Your basic ITPro blog... What's going on at work, what I'm interested in.

Wednesday, March 26, 2008

User Account Management

We had a very practical problem that we needed to solve today.

In the past, we had used the properties in the 'Profile' tab of AD user accounts to manage login scripts and home folders. We are now, however, using group policies to manage this stuff. We have been 'cleaning' our user accounts over time, removing these settings. But, the task was not yet done. And, we didn't know which accounts had been processed and which hadn't.

This morning, we decided to tackle this problem once and for all. At first, we were just going to sit down and go through our accounts, one by one, and delete the logon script and home folder settings. This, as you can imagine, would have taken a while. So, we thought, let's see if PowerShell can help us out... Of course it can!

The first thing I did was go into my test environment and create these settings in a user account. Then, using the Quest cmdlets, I checked to see if these properties were available. The problem was, these properties are not, by default, exposed. That is, if I Get-QADUser to variable $user and then type '$user.' tab completion does not show these properties.

And here is where I learned something today...

Typing 'Get-QADUser -IncludeAllProperties -ReturnPropertyNamesOnly' gives you a list of all the properties available, not just the default properties that the cmdlet wants you to see. In this expanded list you see, among many others, "scriptPath" and "homeDirectory".

With this information, finding and changing these property settings became as easy as a couple of one-liners... specifically:

Get-QADUser -ObjectAttributes @{scriptPath="netuse.bat"} | ForEach-Object {Set-QADUser $_.DN -ObjectAttributes @{scriptPath=''}}

and

Get-QADUser -ObjectAttributes @{homeDirectory="*"} | ForEach-Object {Set-QADUser $_.DN -ObjectAttributes @{homeDirectory=''}}

There were 30-40 accounts with logon scripts defined and around 25 accounts with home directories. These were spread among over 350 user accounts total! I think that researching and finding this scripted way of doing this was a good investment of time and energy.
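
A variation on the one-liners above, added here as an example and not part of the original post: it finds every account that still has either attribute set, writes the current values to a CSV so they can be reviewed or put back, and only then clears them. The snap-in name, the backup path and the function names are assumptions; -WhatIf is left on so the first run only reports what would change.

```powershell
# Added example (not from the original post). Assumes the Quest AD cmdlets are installed.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Hypothetical backup location; adjust to your environment.
$backup = 'C:\Temp\profile-settings-backup.csv'

function Get-ProfileTabUsers {
    # One LDAP query for accounts where scriptPath OR homeDirectory is populated.
    # -SizeLimit 0 lifts the cmdlet's default result cap.
    Get-QADUser -SizeLimit 0 `
        -LdapFilter '(|(scriptPath=*)(homeDirectory=*))' `
        -IncludedProperties scriptPath, homeDirectory
}

function Clear-ProfileTabSettings([string]$BackupPath) {
    $users = @(Get-ProfileTabUsers)

    # Record the values before touching anything.
    $users | Select-Object DN, SamAccountName, scriptPath, homeDirectory |
        Export-Csv -Path $BackupPath -NoTypeInformation

    foreach ($u in $users) {
        # Clear only the attributes that are actually set on this account.
        $clear = @{}
        if ($u.scriptPath)    { $clear['scriptPath'] = '' }
        if ($u.homeDirectory) { $clear['homeDirectory'] = '' }
        # Remove -WhatIf once the CSV has been reviewed.
        Set-QADUser $u.DN -ObjectAttributes $clear -WhatIf
    }
    "{0} accounts processed; previous values saved to {1}" -f $users.Count, $BackupPath
}

function Restore-ProfileTabSettings([string]$BackupPath) {
    # Put the recorded values back from the CSV written above.
    Import-Csv -Path $BackupPath | ForEach-Object {
        $restore = @{}
        if ($_.scriptPath)    { $restore['scriptPath'] = $_.scriptPath }
        if ($_.homeDirectory) { $restore['homeDirectory'] = $_.homeDirectory }
        if ($restore.Count -gt 0) {
            Set-QADUser $_.DN -ObjectAttributes $restore -WhatIf
        }
    }
}

Clear-ProfileTabSettings -BackupPath $backup
```

Re-running Get-ProfileTabUsers afterwards should return nothing, which also answers the "which accounts have been processed" question.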
