Modifying Active directory problems

  • Question

  • I imported users from an XML file to AD. I created some attributes in my AD schema which start with the letter 'v'.

    I am trying to modify some attributes of AD users using this script.

    $path_to_users_xml = "C:\veracross\facstaff.xml"
    $Dataxml = [Xml] (Get-Content $path_to_users_xml)
    $Datas = $Dataxml.facstaff.facstaff

    #$datas

    foreach ($facstaff in $Datas)
    {
        $facstaff

        $OU = "ou=Staff,dc=psi,dc=kiev,dc=ua"
        $login = [string] $facstaff.email_1
        $login = $login.replace("@psi.kiev.ua", "")

        $hash = @{
            Company = $facstaff.faculty_type
            Title = $facstaff.job_title
            Department = $facstaff.department
            Enabled = $true
            Path = $OU
            vbiography = $facstaff.biography
            vrole = $facstaff.roles
            vSchoolLevel = $facstaff.School_Level
            vupdatedate = $facstaff.update_date
        }
        Get-ADUser -identity $login -properties Company,Title,Department,vbiography,vrole,vschoollevel,vupdatedate
        Set-ADUser $login -Replace $hash
    }

    But I receive the error listed below:

    Set-ADUser : An attempt was made to modify an object to include an attribute that is not legal for its class
    At C:\Users\Administrator\Desktop\Scripts\Creaters\Staff_User_Update.ps1:53 char:5
    +     Set-ADUser $login -Replace $hash
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (XXXX:ADUser) [Set-ADUser], ADException
        + FullyQualifiedErrorId : An attempt was made to modify an object to include an attribute that is not legal for its class,Microsoft.ActiveDirectory.Management.Commands.SetADUser

    Thursday, February 12, 2015 8:47 AM

All replies

  • Hi Kerem,

    • Try ensuring the spelling of the properties in your hashtable.
    • When modifying the schema, did you ensure the attributes you created were legal for user objects?
    • Try dropping individual properties from the hashtable until you find the guilty property.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Thursday, February 12, 2015 8:59 AM
  • Hi Fred,

    Thanks for the quick reply.

    I found these fields are not allowed:

    Enabled = $true
      Path = $OU

    Thanks,

    Thursday, February 12, 2015 9:17 AM
  • Hi Kerem,

    The Enabled Property in LDAP is a bit (the second one) on the userAccountControl Property. Easiest to use the -Enabled switch on Set-ADUser.

    Use Move-ADObject to move a User to another OU.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Thursday, February 12, 2015 9:31 AM
  • The Path property is not recognized by Set-ADUser. However, you can assign $True to the Enabled property, as long as the user has a password.

    Richard Mueller - MVP Directory Services

    Thursday, February 12, 2015 2:33 PM
    Moderator
  • The Path property is not recognized by Set-ADUser. However, you can assign $True to the Enabled property, as long as the user has a password.

    Richard Mueller - MVP Directory Services

    True, but you cannot alter Enabled in a "Replace" hash. Use -Enabled.

    Get-ADUser -identity $login | Set-ADUser -Replace $hash -Enabled $true

    Do not retrieve extra properties with Get-AdUser when used this way. It adds nothing.


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, February 12, 2015 3:44 PM
    Thursday, February 12, 2015 3:43 PM
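
Putting the replies above together, as an added example that is not code from any poster in this thread: only schema attributes go into the -Replace hash, Enabled is passed as a cmdlet parameter, and the OU is handled with Move-ADObject. The XML record is constructed sample data, `Get-ReplaceHash` and `$map` are hypothetical names, and skipping empty values goes beyond what the thread discusses; `-WhatIf` keeps the run a dry run.

```powershell
# Added example; the XML record below is constructed sample data.
Import-Module ActiveDirectory
[xml]$Dataxml = @'
<facstaff><facstaff>
  <email_1>jdoe@psi.kiev.ua</email_1>
  <faculty_type>Faculty</faculty_type>
  <job_title>Teacher</job_title>
  <department>Science</department>
  <biography></biography>
  <roles>Staff</roles>
  <School_Level>Secondary</School_Level>
  <update_date>2015-02-12</update_date>
</facstaff></facstaff>
'@
$OU = "ou=Staff,dc=psi,dc=kiev,dc=ua"

# LDAP attribute name -> XML element name. Enabled and Path are absent on
# purpose: they are cmdlet parameters, not attributes of the user class.
$map = @{
    company = 'faculty_type'; title = 'job_title'; department = 'department'
    vbiography = 'biography'; vrole = 'roles'
    vSchoolLevel = 'School_Level'; vupdatedate = 'update_date'
}

# Hypothetical helper: build the -Replace hash, dropping empty values
# (an assumption of this example: -Replace is given no empty values).
function Get-ReplaceHash($Node, $Map) {
    $hash = @{}
    foreach ($attr in $Map.Keys) {
        $value = ([string]$Node.($Map[$attr])).Trim()
        if ($value) { $hash[$attr] = $value }
    }
    return $hash
}

foreach ($facstaff in $Dataxml.facstaff.facstaff) {
    $login = ([string]$facstaff.email_1).Replace("@psi.kiev.ua", "")
    $hash  = Get-ReplaceHash $facstaff $map
    $user  = Get-ADUser -Identity $login

    # Pipe the user object; do not also pass $login as -Identity.
    if ($hash.Count -gt 0) { $user | Set-ADUser -Replace $hash -Enabled $true -WhatIf }
    else                   { $user | Set-ADUser -Enabled $true -WhatIf }

    # Existing users are relocated with Move-ADObject (users already
    # anywhere below $OU are left where they are).
    if ($user.DistinguishedName -notlike "*,$OU") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $OU -WhatIf
    }
}
```

Remove `-WhatIf` once the printed operations match what you expect.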