Set a single attribute

by rambog at 2012-10-02 11:59:26

I am scanning the tree looking for script paths to be changed. If an incorrect name is found (i.e., vbsNTLogonCombined.bat), it needs to be replaced with another script name (MHSNR-vbsNTLogonCombined.bat). The problem I run into is that methods of Put(), SetInfo(), or CommitChanges() don’t seem to work on the object type I am attempting to work on. How do I effect the change I need to occur within AD (if there is a way without having to invoke Quest tools, I would prefer).

[code2=powershell]# Report file listing the accounts whose logon script needs changing
$LogonScriptReportFile = New-Item -type file -force "C:\Lab\UserReports\Logon_Script.csv"
$ObjFilter = "(objectClass=User)"
$objSearch = New-Object System.DirectoryServices.DirectorySearcher
$objSearch.PageSize = 20000
$objSearch.Filter = $ObjFilter
$objSearch.SearchRoot = "LDAP://OU=Lab1,DC=labdomain,DC=lab,DC=org"
$AllObj = $objSearch.FindAll()
foreach ($Obj in $AllObj) {
    # Properties of a search result are a read-only snapshot of the object
    $objItemT = $Obj.Properties
    $UserID = $
    Write-Host "$UserID has the batch file $Profile"
    if ($Profile -eq 'vbsNTLogonCombined.bat') {
        Write-Host "$UserID needs to be modified"
        "$UserID profile was modified to $Profile" | Out-File $LogonScriptReportFile -encoding ASCII -append
    }
}[/code2]
by Helmto108 at 2012-10-02 17:15:41
Hi, do you have access to the AD Module for PowerShell? This might work out for you.

[code2=powershell]$report = @()
$users = Get-ADUser -Filter * -SearchBase "OU=Lab1,DC=labdomain,DC=lab,DC=org" -Property scriptpath

ForEach ($user in $users) {
    If ($user.scriptpath -eq 'vbsNTLogonCombined.bat') {
        $temp = $null
        $temp = New-Object PSObject
        Write-Host "$($user.Name) needs to be modified"
        $user.scriptpath = "MHSNR-vbsNTLogonCombined.bat"
        $temp | Add-Member -Type NoteProperty -Name Name -Value "$($user.Name) was modified to MHSNR-vbsNTLogonCombined.bat"
        $report += $temp
        # Write the modified object back to AD
        Set-ADUser -Instance $user
    }
}
# Export only when at least one account was changed
If ($report.Count -gt 0) {
    $report | Export-CSV LogonChangeResults.CSV
}[/code2]
by Steve at 2012-10-02 17:25:43
That’s actually how I got hooked on PowerShell: using it to change out logon scripts.

Using Quest’s AD tool module:
get-qaduser -logonscript BadOldScript.bat | set-qaduser -logonscript NiceNewScript.bat

Using MS’s AD module:
get-aduser -filter {scriptpath -eq "BadOldScript.bat"} | set-aduser -scriptpath "NiceNewScript.bat"
by rambog at 2012-10-04 18:14:26
Thank you. I was wondering if there were ways other than the Quest tools or having a Windows Server 2008 Domain Controller (which should have installed). It seems that without these toolsets, it is difficult to write to AD.
by RichardSiddaway at 2012-10-06 01:56:35
That’s not correct. The [ADSI] and [ADSISEARCHER] type accelerators expose a scripting interface that is just as powerful as the cmdlets. I haven’t found anything the cmdlets do that you can’t do this way. There is also the AD provider, which is a lot more capable than I originally thought. See the series of posts I did at for a comparison of various ways of using scripts, provider, MS and AD cmdlets.
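
The [ADSI]/[ADSISEARCHER] route mentioned in the last reply, as an added example that is not code from any poster in this thread: a search returns read-only SearchResult objects, so the write has to go through GetDirectoryEntry() followed by Put() and SetInfo(). The function name and its parameters are hypothetical; the OU and script names in the usage comment are the ones from the question.

```powershell
# Added example; Set-LogonScriptPath and its parameters are hypothetical names.
function Set-LogonScriptPath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$OldScript,
        [Parameter(Mandatory = $true)][string]$NewScript
    )

    # Escape LDAP filter metacharacters (RFC 4515) so the name is matched literally.
    $escaped = $OldScript -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Let the server do the filtering instead of pulling every user in the OU.
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(scriptPath=$escaped))"
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $name = $result.Properties['samaccountname'][0]

            # SearchResult cannot be written to; bind to the live object first.
            $entry = $result.GetDirectoryEntry()

            # -WhatIf / -Confirm are honoured here, so a dry run changes nothing.
            if ($PSCmdlet.ShouldProcess($name, "Set scriptPath to '$NewScript'")) {
                $entry.Put('scriptPath', $NewScript)
                $entry.SetInfo()   # commits the cached change to the directory

                # One record per modified account, for the change report.
                New-Object PSObject -Property @{
                    User      = $name
                    OldScript = $OldScript
                    NewScript = $NewScript
                }
            }
        }
    }
    finally {
        $results.Dispose()   # FindAll() holds unmanaged resources until disposed
    }
}

# Dry run, then the real change with a CSV record of what was touched:
# Set-LogonScriptPath -SearchBase 'OU=Lab1,DC=labdomain,DC=lab,DC=org' -OldScript 'vbsNTLogonCombined.bat' -NewScript 'MHSNR-vbsNTLogonCombined.bat' -WhatIf
# Set-LogonScriptPath -SearchBase 'OU=Lab1,DC=labdomain,DC=lab,DC=org' -OldScript 'vbsNTLogonCombined.bat' -NewScript 'MHSNR-vbsNTLogonCombined.bat' | Export-Csv LogonChangeResults.csv -NoTypeInformation
```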