{"id":3035,"date":"2013-08-15T00:01:00","date_gmt":"2013-08-15T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/08\/15\/use-powershell-to-log-changes-to-ad-ds-attributes\/"},"modified":"2013-08-15T00:01:00","modified_gmt":"2013-08-15T00:01:00","slug":"use-powershell-to-log-changes-to-ad-ds-attributes","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-log-changes-to-ad-ds-attributes\/","title":{"rendered":"Use PowerShell to Log Changes to AD DS Attributes"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to log changes made to Active Directory Domain Services attribute values.<\/p>\n

\"Hey, Hey, Scripting Guy! We are in the process of merging a couple of resource domains, and we need to modify some user accounts prior to the move. I have been tasked with making the changes, and I plan to use Windows PowerShell to perform the actual work. I need to create before and after logs. The before log shows the value of the attributes that I am going to change prior to running the script, and the after log will show the value of the attributes after running the script. Can you show me how I might go about doing this? Thanks, Scripting Guy, you are the best!<\/p>\n

—CX<\/p>\n

\"Hey, Hello CX,<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. This morning I am sitting on the lanai, and sipping a cup of English Breakfast tea. I put a bit of lemon grass, hibiscus flower, rose hips, spearmint, and a cinnamon stick in the tea. The flowers give it a citrus flavor, and the mint makes it very refreshing. The trick is that I only let it steep for three minutes, and that keeps it from becoming too bitter. It took me several tries to get this one just right. Because it is pretty early, it is not too hot or humid outside yet. I have my Surface RT, and am checking my scripter@microsoft.com<\/a> email.<\/p>\n

So, CX, you did not specify how you want your logging to take place, but I decided that exporting to a CSV file would work out well. Then you could import it into Microsoft Excel if you want to do so.<\/p>\n

Finding the attribute and values<\/h2>\n

The first thing to do is to create a little script that will populate an attribute with before values. I am going to populate the Post Office Box attribute, so I need to look it up in ADSI edit. I come up with the following (surprisingly, it is named postOfficeBox<\/strong>):<\/p>\n

\"Image<\/a><\/p>\n

I write a little script to add values to this attribute. Here is the script:<\/p>\n

Import-Module activeDirectory<\/p>\n

$ou = “ou=testou,dc=iammred,dc=net”<\/p>\n

$i = 1<\/p>\n

Get-ADUser -Filter * -SearchBase $ou |<\/p>\n

ForEach-Object {<\/p>\n

Set-ADUser $_ -POBox “Post Office Box $i”<\/p>\n

$i++ }<\/p>\n

Now I want to see how many different cities are represented by the users in the organizational unit (OU). I modify my script a bit and use the –Unique<\/strong> parameter from the Select-Object<\/strong> command. This is shown here:<\/p>\n

Get-ADUser -Filter * -SearchBase $ou -properties $properties | select l -Unique<\/p>\n

The following output tells me that I have three cities:                                                                                                         <\/p>\n

Atlanta                                                                                                    <\/p>\n

Charlotte                                                                                                   <\/p>\n

Jacksonville  <\/p>\n

Therefore, I need to add a bit of logic to detect the city. If the city is Atlanta, I will set the postOfficeBox <\/strong>attribute to 222; if it is Charlotte, I will set it to 333; and if it is Jacksonville, I will set it to 444.<\/p>\n

Making the changes<\/h2>\n

The first thing I do is use the Get-ADUser<\/strong> cmdlet to return the user name and the postOfficeBox<\/strong> attribute. I use the Select-Object<\/strong> cmdlet to get these two attributes, and I pipe the output to Export-CSV<\/strong>. No problem…until I open the spreadsheet in Excel. Here is the results:<\/p>\n

\"Image<\/a><\/p>\n

The issue is that for some reason, the postOfficeBox<\/strong> attribute is a collection. I therefore modify my script a bit, and I select the first PO Box. Here is the script:<\/p>\n

Import-Module activeDirectory<\/p>\n

$ou = “ou=testou,dc=iammred,dc=net”<\/p>\n

$Before = “c:\\fso\\before.csv”<\/p>\n

 <\/p>\n

$properties = “PostOfficeBox”<\/p>\n

Get-ADUser -Filter * -SearchBase $ou -properties $properties |<\/p>\n

Select name, @{L=’pobox’;E={$_.postofficebox[0]}} |<\/p>\n

Export-Csv -Path $before -NoTypeInformation -Force<\/p>\n

Now I open the script in Excel, and it appears like I expected:<\/p>\n

\"Image<\/a><\/p>\n

So now I use the Get-ADUser<\/strong> cmdlet to retrieve my user objects. I pipe everything to a Foreach-Object<\/strong> cmdlet, and I use a Switch<\/strong> statement inside the Foreach-Object<\/strong>. I read a Switch<\/strong> statement like a series of If <\/strong>statements, for example: If the city matches Atlanta, then I set the POBox variable to 222.<\/p>\n

I then use the Set-ADUser<\/strong> cmdlet inside the Foreach-Object<\/strong> cmdlet to make the actual changes. Here is the script:<\/p>\n

Import-Module activeDirectory<\/p>\n

$ou = “ou=testou,dc=iammred,dc=net”<\/p>\n

$properties = “l”,”PostOfficeBox”<\/p>\n

Get-ADUser -Filter * -SearchBase $ou -properties $properties |<\/p>\n

ForEach-Object {<\/p>\n

 Switch ($_.l)<\/p>\n

 { “Atlanta” {$pobox = “POBox 222”}<\/p>\n

   “Charlotte” {$pobox = “POBox 333”}<\/p>\n

   “Jacksonville” {$pobox = “POBox 444”} }<\/p>\n

Set-ADUser $_ -POBox $pobox<\/p>\n

}<\/p>\n

Now I run my documentation script again and open the Excel spreadsheet. I can see that the changes took place as expected. Cool.<\/p>\n

\"Image<\/a><\/p>\n

CX, that is all there is to using Windows PowerShell to make changes to AD DS attribute values and to log the changes. Active Directory Week will continue tomorrow when I will talk about different ways of working with Active Directory.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong> <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to log changes made to Active Directory Domain Services attribute values.  Hey, Scripting Guy! We are in the process of merging a couple of resource domains, and we need to modify some user accounts prior to the move. I have been tasked with making […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,20,45],"class_list":["post-3035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-user-accounts","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to log changes made to Active Directory Domain Services attribute values.  Hey, Scripting Guy! We are in the process of merging a couple of resource domains, and we need to modify some user accounts prior to the move. I have been tasked with making […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=3035"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3035\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=3035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=3035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=3035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}