How do I find the DC ARS is using when in a script?

I am in a script making changes and then checking / verifying them. I want to look at the same DC both times. How do I determine what DC ARS is using?

Thanks

  • Hi  

    There a several different ways this might be done, but if you could explain your use case, that would help to give you the best options.

    Kind regards

    Stu

  • Hi Stu,

    I am setting up a script to do bulk password updates which is working fine. The only thing I am doing after the reset is going back to get the passwordlastset attribute info. I am guessing that the Set command goes to one DC and the Get is going to another, because the Get is showing the old passwordlastset info. So I want to force the Set and the Get commands to go to the same server. My thought was to use the server ARS is connected to.

  • Hi  

    If you're using the Active Roles cmdlets to reset the password, it will depend on whether you're connected to an Active Roles Administration Service (including the -Proxy parameter) or connecting direct to AD.

    If connecting to Active Roles, you need to add the LDAPServer as a control (-Control parameter); if you're connecting to AD, you can define the DC in the -Service parameter.

    The below is not perfect, but may meet your needs, or at least give you an example to work from. Note that I set UserMustChangePasswordAtNextLogon at the very end, otherwise the return value will be 01/01/1601 00:00:00.

    $DomainController = "DC.Domain.com"   # fallback DC when a CSV row has no LDAPServer column

    $UseARS = $false                      # $true = go through the Active Roles Administration Service (-Proxy)
    $ChangePasswordAtNextLogon = $true

    # CSV columns: Identity;Password;LDAPServer (LDAPServer optional).
    # The file holds plaintext passwords: restrict access to it and delete it when done.
    $Users = Import-Csv -Path "$($env:USERPROFILE)\Desktop\Users.csv" -Delimiter ";"

    # Reads pwdLastSet from the SAME DC the write goes to, so before/after values are comparable.
    # Through Active Roles the LDAPServer control pins the read; direct to AD, -Server does.
    Function Get-PwdLastSetFrom($Identity, $DC, $UseARS)
    {
        If($UseARS)
        {
            $u = Get-QADUser -Identity $Identity -DontUseDefaultIncludedProperties -IncludedProperties PwdLastSet -Control @{"LDAPServer"=$DC} -Proxy
            return $u.PwdLastSet
        }
        Else
        {
            $u = Get-ADUser -Identity $Identity -Properties PasswordLastSet -Server $DC
            return $u.PasswordLastSet
        }
    }

    ForEach($User in $Users)
    {
        If(([string]::IsNullOrEmpty($User.Identity)) -or ([string]::IsNullOrEmpty($User.Password)))  {continue}

        Write-Host "$($User.Identity)"

        # Pick the DC: per-row CSV column, then the script default, then the DC that authenticated this session
        If(-not [string]::IsNullOrEmpty($User.LDAPServer))
        {
            $DC = $User.LDAPServer
        }
        ElseIf(-not [string]::IsNullOrEmpty($DomainController))
        {
            $DC = $DomainController
        }
        Else
        {
            $DC = "$($env:LOGONSERVER)".Replace("\","")   # LOGONSERVER looks like \\DCNAME
        }

        # OperationReason is recorded in the Active Roles change history; LDAPServer pins the operation to $DC
        $Controls = @{"OperationReason"="Bulk password reset"; "LDAPServer"=$DC}

        $Start = Get-Date

        $Pre = Get-PwdLastSetFrom $User.Identity $DC $UseARS

        Try
        {
            If($UseARS)
            {
                Set-QADUser -Identity $User.Identity -Control $Controls -UserPassword "$($User.Password)" -Proxy -ErrorAction Stop | Out-Null
            }
            Else
            {
                # -ErrorAction Stop so that a failed reset actually reaches the Catch block
                Set-ADAccountPassword -Identity $User.Identity -NewPassword (ConvertTo-SecureString -String $User.Password -AsPlainText -Force) -Reset -Server $DC -ErrorAction Stop
            }
        }
        Catch
        {
            Write-Warning "`tPassword reset failed for $($User.Identity): $($_.Exception.Message)"
            continue
        }
        $Post = Get-PwdLastSetFrom $User.Identity $DC $UseARS

        $End = Get-Date

        If($UseARS)
        {
            # Read back which DC Active Roles actually used from the LDAPServer control recorded on the operation
            $LDAPServer = $null
            $Operations = @(Get-QARSOperation -InitiatedAfter $Start -InitiatedBefore $End -InitiatedByMe -Proxy)
            ForEach($Operation in $Operations)
            {
                ForEach($Control in $Operation.Controls)
                {
                    If($Control.Id -eq "LDAPServer") { $LDAPServer = $Control.Value }
                }
            }

            If($LDAPServer -and ($LDAPServer -ne $DC))
            {
                Write-Host "`tLDAP Server: $LDAPServer - Different Server (From Control)" -ForegroundColor Red
            }
            ElseIf($LDAPServer)
            {
                Write-Host "`tLDAP Server: $LDAPServer (From Control)"
            }
            Else
            {
                Write-Host "`tLDAP Server: Default (Not listed in control)"
            }
        }
        Else
        {
            Write-Host "`tLDAP Server: $DC (Use AD)"
        }
        Write-Host "`tPwdLastSet Before: $Pre"
        Write-Host "`tPwdLastSet After: $Post"
        If($Pre -eq $Post) { Write-Host "`tPwdLastSet did not change on $DC" -ForegroundColor Red }
        Write-Host "`t`tTime Taken: $((New-TimeSpan -Start $Start -End $End).TotalSeconds) seconds"

        # Set this last: once the flag is set, pwdLastSet reads back as 0 (01/01/1601 00:00:00)
        If($ChangePasswordAtNextLogon)
        {
            If($UseARS)
            {
                Set-QADUser -Identity $User.Identity -UserMustChangePassword $true -Control $Controls -Proxy | Out-Null
            }
            Else
            {
                Set-ADUser -Identity $User.Identity -ChangePasswordAtLogon $true -Server $DC
            }
        }
    }

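The reply above names two ways to pin a QAD cmdlet to one DC: the LDAPServer control when going through Active Roles, and the -Service parameter when talking to AD directly. The following is an added example, not code from the post or from the Active Roles product, that wraps both in one function so the read-before, the reset and the read-after all use the same connection parameters. It assumes the Quest/Active Roles Management Shell snap-in is loaded, that the QAD read cmdlets accept the same -Control hashtable the reply passes to Set-QADUser, and that "dc01.corp.example.com", "jdoe" and the placeholder password are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Quest ActiveRoles
# Management Shell snap-in; the DC name, user and password below are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

Function Reset-PasswordOnDC
{
    Param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$NewPassword,
        [Parameter(Mandatory)][string]$DC,
        [switch]$ViaActiveRoles
    )

    # One set of connection parameters reused for all three calls, so the
    # before-read, the write and the after-read hit $DC rather than whichever
    # DC Active Roles (or the DC Locator) happens to choose for each call.
    If($ViaActiveRoles)
    {
        # Through the Administration Service: -Proxy plus the LDAPServer control
        $conn = @{ Proxy = $true; Control = @{ LDAPServer = $DC; OperationReason = "Scripted reset" } }
    }
    Else
    {
        # Direct LDAP to the named DC, Active Roles not involved
        $conn = @{ Service = $DC }
    }

    $before = (Get-QADUser -Identity $Identity -DontUseDefaultIncludedProperties -IncludedProperties PwdLastSet @conn).PwdLastSet
    Set-QADUser -Identity $Identity -UserPassword $NewPassword -ErrorAction Stop @conn | Out-Null
    $after  = (Get-QADUser -Identity $Identity -DontUseDefaultIncludedProperties -IncludedProperties PwdLastSet @conn).PwdLastSet

    [pscustomobject]@{
        Identity = $Identity
        DC       = $DC
        Before   = $before
        After    = $after
        # $false here means the after-read did not see the write: either the reset
        # failed or the read and write still went to different DCs
        Changed  = ($after -ne $before)
    }
}

# Usage: direct to a DC, then the same reset routed via Active Roles
Reset-PasswordOnDC -Identity "jdoe" -NewPassword "ChangeMe-Example-1" -DC "dc01.corp.example.com"
Reset-PasswordOnDC -Identity "jdoe" -NewPassword "ChangeMe-Example-1" -DC "dc01.corp.example.com" -ViaActiveRoles
```

Splatting the same hashtable into every call is the point: if the LDAPServer control or -Service is only supplied on the Set, the Get is free to land on a different DC and you are back to reading a pwdLastSet that has not replicated yet. Keep in mind that the Changed flag is a replication-independent check only because both reads are pinned to the DC that took the write.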