Modifying AD Attributes and Groups

by leffrt at 2012-09-20 08:44:38

Working on a script that will modify a few attributes and add accounts to a couple groups. A little back story, while we wait to decide on an Identity Management tool we need to automate the creation of user accounts in AD based off of the users being created in SAP. Our SAP team is using a connector to create the new accounts in AD. The problem is that this connector isn’t very robust, it only creates the accounts with basic fields. It will not enter a UPN and it creates the accounts with a UserAccountControl value of 514 or 544 (can’t remember).

We need to create a script to be run nightly that will modify newly created accounts, changing the UAC attribute to 512, adding an initial password and adding the accounts to a couple critical groups. I spent some time working on this script and finally got it working. My question for you advanced Powershell users is how efficient is the script I created and can it be done any better? There will eventually be 7000-9000 users in the OU and possibly a couple hundred modifications a night (high turnover :)) Here is the script. Thanks!

######################################################################
#
# Name: Nitro.ps1
# Author: Roger Leff
# Version: 1.0
# Date: 2012-09-18
# Comments:
# 1. PowerShell 2.0 script to modify the new accounts created by the
# SAP connector for new Retail employees.
# 2. Quest Powershell CMDLETS were used due to more advanced options.
# 3. Script is run against accounts in the AppAcct OU that do not have
# the extensionAttribute7 attribute populated. This was used instead
# of the whenCreated attribute in case the script was not launched at
# some point, which would throw off the variable using whenCreated
# in the last 24 hours. We can control the population of the custom
# attribute.
#
######################################################################

# Import the Active Directory Powershell Module and Quest Powershell Snapin

Import-Module ActiveDirectory -ErrorAction SilentlyContinue
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Set Variables

$SearchBase = "OU=Test,OU=Test,OU=Test,OU=Test,DC=Test,DC=Com"
$Group1 = "GroupName1"
$Group2 = "GroupName2"
$OUArr = @(Get-QADUser -SearchRoot $SearchBase -ObjectAttributes @{extensionAttribute7=''})

# Evaluate if accounts are returned, if not exit otherwise continue with script
# (@() always yields an array, so an empty result has a Count of 0, never $Null)

IF ($OUArr.Count -eq 0)
{Exit}

ELSE
{

# Set initial password, UserAccountControl, extensionAttribute7 and UPN for newly created accounts

Get-QADUser -SearchRoot $SearchBase -ObjectAttributes @{extensionAttribute7=''} | ForEach-Object {$_ | Set-QADUser -UserPassword 'Password' -ObjectAttributes @{UserAccountControl='512';extensionAttribute7='FLAG'} -UserPrincipalName "$($_.sAMAccountName)@test.com"}

# Add newly created accounts to the GroupName1 Security Group

ForEach ($User in $OUArr) {Add-QADGroupMember -Identity $Group1 -Member $User}

# Add newly created accounts to the GroupName2 Security Group

ForEach ($User in $OUArr) {Add-QADGroupMember -Identity $Group2 -Member $User}

}

# End
by jonhtyler at 2012-09-20 10:27:12
Hi…

It appears that you are doing the same query twice. Once for the $OUArr variable, and then again when you set the password.

I would suggest that you do something like the following:

Get-QADUser -SearchRoot $SearchBase -ObjectAttributes @{extensionAttribute7=''} | ForEach-Object {
    # $_ is the current user object; one pass does every change for that account
    Set-QADUser $_.DN -UserPassword 'Password' -ObjectAttributes @{UserAccountControl='512';extensionAttribute7='FLAG'} -UserPrincipalName "$($_.sAMAccountName)@test.com"
    Add-QADGroupMember -Identity $Group1 -Member $_
    Add-QADGroupMember -Identity $Group2 -Member $_
}


By doing this, you will eliminate the need for the "IF" statement that checks for any returned user objects. If there are no user objects, nothing flows through the pipeline, and nothing gets acted on. It also keeps you from doing so many iterations through your loops…you have the object at the beginning, act on it with all that you need to, and be done with it.

Hope that helps.
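An added example, not code from this thread, from Quest or from SAP: the same nightly pass written as one loop over the Microsoft ActiveDirectory module (the module Nitro.ps1 already imports), with the changes a reviewer would ask for beyond the single-pipeline point above: no clear-text password in the script (it is read from a DPAPI-protected file), the 544 case actually cleared (544 is 512 plus PASSWD_NOTREQD, and just enabling such an account leaves it allowed to have no password), a forced password change at first logon, the flag attribute written last so an account that failed half-way is retried the next night, and a log of what was touched. The OU, group names, UPN suffix and file paths are placeholders.

```powershell
# Added example (not the thread's script). Assumes the RSAT ActiveDirectory
# module is installed on the host and that the scheduled task runs under the
# same account that created $PwdFile (DPAPI only decrypts for that account).
Import-Module ActiveDirectory

$SearchBase = "OU=AppAcct,DC=example,DC=com"           # placeholder
$Groups     = @("GroupName1", "GroupName2")             # placeholder group names
$UpnSuffix  = "example.com"                             # placeholder
$PwdFile    = "C:\Scripts\initialpwd.txt"               # placeholder
$LogPath    = "C:\Scripts\Nitro-$(Get-Date -Format yyyyMMdd).log"

# One-time setup, run interactively as the service account, stores the shared
# initial password encrypted with DPAPI instead of in clear text in this file:
#   Read-Host "Initial password" -AsSecureString | ConvertFrom-SecureString | Set-Content $PwdFile
$InitialPassword = Get-Content $PwdFile | ConvertTo-SecureString

# Accounts the script has never finished: extensionAttribute7 is still empty.
$NewUsers = @(Get-ADUser -SearchBase $SearchBase `
                         -LDAPFilter "(!(extensionAttribute7=*))" `
                         -Properties extensionAttribute7, userAccountControl)

Add-Content -Path $LogPath -Value "$(Get-Date -Format s) START $($NewUsers.Count) account(s) to process"

foreach ($User in $NewUsers) {
    try {
        # 1. Password first; enabling an account that has no password fails
        #    under a normal password policy.
        Set-ADAccountPassword -Identity $User -NewPassword $InitialPassword -Reset -ErrorAction Stop

        # 2. Enable, clear PASSWD_NOTREQD (the 32 bit in 544), set the UPN,
        #    and make the shared password a one-time bootstrap secret.
        Set-ADUser -Identity $User `
                   -Enabled $true `
                   -PasswordNotRequired $false `
                   -ChangePasswordAtLogon $true `
                   -UserPrincipalName "$($User.SamAccountName)@$UpnSuffix" `
                   -ErrorAction Stop

        # 3. Group membership. Adding an existing member is not an error, so a
        #    rerun after a partial failure is safe.
        foreach ($Group in $Groups) {
            Add-ADGroupMember -Identity $Group -Members $User -ErrorAction Stop
        }

        # 4. Flag last: if anything above threw, the attribute stays empty and
        #    the account is picked up again on the next nightly run.
        Set-ADUser -Identity $User -Replace @{ extensionAttribute7 = 'FLAG' } -ErrorAction Stop

        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) OK    $($User.SamAccountName) uac=$($User.userAccountControl)"
    }
    catch {
        # Never write the password to the log; the account name and the
        # error text are enough for the helpdesk to follow up.
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) ERROR $($User.SamAccountName): $($_.Exception.Message)"
    }
}

Add-Content -Path $LogPath -Value "$(Get-Date -Format s) END"
```

Two things worth checking before scheduling this: the LDAP filter `(!(extensionAttribute7=*))` is what makes the nightly run idempotent, so nothing else in the environment should populate that attribute; and because the file is DPAPI-bound, creating it under an admin's desktop session and then running the task as a service account will fail at `ConvertTo-SecureString`, which is the intended behaviour rather than a bug.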
by leffrt at 2012-09-20 10:54:36
Definitely a better process. I was originally trying to do this, but I guess I had the syntax wrong somewhere because it would bomb out if the Get-QADUser command returned a null value. I tested your suggestions and it worked great. Thanks for the suggestions.
by jonhtyler at 2012-09-20 11:08:55
Glad to help!
by RichardSiddaway at 2012-09-20 11:11:48
I also wouldn’t load the Active Directory module if you aren’t using it
by leffrt at 2012-09-20 11:31:30
Good point. Thanks.