that is important.
I am trying to get a script running but I keep running across the same issue, I have domains A, B, and C all in the same forest; but when I try to do simple commands such as
Disable-ADAccount -Identity $User
I am not able to get it to complete because it can't find the user in Domain B, which the user is in Domain A.
So the question, is there a way to get a script to check all domains (A, B, C) for "User1" and preform the disable action on them. (Other than setting the Switch)
-server
I ran into this issue recently, and ended up writing a function to get a user's ADUser object. You could use that object to disable the user easily enough.
Function Get-DomainUser{
Param([String]$Alias)
BEGIN{$GCs = Get-ADForest|select -expand GlobalCatalogs|?{($_ -match "^(.*?)\.(.+?)$")}|%{[pscustomobject]#{'Server' = $matches[1];'Region' = $matches[2];'FQDN' = $_}}|group region|%{$_.group|select -first 1}
}
PROCESS{
$DomUser = Get-ADUser -Filter {samAccountName -eq $Alias} -Prop DisplayName
If(([string]::IsNullOrEmpty($DomUser.Name))){
ForEach($GC in $GCs){
$DomUser = Get-ADUser -Filter {samAccountName -eq $Alias} -Server $GC.FQDN -Prop DisplayName
If(!([string]::IsNullOrEmpty($DomUser.Name))){Break}
}
}
$DomUser
}
}
This gets a list of global catalog servers, groups them by sites, then gets only 1 server per site. Then it tries to get the user, and if it fails for the current user then it tries each site until it finds the user.
I am working on implementing some user creation in active directory using the built in powershell commandlets, recently I came across this issue. When attempting to read in a data file of users where $_.UID is one of the fields in the file, I do a Get-ADUser with the UID to check if the user already exists in ldap. If I get a null object, then I would like to create the user because this id is not already in ldap otherwise I would like to skip the entry in the datafile. My script as is creates the users the first time through. If I run it a second time on the same data file (users should no longer be null for the UID field) the if condition is still true and the script attempts to create users a second time. I am new to powershell scripting so I must be misunderstanding something. What am I doing wrong? Your help is appreciated!
Function createUsers{
Import-CSV "~\Desktop\inData.csv" | ForEach-Object {
$USER = Get-ADUser -LDAPFilter "(uid=$_.UID)"
if($USER -eq $Null){ #BROKEN DOESN'T DO ANYTHING
#(!$USER) Doesn't work either
Write-Host "Making next user."
.
.
.
}else{
Write-Host "Skipping, user exists!!"
}
}
}
I think that your problem is in your Get-ADUser Query. There is no property called "uid" in Active Directory. This will make $USER always null, and cause it to always want to create a new user.
Try using sAMAccountName instead:
$User = Get-ADUser -LDAPFilter "(sAMAccountName=$_.UID)"
To get a full list of all the properties available to you, I like to execute the following:
Get-ADUser MyUserName -Properties *