Modify a specific LDAP attribute in all user objects

  • Question

  • Hi,

    I am not so familiar with PowerShell & LDAP.

    I'd like to modify a specific attribute userWorkstations in all user objects.

    1) Check which user objects have this attribute and list the users and the specific attribute values

    I listed all users with this attribute with this command:

    Get-ADUser -LDAPfilter "(userWorkstations=*string*)" -properties *|ft name, userWorkstations

    2) If a given string exists, then modify these attributes so that additional info is added after this string (NOT DELETE or REPLACE)

    How can I do step 2)?

    I think it is very simple for script experts, but not for me :-).

    Best Regards

    Birdal



    • Edited by _Birdal Thursday, April 19, 2018 1:29 PM
    Thursday, April 19, 2018 1:19 PM

All replies

  • Hi,

    This should work like that:

    $additionalString = "myAdditionalString"
    Get-ADUser -LDAPFilter "(userWorkstations=*somestring*)" -Properties userWorkstations | foreach {
    
        $_ | Set-ADUser -Replace @{"userWorkstations" = "$($_.userWorkstations)$additionalString"}
    }


    Thursday, April 19, 2018 1:59 PM
  • Note using "-Properties *" just adds more overhead. Best to specify the userWorkstations attribute, the only non-default property you need in this case.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, April 19, 2018 2:25 PM
    Moderator
  • Note using "-Properties *" just adds more overhead. Best to specify the userWorkstations attribute, the only non-default property you need in this case.
    I've changed that right after posting it. Thanks.
    Thursday, April 19, 2018 2:28 PM
  • Hi Toby,

    You use the "Replace" parameter. But I don't want to replace (override) existing attribute values. I only want to add a string to these values.

    Best regards

    Birdal

    Thursday, April 19, 2018 2:28 PM
  • That's exactly what I'm doing: replacing the current value with the current value $_.userWorkstations AND the additional string from $additionalString.

    "userWorkstations" = "$($_.userWorkstations)$additionalString"

    The other possibilities are -Remove (you don't want that) and -Add (the attribute is already propagated) which leaves us with -Replace.


    • Edited by TobyU Thursday, April 19, 2018 2:47 PM
    • Marked as answer by _Birdal Thursday, April 19, 2018 2:48 PM
    Thursday, April 19, 2018 2:33 PM
  • As noted, the -Replace parameter is the only way to append a string to an existing value.

    However, in this case the userWorkstations attribute is a comma separated list of computer NetBIOS names. ADUC will list the individual computer names, parsing the comma separated list. And the user is only allowed to logon to the listed computers. So it would be best to also append a leading comma with your string. This way the string you are appending does not become part of the last computer name in the list (making the user unable to use that computer).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, April 19, 2018 2:41 PM
    Moderator
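
The append described in the reply above, with the leading comma handled by rebuilding the list, as an added example that is not part of the original thread. `Add-WorkstationToList`, `$Match` and `$NewWorkstation` are hypothetical names and placeholder values; `-WhatIf` makes the run report each change without writing it.

```powershell
# Added example; $Match and $NewWorkstation are placeholder values.
Import-Module ActiveDirectory

function Add-WorkstationToList {
    # Pure string helper: returns the comma-separated list with $Name appended once.
    param(
        [string]$Current,
        [Parameter(Mandatory)][string]$Name
    )
    # Split on commas, trim whitespace, drop empty entries
    $items = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -notcontains is case-insensitive, so PC-NEW01 and pc-new01 count as the same entry
    if ($items -notcontains $Name) { $items += $Name }
    return ($items -join ',')
}

$Match          = 'somestring'   # substring to look for in userWorkstations (placeholder)
$NewWorkstation = 'PC-NEW01'     # computer name to append (placeholder)

Get-ADUser -LDAPFilter "(userWorkstations=*$Match*)" -Properties userWorkstations |
    ForEach-Object {
        $old = $_.userWorkstations
        $new = Add-WorkstationToList -Current $old -Name $NewWorkstation
        if ($new -ne $old) {
            # -WhatIf reports the change without writing; remove it after reviewing the output
            $_ | Set-ADUser -Replace @{ userWorkstations = $new } -WhatIf
            # Emit a before/after record so the change can be reviewed or exported
            [pscustomobject]@{ User = $_.SamAccountName; Before = $old; After = $new }
        }
    }
```

Because the list is split and rejoined, a name that is already present is not added twice, and the new name can never merge into the last existing entry.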
  • Hi Toby,

    thank you. It worked well.

    If I want to delete the values of this attribute, is this correct?

    Set-ADUser -Remove @{"userWorkstations"}

    Best regards

    Birdal

    Thursday, April 19, 2018 3:00 PM
  • If I want to delete the values of this attribute, is this correct?

    Set-ADUser -Remove @{"userWorkstations"}

    Yes, that's right.
    • Marked as answer by _Birdal Thursday, April 19, 2018 3:09 PM
    • Unmarked as answer by _Birdal Thursday, April 19, 2018 3:25 PM
    Thursday, April 19, 2018 3:02 PM
  • Hi Toby,

    I used the following to delete userWorkstations values, but I get an error:

    Get-ADUser -LDAPFilter "(samaccountname=*string*)" -Properties userWorkstations | foreach {
    
        $_ | Set-ADUser -Remove @{"userWorkstations"}
    }

    Error:

    At C:\adm\ad\Delete_LDAP_userWorkstations_Attribute.ps1:17 char:49
    +     $_ | Set-ADUser -Remove @{"userWorkstations"}
    +                                                 ~
    Missing '=' operator after key in hash literal.
    At C:\adm\ad\Delete_LDAP_userWorkstations_Attribute.ps1:15 char:90
    + ... ions | foreach {
    +                    ~
    Missing closing '}' in statement block.
        + CategoryInfo          : ParserError: (:) [], ParseException
        + FullyQualifiedErrorId : MissingEqualsInHashLiteral

    Best Regards

    Birdal

    Thursday, April 19, 2018 3:14 PM
  • Sorry, my fault. You should use:

     $_ | Set-ADUser -Clear userWorkstations

    -Remove only removes the specific value you provide using the hashtable @{"userWorkstations"="specificvalue"}

    Thursday, April 19, 2018 3:24 PM
  • OK, I solved it.

    The correct one is:

    Get-ADUser -LDAPFilter "(samaccountname=*string*)" -Properties userWorkstations | foreach {
    
        $_ | Set-ADUser -Clear "userWorkstations"
    }

    Best regards

    Birdal


    • Marked as answer by _Birdal Thursday, April 19, 2018 3:25 PM
    • Edited by _Birdal Thursday, April 19, 2018 3:27 PM
    Thursday, April 19, 2018 3:25 PM
  • OK, I solved it.

    The correct one is:

    Get-ADUser -LDAPFilter "(samaccountname=*string*)" -Properties userWorkstations | foreach {
    
        $_ | Set-ADUser -Clear "userWorkstations"
    }

    Best regards

    Birdal


    Not necessary:

    Get-ADUser -LDAPFilter '(samaccountname=*string*)' | Set-ADUser -Clear userWorkstations

    This is why you should take the time to learn PowerShell. 


    \_(ツ)_/

    • Proposed as answer by jrv Thursday, April 19, 2018 4:52 PM
    Thursday, April 19, 2018 4:52 PM