Modifying Directory Service Objects with Windows PowerShell
Modifying an object is equivalent to writing an attribute to an existing object in Active Directory. If an attribute contains a value, modifying it will clear the existing value and replace it with a different value.
Typically, the type of modification you make to an object will depend on the type of object you want to modify and various characteristics of the attribute — for example, whether the attribute holds a single value or multiple values. For simplicity, however, the following task descriptions illustrate how to write a single value to the same attribute in three different objects.
Modifying attributes of Active Directory objects involves three basic steps:
1. Connect to the Active Directory object you want to modify.
2. Modify one or more of the object’s attributes.
3. Commit the change to Active Directory.
The goal of the three scripts in this section is to write an attribute to each of the objects created in the "Creating Directory Service Objects" blog post. The objects include the HR OU, the MyerKen user account, and the Atl-Users global group. The description attribute is contained in all three of these objects, so it is used as the attribute to modify.
Modifying an Attribute of an OU
The following script modifies the description attribute of the OU named HR in the na.fabrikam.com domain. The description attribute is assigned the value Human Resources. To carry out this task, the script performs the following steps:
1. Connect to the HR OU object in the na.fabrikam.com domain.
In contrast with the create task, the HR OU is referred to as an object rather than a container because the task completed in this script is to write an attribute of an object.
2. Modify the object’s attributes by assigning the description attribute the value Human Resources.
3. Commit the change to the OU in Active Directory.
Writing the description Attribute to an OU
$objOU = [ADSI]"LDAP://localhost:389/ou=HR,dc=NA,dc=fabrikam,dc=com"
$objOU.Put("description", "Human Resources")
$objOU.SetInfo()
Modifying an Attribute of a User Account
The following script modifies the description attribute of the user account named MyerKen in the HR OU of the na.fabrikam.com domain. The description attribute is assigned the value HR employee. To carry out this task, the script performs the following steps:
1. Connect to the MyerKen user account object in the HR OU of the na.fabrikam.com domain.
2. Modify the object’s attributes by assigning the description attribute the value HR employee.
3. Commit the change to the user account in Active Directory.
Writing the description Attribute to a User Account
$objUser = [ADSI]"LDAP://localhost:389/cn=MyerKen,ou=HR,dc=NA,dc=fabrikam,dc=com"
$objUser.Put("description", "HR employee")
$objUser.SetInfo()
Modifying an Attribute of a Group
The following script modifies the description attribute of the group account named Atl-Users in the HR OU of the na.fabrikam.com domain. The description attribute is assigned the value of Atlanta users. To carry out this task, the script performs the following steps:
1. Connect to the Atl-Users group in the HR OU of the na.fabrikam.com domain.
2. Modify the object’s attributes by assigning the description attribute the value Atlanta users.
3. Commit the change to the group in Active Directory.
Writing the description Attribute to a Group
$objGroup = [ADSI]"LDAP://localhost:389/cn=Atl-users,ou=HR,dc=NA,dc=fabrikam,dc=com"
$objGroup.Put("description", "Atlanta users")
$objGroup.SetInfo()
Important observations about the scripts in this section are:
- They perform the same basic steps: They connect to an Active Directory object, modify an attribute of the object, and write the change to the corresponding Active Directory object.
- They use the same method (Put) without regard to the class of object being modified.
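The same connect, Put, SetInfo sequence applied to all three objects, as an added example that is not part of the original post: it records the value being replaced, surfaces commit errors raised by SetInfo, and re-reads the object from the directory to confirm the write. Set-DirectoryDescription is a hypothetical helper name; the paths and values are the ones used above.

```powershell
# Added example, not from the original post. Set-DirectoryDescription is a
# hypothetical helper; paths and values are the ones used on this page.
function Set-DirectoryDescription {
    param(
        [Parameter(Mandatory = $true)][string]$AdsPath,
        [Parameter(Mandatory = $true)][string]$Description
    )

    # Step 1: connect. Binding is lazy, so check that the object exists first.
    if (-not [ADSI]::Exists($AdsPath)) {
        throw "Object not found or not readable: $AdsPath"
    }
    $obj = [ADSI]$AdsPath

    # Capture the value about to be replaced ($null if the attribute is unset).
    $old = $obj.psbase.Properties["description"].Value

    # Step 2: Put changes only the local property cache.
    $obj.Put("description", $Description)

    # Step 3: SetInfo sends the write; access-denied and constraint
    # errors surface here, not at Put.
    try { $obj.SetInfo() }
    catch { throw "Commit failed for ${AdsPath}: $($_.Exception.Message)" }

    # Reload from the directory and confirm what was actually stored.
    $obj.psbase.RefreshCache()
    $new = $obj.psbase.Properties["description"].Value

    # Emit a change record: who changed what, when, from which value.
    New-Object PSObject -Property @{
        Time     = (Get-Date).ToUniversalTime().ToString("o")
        Actor    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Path     = $AdsPath
        OldValue = $old
        NewValue = $new
        Verified = ([string]$new -eq $Description)
    }
}

$base = "LDAP://localhost:389/"
$suffix = "dc=NA,dc=fabrikam,dc=com"
$changes = @(
    @("ou=HR,$suffix", "Human Resources"),
    @("cn=MyerKen,ou=HR,$suffix", "HR employee"),
    @("cn=Atl-users,ou=HR,$suffix", "Atlanta users")
)
foreach ($c in $changes) {
    Set-DirectoryDescription -AdsPath ($base + $c[0]) -Description $c[1]
}
```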
Arul Kumaravel
Development Manager
Windows PowerShell
Microsoft Corporation
PSMDTAG:FAQ: How to modify directory Services objects ?
PSMDTAG:FAQ: How to modify ADSI objects?
Comments
- Anonymous
August 04, 2006
a note on setting properties,
if you use AD (not ADAM) you can also set the property directly,
also the setinfo ( commitchanges()) will be called automagically.
So :
$objUser.Put("description", "HR employee")
$objUser.SetInfo()
can be replaced by
$objUser.Description = "HR employee"
Greetings //o//