Set-ADUser generating logon event on domain controllers for every call

  • Question

  • While looping through a long list of users in a job every night we've noticed that we get separate logon events for every call to Set-ADUser. Is there a way to force the process to authenticate just once? It's more of a curiosity than anything else. The only real side effect is a spike in our log monitoring tools.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Friday, February 16, 2018 9:16 PM

Answers

  • Expectation is also irrelevant. As I said in the original post, this is merely a curiosity.

    What I am asking is if there is a way to modify the behavior. If I make the changes directly via LDAP, authentication only happens once on bind. If I hold the connection open I can make changes to multiple objects without generating authentication events for each modification.

    Is it possible to make the powershell tools behave in a similar fashion? And hey, look, I found one:

    https://blogs.msdn.microsoft.com/adpowershell/2009/03/11/active-directory-powershell-the-drive-is-the-connection/

    "there is a caveat here. When using the above method, a new connection will be opened and closed for each cmdlet invocation. This is ok for one or two operations but is very inefficient for bulk operations. So how can you share a single connection across multiple cmdlet invocations?

    The answer is: create an Active Directory PSDrive and run the cmdlets under the drive's context. The Active Directory PSDrive maintains a live connection to the specified/discovered server and it will be reused by all the cmdlets running under its context. The drive also maintains the lifecycle of the connection, so if the connection gets closed due to timeout or some other reason, then a new connection is created underneath."

    Thanks for the really helpful comments! Hey, at least you helped me think through it.


    Justin Cervero - MS Enterprise Admin - Appalachian State University

    • Marked as answer by J Cervero Saturday, February 17, 2018 3:43 PM
    Saturday, February 17, 2018 3:43 PM
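    The PSDrive approach from the quoted blog post, written out as an added example that is not part of the original thread. The CSV path and its column names stand in for the Banner export and are assumptions, as is the choice to pin the batch to a single writable DC:

    ```powershell
    # Added example: run the nightly Set-ADUser batch under an Active Directory PSDrive
    # so every cmdlet reuses the drive's single connection instead of binding per call.
    # Assumptions: ActiveDirectory module installed; 'C:\banner\hr_updates.csv' and its
    # SamAccountName/Department/Title columns are placeholders for the real HR export.
    Import-Module ActiveDirectory

    # Pin the whole batch to one writable DC so the work (and its audit trail) lands
    # on a single server rather than whichever DC each call happens to discover.
    $dc = (Get-ADDomainController -Discover -Writable).HostName[0]

    # The drive is the connection: it binds once, keeps the connection alive, and
    # reconnects on its own if the server drops it (per the blog post quoted above).
    New-PSDrive -Name ADBatch -PSProvider ActiveDirectory -Server $dc -Root "" | Out-Null

    try {
        # Cmdlets only share the drive's connection while running under its context.
        Push-Location ADBatch:
        $updates = Import-Csv -Path 'C:\banner\hr_updates.csv'
        foreach ($row in $updates) {
            # Same Set-ADUser as before; no per-call bind is needed here, so the DC
            # should see one authentication for the batch rather than one per user.
            Set-ADUser -Identity $row.SamAccountName `
                       -Department $row.Department `
                       -Title $row.Title
        }
    }
    finally {
        Pop-Location
        Remove-PSDrive -Name ADBatch
    }
    ```

    Compare the logon events on the chosen DC for one run before and after the change; the spike in the log monitoring tools is the measurable confirmation that the connection is being reused.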

All replies

  • Why are you using Set-AdUser every night?  We cannot answer this question based on the information provided.


    \_(ツ)_/

    Saturday, February 17, 2018 8:59 AM
  • The why is irrelevant. Assume I have a good business case for setting something on every user every night.

    Outside of the scope of my application, Set-ADUser *appears* to cause an authentication event every time it's called. I can think of a number of reasons for why that makes sense. What I'm looking for is whether or not there is a way to alter that behavior when you know you will be running it in batch. Further, is this the only AD PS command that behaves that way? Does Get-ADUser *also* authenticate every time it's called?


    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Saturday, February 17, 2018 3:21 PM
  • As a trained AD administrator you know that all accesses to AD cause an authentication series to be logged.  All AD CmdLets cause authentication to be logged at the DC that handles the call.  If auditing is enabled then more events will be logged.

    Why would you not expect this behavior?


    \_(ツ)_/

    Saturday, February 17, 2018 3:25 PM
  • Alternately you could add the aduser identities into a one-line ad-hoc command. I’m guessing you have a script that runs multiple lines of Set-AdUser?
    Saturday, February 17, 2018 3:51 PM
  • We do. We pick up a file from our Banner ERP with updated fac/staff/student records and then run Set-ADUser for each user with any data updated by HR or the Registrar during the day. I'm not sure I understand the one-line ad-hoc suggestion.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Saturday, February 17, 2018 4:00 PM
  • Yes.  I didn't think of that.  You can also use ADSI and reuse the Locator which will retain the connection.  This is how the AD provider drive works.


    \_(ツ)_/

    Saturday, February 17, 2018 4:03 PM
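    The ADSI route mentioned above, as an added example that is not from the thread: one DirectoryEntry is bound to a chosen DC and every lookup and modification goes through it, so the bind happens once for the batch. The DC name, base DN and CSV columns are placeholders; that ADSI reuses the cached connection for the same server and credentials is an assumption about the underlying library, not something the thread states.

    ```powershell
    # Added example: reuse a single ADSI connection for the whole batch of updates.
    # Assumptions: 'dc01.example.edu', 'DC=example,DC=edu' and the CSV layout are
    # placeholders; ADSI is expected to keep reusing the connection it opened for $root.
    Add-Type -AssemblyName System.DirectoryServices

    function ConvertTo-LdapFilterValue([string]$Value) {
        # RFC 4515 escaping so a value taken from the HR file cannot change the filter.
        # Backslash must be escaped first so the other escapes are not double-escaped.
        $Value -replace '\\', '\5c' -replace '\*', '\2a' `
               -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    }

    $dc   = 'dc01.example.edu'
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/DC=example,DC=edu")

    # One searcher over the bound root; resolving each account reuses that connection.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    foreach ($row in Import-Csv -Path 'C:\banner\hr_updates.csv') {
        $sam = ConvertTo-LdapFilterValue $row.SamAccountName
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
        $hit = $searcher.FindOne()
        if (-not $hit) { Write-Warning "No account found for $($row.SamAccountName)"; continue }

        # The entry returned here is served over the same ADSI connection as $root.
        $user = $hit.GetDirectoryEntry()
        $user.Properties['department'].Value = $row.Department
        $user.Properties['title'].Value      = $row.Title
        $user.CommitChanges()        # one LDAP modify per user, no new bind
        $user.Dispose()
    }

    $searcher.Dispose()
    $root.Dispose()
    ```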
  • Alternately you could add the aduser identities into a one-line ad-hoc command. I’m guessing you have a script that runs multiple lines of Set-AdUser?

    Set-AdUser cannot be run in bulk.  It is one connection per account.  AD really has no good batch operations at the API level.

    Justin's method  and direct ADSI are the best and only way to do this.

    Too bad that Set-AdUser doesn't support "Filter".  That would allow selections of users to target with "Set", "Update" and "Add" calls.


    \_(ツ)_/

    Saturday, February 17, 2018 4:07 PM
  • We do. We pick up a file from our Banner ERP with updated fac/staff/student records and then run Set-ADUser for each user with any data updated by HR or the Registrar during the day. I'm not sure I understand the one-line ad-hoc suggestion.

    Justin Cervero - MS Enterprise Admin - Appalachian State University


    I should also mention that this can also be done from SQLServer using a link to the OLEDB ActiveDirectory provider.  The query can give you an updatable dataset.  This should create only one connection to AD for the table.

    \_(ツ)_/

    Saturday, February 17, 2018 4:10 PM