PowerShell: Add 1 day to the accountExpires attribute of an AD user

As the topic states: how can I add 1 extra day to the selected user account?
I know AD goes by Windows File Time. Does anyone know the easiest method with the least code written?

You can modify the accountExpires property of an AD user through the Set-ADUser cmdlet included in Windows Server 2008 R2:
Import-Module ActiveDirectory
# accountExpires is a 64-bit Windows file time (100-ns ticks since 1601-01-01 UTC)
$expireDate = (Get-ADUser -Identity "John Appleseed" -Properties accountExpires).accountExpires
# Convert to a DateTime so the arithmetic is readable. FromFileTime throws on the
# "never expires" sentinel 0x7FFFFFFFFFFFFFFF, and 0 also means "never expires".
$renewedExpireDate = ([System.DateTime]::FromFileTime($expireDate)).AddDays(1)
Set-ADUser -Identity "John Appleseed" -AccountExpirationDate $renewedExpireDate
As you said, the value of the accountExpires property is represented as a Windows file time, which is a 64-bit integer. In this example we convert it to a DateTime to easily modify it and then pass it to the -AccountExpirationDate parameter to update the user.

Using Quest AD module:
Set-qaduser <username> -AccountExpires ( [datetime]( get-qaduser <username> -IncludeAllProperties ).AccountExpires ).AddDays(1)

This can also be accomplished in a multi domain environment by adding the -server switch and passing in the domain string (i.e. "domain.corp.root"). I also had to move the .accountExpires as it was in the wrong place in this code sample. Thanks for providing this, it was exactly what I needed.
Import-Module ActiveDirectory
$expireDate = (Get-ADUser -Identity "samaccountname" -Properties accountExpires -server "domain.corp.root")
$renewedExpireDate = ([System.DateTime]::FromFileTime($expireDate.accountExpires)).AddDays(1)
Set-ADUser -Identity "samaccountname" -AccountExpirationDate $renewedExpireDate -server "domain.corp.root"
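The two Set-ADUser answers above convert accountExpires through a DateTime and, in the multi-domain variant, pass -Server. What neither shows is what happens when the attribute is not a real date: AD stores 0 or 0x7FFFFFFFFFFFFFFF for "never expires", and [DateTime]::FromFileTime throws on the latter. The following is an added example (not from the original answers) that folds both answers into one function, guards the sentinels, keeps the arithmetic in UTC so a DST crossing cannot shift the result by an hour, and supports -WhatIf. It assumes the ActiveDirectory module and a reachable domain; the identity and server name in the usage line are made up.

```powershell
function Add-AccountExpiryDays {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Identity,   # sAMAccountName, DN, SID or GUID
        [int]$Days = 1,
        [string]$Server                              # optional DC or domain, as in the multi-domain answer
    )
    Import-Module ActiveDirectory

    # Splat -Server only when the caller supplied one, so there is a single code path.
    $ad = @{}
    if ($Server) { $ad['Server'] = $Server }

    $user = Get-ADUser -Identity $Identity -Properties accountExpires @ad
    $raw  = [int64]$user.accountExpires

    # accountExpires is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
    # 0 and [int64]::MaxValue both mean "never expires"; FromFileTime throws on the second.
    if ($raw -eq 0 -or $raw -eq [int64]::MaxValue) {
        Write-Warning "$Identity has no expiry set (accountExpires=$raw); nothing to extend."
        return $null
    }

    # Work in UTC: FromFileTime (local) plus AddDays can land an hour off across a DST change.
    $current = [datetime]::FromFileTimeUtc($raw)
    $new     = $current.AddDays($Days)

    $msg = "extend expiry $($current.ToString('u')) -> $($new.ToString('u'))"
    if ($PSCmdlet.ShouldProcess($Identity, $msg)) {
        # Set-ADUser converts the DateTime back to a FILETIME; a Kind=Utc value is converted correctly.
        Set-ADUser -Identity $Identity -AccountExpirationDate $new @ad
    }
    return $new
}

# Usage (constructed identity and server): preview first, then run without -WhatIf.
# Add-AccountExpiryDays -Identity 'jappleseed' -Days 1 -Server 'domain.corp.root' -WhatIf
```

Returning $null for the sentinel case rather than throwing lets a bulk caller skip "never expires" accounts instead of aborting the whole run.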

Related

Bulk Disable PowerShell Script Not Executing

I am kinda new to powershell and started a role in support. Working on a powershell script that will do the following things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
I think I can probably change the "$TargetOU = OUPath" because the disabled users OU is never really going to change... if that's the issue then I'll feel like a dummy lol.
I am trying and failing to complete this! I don't know what is going wrong. PowerShell isn't faulting out or anything, it is just not executing.
Thank you for any help!
My code is here:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers"
Import-Csv "C:\temp\DisableTest.csv" | ForEach-Object {
$samAccountName = $_."samAccountName"
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
Get-ADUser -Identity $samAccountName | Disable-ADAccount
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}
Need it to do four things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
You have several issues:
$TargetOU = "OU=DisabledUsers"
This should be the full distinguished name, so something like OU=DisabledUsers,DC=example,DC=com
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
The syntax here is messed up. You want to pipe (|) the results from Get-AdPrincipalGroupMembership into Where-Object, but you have braces ({). The closing brace at the end of the line is thus unnecessary. The Where-Object cmdlet also lets you simplify the syntax to something more readable, like Where Name -ne 'Domain Users'.
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
This should be Set-ADUser, which explains why this isn't changing anything.
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
You haven't defined $UserDN, so it's not going to find the user. And as already mentioned, the target path should be the full distinguished name.
You're also looking up the account several times. Every time you pass just the username, it has to search for the account. As you have it, it would be searching for the account 5 times. You can avoid that (and speed things up) by calling Get-ADUser once and passing the result into each of the other commands.
And just for simplicity, you can omit -Identity since the first parameter is assumed to be the identity.
Putting everything together, it would look something like this:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers,DC=example,DC=com" #Change this to the real value
Import-Csv "C:\temp\DisableTest.csv" | ForEach-Object {
    # One lookup per row; the ADUser object is then passed to every other cmdlet
    $user = Get-ADUser $_."samAccountName"
    # -Confirm:$false suppresses the per-group prompt Remove-ADGroupMember raises by default
    Get-AdPrincipalGroupMembership $user | Where Name -ne 'Domain Users' | Remove-AdGroupMember -Members $user -Confirm:$false
    Disable-ADAccount $user
    Set-ADUser $user -Description "Disabled Per Request XXXX"
    # Move last: the DN changes after the move
    Move-ADObject $user -TargetPath $TargetOU
}
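The corrected script above does the four steps, but an offboarding run that strips group membership is hard to undo if a wrong sAMAccountName slips into the CSV. The following is an added example (not the answer's code) of the same procedure with the safeguards a practitioner would want: the target OU is validated once up front, each account's group list and old DN are written to a log before anything is removed, a bad row is skipped instead of aborting the run, and -WhatIf previews the whole batch. It reads MemberOf directly, which omits the primary group (Domain Users), so no Where filter is needed. The CSV path, OU and log path are assumptions.

```powershell
function Disable-UserFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$CsvPath,       # CSV with a samAccountName column
        [Parameter(Mandatory)] [string]$TargetOU,      # full DN of the disabled-users OU
        [string]$Description = 'Disabled Per Request',
        [string]$LogPath = "$env:TEMP\disable-log.csv"   # assumed location for the rollback log
    )
    Import-Module ActiveDirectory

    # Fail once, early, on a mistyped OU rather than once per row.
    try { $null = Get-ADOrganizationalUnit -Identity $TargetOU }
    catch { throw "Target OU not found: $TargetOU" }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.samAccountName
        try {
            # Single lookup. MemberOf holds the DNs of the groups the user is a member of,
            # excluding the primary group (Domain Users), so nothing needs to be filtered out.
            $user = Get-ADUser -Identity $sam -Properties MemberOf
        } catch {
            Write-Warning "Skipping '$sam': $($_.Exception.Message)"
            continue
        }
        $groups = @($user.MemberOf)

        # Record what is about to be removed so the change can be reversed.
        [pscustomobject]@{
            Time   = (Get-Date).ToString('o')
            Sam    = $sam
            OldDN  = $user.DistinguishedName
            Groups = ($groups -join ';')
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation

        $action = "disable, remove $($groups.Count) group(s), move to $TargetOU"
        if (-not $PSCmdlet.ShouldProcess($sam, $action)) { continue }

        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $Description
        # Move last: the object's DN changes, and the earlier calls used the old object.
        Move-ADObject -Identity $user -TargetPath $TargetOU
    }
}

# Usage (paths and OU are constructed): preview the batch, then run it for real.
# Disable-UserFromCsv -CsvPath 'C:\temp\DisableTest.csv' -TargetOU 'OU=DisabledUsers,DC=example,DC=com' -WhatIf
```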

Using a global catalog in PowerShell

I have multiple domains in my forest, and I'm trying to write a script that will work with any user in the forest, so I'm using a global catalog in my script.
This works to retrieve the data, but when I try and modify the data I'm getting
Set-ADUser : The server is unwilling to process the request
If I use the domain controller (DC) as the server name, the modification completes as it should. I'd like to avoid writing a switch to set the server name. Is there anything else I can do here?
Get-ADUser $user -Server "contoso.local:3268" | %{Set-ADUser -Identity $_.distinguishedname -SamAccountName $_.SamAccountName -Server "contoso.local:3268"}
I'm not really clear on what you're trying to do here. Global catalog ports are read only (for LDAP).
If you want to make sure you find a domain controller that is a global catalog, you can use the following:
Get-ADDomainController -Discover -Service GlobalCatalog
Based on your comment, maybe what you need is $PSDefaultParameterValues:
$PSDefaultParameterValues = @{
    "*-AD*:Server" = "contoso.local:3268"
}
Get-ADUser $user |
    %{ Set-ADUser -Identity $_.distinguishedname -SamAccountName $_.SamAccountName }
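As the answer says, port 3268 is read-only, so any write sent there fails with "unwilling to process the request". The practical pattern for "any user in the forest" is to search the global catalog, read the user's domain off the DC= components of the returned distinguished name, and let the locator hand back a writable DC for that domain; that removes the per-domain switch the question wants to avoid. The following is an added example, not the answer's code. It uses -LDAPFilter with RFC 4515 escaping so a sAMAccountName taken from user input cannot alter the query. The forest root name contoso.local is taken from the question; the function and parameter names are assumptions.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside filter values, so that
    # a value containing \ * ( or ) cannot change the shape of the query.
    param([Parameter(Mandatory)] [string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Set-ForestUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [hashtable]$Replace,     # attributes to write, as for Set-ADUser -Replace
        [string]$ForestRoot = 'contoso.local'          # forest root DNS name; from the question
    )
    Import-Module ActiveDirectory

    # 3268 = global catalog: every domain's objects, but read-only and a partial attribute set.
    $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $user = Get-ADUser -LDAPFilter $filter -Server "${ForestRoot}:3268"
    if (-not $user) { throw "No user '$SamAccountName' found in the global catalog" }

    # The DC= components of the DN name the domain that owns the object, e.g.
    # CN=x,OU=y,DC=child,DC=contoso,DC=local -> child.contoso.local
    $domain = (($user.DistinguishedName -split ',') |
               Where-Object { $_ -like 'DC=*' } |
               ForEach-Object { $_.Substring(3) }) -join '.'

    # Ask the DC locator for a writable DC in that domain instead of hardcoding one per domain.
    $dc     = Get-ADDomainController -Discover -DomainName $domain -Writable
    $server = $dc.HostName | Select-Object -First 1

    $what = "Replace $($Replace.Keys -join ', ')"
    if ($PSCmdlet.ShouldProcess("$SamAccountName in $domain via $server", $what)) {
        Set-ADUser -Identity $user.DistinguishedName -Replace $Replace -Server $server
    }
    return $server
}

# Usage (constructed values): find jdoe anywhere in the forest and set a description on a writable DC.
# Set-ForestUser -SamAccountName 'jdoe' -Replace @{ description = 'Updated via GC lookup' } -WhatIf
```

If you also want the read side to stay on the GC without typing -Server on every call, the $PSDefaultParameterValues trick from the answer works for Get-ADUser; just keep writes pointed at the DC the function resolves.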

Powershell - Force reset password for a specific OU in AD

I'm a beginner in PowerShell scripting and
I want to write a script or run a PowerShell command on the server to reset the passwords for an OU in my AD.
Ex.: All users in
OU "Test"
Domain: MyServer.MyDomain.com
Perhaps someone can help me.
Thanks in advance ;)
Try this:
Get-ADUser -Filter * -SearchBase "OU=Test,DC=myserver,DC=mydomain,DC=com" | % { Set-ADUser $_ -ChangePasswordAtLogon $true }
Though this will fail for accounts which have the password never expires attribute set
If you wish to change all accounts to have passwords that expire then run the following:
Get-ADUser -Filter * -SearchBase "OU=Test,DC=myserver,DC=mydomain,DC=com" | % { Set-ADUser $_ -PasswordNeverExpires $false }
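The two one-liners above hit every object under the OU, including disabled accounts, and the second one silently turns off "password never expires" for service accounts that may have it on purpose. The following is an added example (not the answer's code) that scopes the same operation: enabled users only, an explicit search scope, an exclusion list, the PasswordNeverExpires flag cleared first (the answer notes the must-change flag fails while it is set), accounts already flagged (pwdLastSet = 0) skipped, and -WhatIf support. The search base is the one from the answer; the exclusion names in the usage line are made up.

```powershell
function Set-OUPasswordMustChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$SearchBase,
        [ValidateSet('OneLevel', 'Subtree')] [string]$SearchScope = 'OneLevel',  # OneLevel = this OU only
        [string[]]$Exclude = @()    # sAMAccountNames to leave alone, e.g. service accounts
    )
    Import-Module ActiveDirectory

    # Enabled users only; a must-change flag on a disabled account achieves nothing.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope $SearchScope `
                        -Properties PasswordNeverExpires, pwdLastSet

    $changed = foreach ($u in $users) {
        if ($Exclude -contains $u.SamAccountName) { continue }
        # pwdLastSet = 0 already means "must change password at next logon".
        if ($u.pwdLastSet -eq 0) { continue }

        if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, 'force password change at next logon')) { continue }

        # Order matters: clear PasswordNeverExpires before setting the must-change flag.
        if ($u.PasswordNeverExpires) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        $u.SamAccountName     # emit the accounts actually changed
    }
    return @($changed)
}

# Usage (exclusions are constructed): preview, then apply.
# Set-OUPasswordMustChange -SearchBase 'OU=Test,DC=myserver,DC=mydomain,DC=com' -Exclude 'svc-backup','svc-scan' -WhatIf
```

Returning the list of changed accounts gives you something to put in the change ticket, which the fire-and-forget one-liners do not.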

Adding and removing extensionattribute to AD object

I'm using powershell to modify some AD extensionattribute.
This is my code to add an extensionattribute
Set-ADUser -Identity "anyUser" -Add @{extensionAttribute4="myString"}
It works, but how can I remove the same extensionattribute? I can't find anything similar to -remove.
You could try using the -Clear parameter
Example: -Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName
http://technet.microsoft.com/en-us/library/ee617215.aspx
I used the following today - It works!
Add a value to an extensionAttribute
$ThisUser = Get-ADUser -Identity $User -Properties extensionAttribute1
Set-ADUser -Identity $ThisUser -Add @{"extensionattribute1"="MyString"}
Remove a value from an extensionAttribute
$ThisUser = Get-ADUser -Identity $User -Properties extensionAttribute1
Set-ADUser -Identity $ThisUser -Clear "extensionattribute1"
I have struggled a long time to modify the extension attributes in our domain.
Then I wrote a powershell script and created an editor with a GUI to set and remove extAttributes from an account.
If you like, you can take a look at it at http://toolbocks.de/viewtopic.php?f=3&t=4
I'm sorry, that the description in the text is in German. The GUI itself is in English.
I use this script on a regular basis in our domain and it never deleted anything or did any other harm. I provide no guarantee, that this script works as expected in your domain. But as I provide the source, you can (and should) have a look at it, before you run it.
Extension attributes are added by Exchange. According to this Technet article something like this should work:
Set-Mailbox -Identity "anyUser" -ExtensionCustomAttribute4 @{Remove="myString"}
Or the -Remove parameter
Set-ADUser -Identity anyUser -Remove @{extensionAttribute4="myString"}
To clear the value you can always reset it to $Null. For example:
Set-Mailbox -Identity "username" -CustomAttribute1 $Null
This is also useful:
Set-ADUser -Identity anyUser -Replace @{extensionAttribute4="myString"}
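The answers above between them mention -Add, -Replace, -Remove and -Clear, and the choice is not arbitrary: extensionAttribute1 to 15 are single-valued, so -Add fails once a value exists, -Remove needs the exact current string, -Replace works whether or not a value is present, and -Clear empties the attribute regardless of its value. The following is an added example (not from the answers) of one function that picks the right operation for set or clear, skips no-op writes, supports -WhatIf, and reads the attribute back so the caller sees what AD actually holds. The function and parameter names are assumptions; it needs the ActiveDirectory module and a reachable domain.

```powershell
function Set-ExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [Parameter(Mandatory)] [ValidateRange(1, 15)] [int]$Number,   # extensionAttribute1..15
        [string]$Value = ''                                           # empty clears the attribute
    )
    Import-Module ActiveDirectory

    $attr   = "extensionAttribute$Number"
    $before = (Get-ADUser -Identity $Identity -Properties $attr).$attr

    if ([string]::IsNullOrEmpty($Value)) {
        # -Clear drops the attribute whatever it holds. -Remove would need the exact
        # current string and only pays off on multi-valued attributes.
        if ($null -ne $before -and $PSCmdlet.ShouldProcess($Identity, "clear $attr (was '$before')")) {
            Set-ADUser -Identity $Identity -Clear $attr
        }
    }
    else {
        # -Replace is correct for a single-valued attribute: -Add would fail if a value
        # is already present ("multiple values for an attribute that can have only one").
        if ($before -ne $Value -and $PSCmdlet.ShouldProcess($Identity, "set $attr '$before' -> '$Value'")) {
            Set-ADUser -Identity $Identity -Replace @{ $attr = $Value }
        }
    }

    # Read back rather than trusting the local object; returns $null once cleared.
    return (Get-ADUser -Identity $Identity -Properties $attr).$attr
}

# Usage (constructed identity):
# Set-ExtensionAttribute -Identity 'anyUser' -Number 4 -Value 'myString'   # sets, returns 'myString'
# Set-ExtensionAttribute -Identity 'anyUser' -Number 4                      # clears, returns $null
```

The Exchange-side Set-Mailbox -CustomAttributeN cmdlets write the same AD attributes; if Exchange is present, using one path consistently avoids the two tools racing each other on the same value.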

Is it possible to set a users memberOf property in Active Directory using Powershell

I need to create a Powershell script that sets some user attributes in Active Directory.
I'm using the Set-AdUser command and passing in a user object as follows:
$user = Get-AdUser -Identity $userIdentity
$user.MemberOf = $dn_of_group
Set-ADUser -Instance $user
this returns an error of 'The adapter cannot set the value of property "MemberOf"'.
Is it possible to set the MemberOf property from powershell?
If so, what am I doing wrong?
You cannot modify the MemberOf property - you need to add the user to the group using the Add-ADGroupMember Cmdlet:
Add-ADGroupMember $dn_of_group $user
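The reason the assignment fails is that memberOf is a back-link attribute: AD computes it from each group's member attribute, so it is read-only and membership is changed on the group side, which is what Add-ADGroupMember does. The following is an added example (not the answer's code) that makes that round trip visible: it reads memberOf to decide whether the add is needed, writes through the group, and then re-reads memberOf to confirm the link appeared. It assumes the ActiveDirectory module; the identity and group DN in the usage line are made up. Note that memberOf does not list the primary group (Domain Users by default).

```powershell
function Add-UserToGroupIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Identity,   # sAMAccountName, DN, SID or GUID of the user
        [Parameter(Mandatory)] [string]$GroupDN     # distinguished name of the target group
    )
    Import-Module ActiveDirectory

    # memberOf is a back-link computed from the groups' member attribute: read it, never assign it.
    $user = Get-ADUser -Identity $Identity -Properties MemberOf
    if ($user.MemberOf -contains $GroupDN) {
        Write-Verbose "$Identity is already a member of $GroupDN"
        return $true
    }

    if ($PSCmdlet.ShouldProcess($Identity, "add to $GroupDN")) {
        # The write goes to the group's member attribute; AD updates the user's memberOf link.
        Add-ADGroupMember -Identity $GroupDN -Members $user
    }

    # Re-read to confirm the link is now present (false under -WhatIf, since nothing was written).
    $after = Get-ADUser -Identity $Identity -Properties MemberOf
    return [bool]($after.MemberOf -contains $GroupDN)
}

# Usage (constructed values):
# Add-UserToGroupIfMissing -Identity 'jdoe' -GroupDN 'CN=App Admins,OU=Groups,DC=example,DC=com' -Verbose
```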