Let non-admin user change an attribute
-
Tuesday, November 27, 2012 3:30 PM
Hello,
I want to allow my HR technician to change an AD attribute (Pager) based on the IPPhone. In other words, he knows the IPPhone and needs to update the Pager.
I'm thinking of a script that asks in a GUI for the IPPhone of the AD user and after he hits OK, it asks for the new Pager and after OK it updates that information on AD.
Is it possible to do? Is it best done with powershell cmdlets or vbscript?
Thanks a lot,
Marcelo Viegas
Marcelo
All Replies
-
Tuesday, November 27, 2012 4:24 PM
You can do it with either. Look in the repository for examples of scripts that can update attributes in Active Directory.
¯\_(ツ)_/¯
-
Tuesday, November 27, 2012 4:26 PM (Moderator)
Perhaps easier to do in ADUC, on the "Telephones" tab. You would need to give the person access to ADUC, and grant permissions to write the attribute. To delegate permission to update an attribute, see this link:
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
Also, see this thread:
Richard Mueller - MVP Directory Services
- Proposed As Answer by Bill_Stewart (Microsoft Community Contributor, Moderator) Tuesday, November 27, 2012 4:29 PM
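The delegation described in the reply above, as an added example that is not part of the original thread: it grants write access to the pager attribute only, then lists the ACEs on the OU that are scoped to that attribute so the result can be reviewed. The OU and group names are hypothetical placeholders.

```powershell
# Added example, not from the thread. $ou and $group are assumed placeholder values.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'   # assumed OU that holds the user accounts
$group = 'EXAMPLE\HR-PagerEditors'      # assumed group the HR technician belongs to

# Grant Write Property (WP) on 'pager' only, inherited by user objects below the OU.
dsacls $ou /I:S /G "${group}:WP;pager;user"

# Resolve the schema GUID of 'pager' so that ACEs can be matched against it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attr      = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=pager)' -Properties schemaIDGUID
$pagerGuid = [guid]$attr.schemaIDGUID

# List the Allow ACEs on the OU that are scoped to writing 'pager'.
# Broader ACEs (all properties, GenericAll) also permit the write and are not shown here.
$writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeProperty) -and
        $_.ObjectType -eq $pagerGuid
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Delegating to a group rather than to the technician's own account keeps the grant easy to review and to revoke.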
-
Tuesday, November 27, 2012 5:11 PM
Hi Richard,
When talking about AD rights, I believe this is the best choice to give someone rights to do something, but I'm concerned not with the right itself, but with the best procedure to update the information.
I could install AD administrative tools on his PC and show him how to custom search a user object (based on its pager information) and navigate on the several tabs on the user and only try to update the ipPhone information, but I believe that might be very confusing and time consuming to someone from Human Resources.
So, my idea was to build a script just to ask for the essential information to give him what he needs.
Marcelo
Marcelo
-
Tuesday, November 27, 2012 5:13 PM
I can find several examples of such scripts, but couldn't find any that asks (in a GUI) for an attribute and updates another... any hints?
You can do it with either. Look in the repository for examples of scripts that can update attributes in Active Directory.
¯\_(ツ)_/¯
Marcelo
-
Tuesday, November 27, 2012 5:39 PM (Moderator)
Hi,
There's probably not a script already written that works exactly as you want it to.
Bill
-
Tuesday, November 27, 2012 5:56 PM
I can find several examples of such scripts, but couldn't find any that asks (in a GUI) for an attribute and updates another... any hints?
You can do it with either. Look in the repository for examples of scripts that can update attributes in Active Directory.
¯\_(ツ)_/¯
Marcelo
You can use a non-GUI script but I recommend using ADUC. It is already built and tested and has documentation. A user can easily learn to use it and, if you need to have the user adjust more items, all you need to do is delegate the new items. No software to deploy.
If you want simplicity for the user then forget the GUI and use a command-line prompt. Search for a user and enter the IPPhone.
Of course you are free to write a GUI as an HTA or as a PowerShell Windows Forms script. There are many examples of these in the repository.
Make it easy on yourself. Since you don't want to learn scripting just use the ADUC solution. It is what most admins opt for I believe.
¯\_(ツ)_/¯
-
Tuesday, November 27, 2012 11:33 PM (Moderator)
I've never coded GUI apps (except in VB), but PowerShell code to prompt for iPPhone, make sure there is only one user with that value, display info on the user, prompt for pager, then update (using PowerShell AD modules) could be similar to below:
# Load the AD cmdlets (needed explicitly on PowerShell 2.0).
Import-Module ActiveDirectory

$IPPhone = Read-Host "Enter the IPPhone of the user"
# Find every user whose iPPhone attribute has the value entered.
$Users = Get-ADUser -LDAPFilter "(iPPhone=$IPPhone)" -Properties distinguishedName, sAMAccountName, pager, iPPhone
If ($Users)
{
    # Count the matches and remember the details of the (last) user found.
    $Count = 0
    ForEach ($User In $Users)
    {
        $DN = $User.distinguishedName
        $Name = $User.sAMAccountName
        $Pager = $User.pager
        $Count = $Count + 1
    }
    If ($Count -gt 1)
    {
        # Ambiguous match: list the candidates and change nothing.
        "More than one user found with iPPhone $IPPhone"
        ForEach ($User In $Users)
        {
            $User.distinguishedName + " (" + $User.sAMAccountName + ")"
        }
    }
    Else
    {
        # Exactly one user: show it, then prompt for the new pager value.
        "User Distinguished Name: $DN"
        "Pre-Windows 2000 Logon Name: $Name"
        "Pager: $Pager"
        $NewPager = Read-Host "Enter pager number for this user"
        If ($NewPager.Length -gt 0)
        {
            Set-ADUser -Identity $DN -Replace @{pager="$NewPager"}
            "Done"
        }
        Else {"No value entered"}
    }
}
Else {"No user found with iPPhone $IPPhone"}
-----
Richard Mueller - MVP Directory Services
- Proposed As Answer by jrv (Microsoft Community Contributor) Tuesday, November 27, 2012 11:49 PM
- Marked As Answer by magviegas Wednesday, November 28, 2012 10:32 AM
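A variant of the flow in the answer above, as an added example that is not part of the original thread: the typed value is checked against an allowlist and escaped per RFC 4515 before it goes into the LDAP filter, and nothing is written unless exactly one user matches. The helper name and both accepted formats (digits for IPPhone, phone-style characters for pager) are assumptions.

```powershell
# Added example, not from the thread. Helper name and both patterns are assumptions.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # RFC 4515 escaping: backslash first, then * ( ) and NUL.
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $v.Replace([string][char]0, '\00')
}

$IPPhone = (Read-Host 'Enter the IPPhone of the user').Trim()
if ($IPPhone -notmatch '^[0-9]{1,15}$') {          # assumed format: digits only
    'IPPhone must be 1 to 15 digits; nothing changed'
    return
}

# Escaping is kept even though the allowlist already excludes filter metacharacters,
# so the filter stays safe if the accepted format is widened later.
$filter = '(iPPhone={0})' -f (ConvertTo-LdapFilterValue $IPPhone)
$Users  = @(Get-ADUser -LDAPFilter $filter -Properties pager, iPPhone)

if ($Users.Count -ne 1) {
    "Expected exactly one user, found $($Users.Count); nothing changed"
    $Users | ForEach-Object { "$($_.DistinguishedName) ($($_.SamAccountName))" }
    return
}

$User = $Users[0]
"User: $($User.DistinguishedName)"
"Current pager: $($User.pager)"

$NewPager = (Read-Host 'Enter pager number for this user').Trim()
if ($NewPager -notmatch '^[0-9+() -]{1,32}$') {    # assumed format for pager values
    'Pager value rejected; nothing changed'
    return
}

# -ErrorAction Stop turns an access-denied result into a visible error.
Set-ADUser -Identity $User.DistinguishedName -Replace @{ pager = $NewPager } -ErrorAction Stop
"Updated pager for $($User.SamAccountName)"
```

Run under the technician's own delegated account, the script can change only what the directory ACL allows, whatever is typed at the prompts.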
-
Tuesday, November 27, 2012 11:51 PM
Even a console window can be viewed as GUI. It is just not that pretty.
¯\_(ツ)_/¯
-
Wednesday, November 28, 2012 9:19 AM
A quick way of integrating a GUI is by using the Microsoft.VisualBasic assembly. It is easier to implement than using Windows forms, here are some examples you could implement in Richard's scripts:
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
$IPPhone = [Microsoft.VisualBasic.Interaction]::InputBox("Enter the IPPhone of the user", "IPPhone of the user", "")
[Microsoft.VisualBasic.Interaction]::MsgBox("More than one user found with iPPhone $IPPhone",0,"Notification")
Jaap Brasser
http://www.jaapbrasser.com
-
Wednesday, November 28, 2012 10:32 AM
Hi Richard,
That will do it! Just adapted to be as automated as possible and created a .bat file that calls this script.
import-module ActiveDirectory

# Prompt: "Enter the employee number"
$IPPhone = Read-Host "Insira o numero mecanografico"
$Users = Get-ADUser -LDAPFilter "(iPPhone=$IPPhone)" -Properties distinguishedName, displayName, sAMAccountName, pager, iPPhone
If ($Users)
{
    $Count = 0
    ForEach ($User In $Users)
    {
        $DN = $User.distinguishedName
        $Display = $User.displayName
        $Name = $User.sAMAccountName
        $Pager = $User.pager
        $Count = $Count + 1
    }
    If ($Count -gt 1)
    {
        # Message: "More than one employee found with the number ..."
        "Mais de um colaborador encontrado com o numero $IPPhone"
        ForEach ($User In $Users)
        {
            $User.distinguishedName + " (" + $User.sAMAccountName + ")"
        }
    }
    Else
    {
        # Show the name and the current TAG (pager) number.
        ""
        "Nome: $Display"
        "Numero do TAG: $Pager"
        ""
        # Prompt: "Enter the new TAG number"
        $NewPager = Read-Host "Insira o novo numero do TAG"
        If ($NewPager.Length -gt 0)
        {
            Set-ADUser -Identity $DN -Replace @{pager="$NewPager"}
            ""
            "Feito!"
            ""
            # "Press any key to close..."
            Write-Host "Aperte qualquer tecla para fechar..."
            $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        }
        Else
        {
            # Message: "No value entered!"
            ""
            "Nenhum valor inserido!"
            ""
            Write-Host "Aperte qualquer tecla para fechar..."
            $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        }
    }
}
Else
{
    # Message: "No employee found with the number ..."
    ""
    "Nenhum colaborador encontrado com o numero $IPPhone"
    ""
    Write-Host "Aperte qualquer tecla para fechar..."
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
}
Thanks a lot for your help!!!
Marcelo
- Edited by magviegas Wednesday, November 28, 2012 10:34 AM

