Microsoft Exchange, Powershell, AD, MOM...

Tuesday, 6 November 2007

Active Directory User Management with PowerShell Part I

For anyone searching the net for Microsoft's new, powerful shell it may sound like a cliché, but it is true: as with so many other topics, PowerShell makes your life a lot easier when it comes to Active Directory management. Most daily AD administration can be handled easily with the Active Directory Users and Computers MMC console. But what if you want to work with an attribute that cannot be seen from this GUI? That is when adsiedit.msc joins the game. And what if you have to work with 1000 objects instead of a few? I heard some say ADModify.exe!! These are great tools that help AD admins manage their systems, but each of them has its limitations, and together they lead us to use too many GUI tools for one single job:

AD Management!!

For example, to assign an AD user to a variable in PowerShell, bind to it by its full LDAP path (note the CN= prefix on the user's relative distinguished name):
PS C:\ps> $user1=[ADSI]"LDAP://CN=Can Dedeoglu,OU=Users,DC=domain,DC=tr"

To get the value of the variable, just call it by name:
PS C:\ps> $user1

distinguishedName
-----------------
{CN=Can Dedeoglu,OU=Users,DC=domain,DC=tr}

As seen from the output, $user1 is now an ADSI object, completely representing the user identified by its LDAP path. To see the attributes of that object, pipe it to Get-Member:
PS C:\ps> $user1 | get-member
TypeName: System.DirectoryServices.DirectoryEntry
Name MemberType Definition
---- ---------- ----------
accountExpires Property System.DirectoryServices.PropertyValueCollection accountExpires {get;set;}
adminCount Property System.DirectoryServices.PropertyValueCollection adminCount {get;set;}
authOrigBL Property System.DirectoryServices.PropertyValueCollection authOrigBL {get;set;}
badPasswordTime Property System.DirectoryServices.PropertyValueCollection badPasswordTime {get;set;}
badPwdCount Property System.DirectoryServices.PropertyValueCollection badPwdCount {get;set;}
cn Property System.DirectoryServices.PropertyValueCollection cn {get;set;}
codePage Property System.DirectoryServices.PropertyValueCollection codePage {get;set;}
company Property System.DirectoryServices.PropertyValueCollection company {get;set;}
countryCode Property System.DirectoryServices.PropertyValueCollection countryCode {get;set;}
deletedItemFlags Property System.DirectoryServices.PropertyValueCollection deletedItemFlags {get;set;}
department Property System.DirectoryServices.PropertyValueCollection department {get;set;}
displayName Property System.DirectoryServices.PropertyValueCollection displayName {get;set;}
distinguishedName Property System.DirectoryServices.PropertyValueCollection distinguishedName {get;set;}
...
Here is the full list for my environment (an Exchange-enabled user, hence the msExch* and mailbox attributes):
accountExpires, adminCount, authOrigBL, badPasswordTime, badPwdCount, cn, codePage, company, countryCode, deletedItemFlags, department, displayName, distinguishedName, dSCorePropagationData, extensionAttribute1, extensionAttribute2, extensionAttribute3, extensionAttribute4, extensionAttribute5, extensionAttribute6, garbageCollPeriod, givenName, homeMDB, homeMTA, instanceType, l, lastLogoff, lastLogon, lastLogonTimestamp, legacyExchangeDN, logonCount, mail, mailNickname, mDBUseDefaults, memberOf, mobile, msExchALObjectVersion, msExchHomeServerName, msExchMailboxGuid, msExchMailboxSecurityDescriptor, msExchPoliciesIncluded, msExchUserAccountControl, mSMQDigests, mSMQSignCertificates, name, nTSecurityDescriptor, objectCategory, objectClass, objectGUID, objectSid, physicalDeliveryOfficeName, primaryGroupID, proxyAddresses, pwdLastSet, sAMAccountName, sAMAccountType, servicePrincipalName, showInAddressBook, sn, telephoneNumber, textEncodedORAddress, title, userAccountControl, userPrincipalName, uSNChanged, uSNCreated, whenChanged, whenCreated
To see how many times this user has logged on to the system, use the "logonCount" attribute:
PS C:\ps> $user1.logoncount
4758

Another example:
PS C:\ps> $user1.department

SYSTEM & DATABASE OPERATION DEPARTMENT

OK, this is a good method if you know the exact LDAP path of the user you want to work with, but most of the time this is not the case!! In that case, search for the object instead. DirectorySearcher takes an LDAP filter; here it matches any user whose CN starts with "Can":

PS C:\ps> $adsearcher=New-Object System.DirectoryServices.DirectorySearcher("(&(CN=Can*)(objectClass=User))")
PS C:\ps> $adsearcher.findall()

Result is:
LDAP://CN=Can Dedeoglu,OU=Users,OU=AVEA,DC=tt-tim,DC=tr {homemdb, physicaldeliveryofficename, distinguishedname,...
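Going one step further with the same DirectorySearcher and DirectoryEntry classes, here is an added example (not code from the original post) that walks every user under one OU and reports the attributes an administrator usually wants to audit: logon and bad-password counts, password age, the disabled and password-never-expires bits of userAccountControl, and whether adminCount is set. The search base "LDAP://OU=Users,DC=domain,DC=tr" and the Get-Prop helper are my own assumptions; replace the path with your own OU.

```powershell
# Added example, not part of the original post. Assumes a placeholder search base;
# adjust $SearchBase to an OU in your own domain.

# Return the first value of an attribute, or $null when the object does not carry it
# (many attributes, e.g. adminCount, are simply absent on ordinary users).
function Get-Prop($props, [string]$name) {
    if ($props[$name].Count -gt 0) { $props[$name][0] } else { $null }
}

function Get-UserAuditReport {
    param(
        [string]$SearchBase = "LDAP://OU=Users,DC=domain,DC=tr",   # placeholder, assumed
        [int]$MaxBadPwd = 5                                        # threshold for reporting lockout pressure
    )
    $root = [ADSI]$SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectCategory=person excludes computer accounts, which also have objectClass=user
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $searcher.PageSize = 1000          # enable paging so OUs with >1000 users are fully enumerated
    $null = $searcher.PropertiesToLoad.AddRange(@(
        "sAMAccountName", "logonCount", "badPwdCount", "pwdLastSet", "userAccountControl", "adminCount"))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties          # keys are returned in lowercase
        # pwdLastSet is a 64-bit FILETIME; 0 means "user must change password at next logon"
        $pls = [int64](Get-Prop $p "pwdlastset")
        if ($pls -gt 0) { $pwdSet = [DateTime]::FromFileTime($pls) } else { $pwdSet = $null }
        $uac = [int](Get-Prop $p "useraccountcontrol")
        $bad = [int](Get-Prop $p "badpwdcount")
        New-Object PSObject -Property @{
            Account      = [string](Get-Prop $p "samaccountname")
            LogonCount   = [int](Get-Prop $p "logoncount")
            BadPwdCount  = $bad
            PwdLastSet   = $pwdSet
            Disabled     = (($uac -band 0x0002) -ne 0)     # ACCOUNTDISABLE
            NoPwdExpiry  = (($uac -band 0x10000) -ne 0)    # DONT_EXPIRE_PASSWORD
            AdminCount   = ([int](Get-Prop $p "admincount") -eq 1)   # set by AdminSDHolder on protected groups
            NearLockout  = ($bad -ge $MaxBadPwd)
        }
    }
}

# Show only the accounts worth a second look: near lockout, never-expiring passwords, or protected admins.
Get-UserAuditReport | Where-Object { $_.NearLockout -or $_.NoPwdExpiry -or $_.AdminCount } |
    Format-Table Account, LogonCount, BadPwdCount, PwdLastSet, Disabled, NoPwdExpiry, AdminCount -AutoSize
```

badPwdCount is not replicated between domain controllers, so for an accurate lockout picture run the report against the PDC emulator or each DC in turn.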

I'll give more examples and details in the next post..
