检查和更新 AD 用户的多个属性

Question

I am trying to do an update to Active Directory from a CSV. I want to check each value to see if the AD and CSV values match. If the AD value and CSV values don't match, then I want to update the AD value. finally I want to create a log of the values changed, which would eventually be exported to a CSV report.

Now there is about 30 values I want to check. I could do an if statement for each value, but that seems like the hard way to do it.

I am try to use a function, but I cant seem to get it working. I am getting errors like:

set-ADUser : replace
At line:94 char:9
+         set-ADUser -identity $ADUser -replace @{$ADValue = $DIAccount ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (JDoe:ADUser) [Set-ADUser], ADInvalidOperationException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.SetADUser

set-ADUser : The specified directory service attribute or value does not exist
Parameter name: Surname
At line:94 char:9
+         set-ADUser -identity $ADUser -replace @{$ADValue = $DIAccount ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (JDoe:ADUser) [Set-ADUser], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.SetADUser

Any suggestions would be welcome Code I am using:

Function AD-Check ($ADValue, $ADUser, $ADAccount, $UpdateAccount)
{
    If ($ADAccount -ne $UpdateAccount)
    {
        set-ADUser -identity $ADUser -replace @{$ADValue = $UpdateAccount}
        $Change = "Updated"
    }
    Else
    {
        $Change = "No Change"
    }
 
    Return $Change
}

$Import = get-content C:\temp\ADUpdates.csv

Foreach ($user in $Import)
{
    $Account = get-aduser $User.Samaccountname -Properties *

    #First Name Check
    $Test = AD-Check "GivenName" $Account.samaccountname $Account.givenname $user.givenname
    $ChangeGivenName = $Test

    #Initials Check
    $Test = AD-Check "Initials" $Account.samaccountname $Account.Initials $user.Initials
    $ChangeInitials = $Test

    #Last Name Check
    $Test = AD-Check "Surname" $Account.samaccountname $Account.SurnameSurname $user.Surname
    $ChangeSurname = $Test
}

Reply to Theo, cant seem to add this any other way...

Thanks Theo, it seems to make sense, but getting an error.

Select-Object : Cannot convert System.Collections.Specialized.OrderedDictionary+OrderedDictionaryKeyValueCollection to one of the following types {System.String, 
System.Management.Automation.ScriptBlock}.

changed the following to get all properties for testing and it works.

$Account = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue -Properties $propsToCheck

Left the following and it kicks the error

$oldProperties = $Account | Select-Object $propsToCheck

Using the following just for testing:

$propertiesMap = [ordered]@{
    SamAccountName = 'sAMAccountName'
    mail           = 'mail'
    GivenName      = 'givenName'
    Initials       = 'initials'
    Surname        = 'sn'
    Office         = 'physicalDeliveryOfficeName'
    MobilePhone    = 'mobile'
    DistinguishedName = 'DistinguishedName'
}

Answer 1

Starting of with a WARNING:

Replacing user attributes is not something to be taken lightly and you need to check any code that does that on a set of testusers first.
Keep the -WhatIf switch to the Set-ADUser cmdlet so you can first run this without causing any problems to the AD.
Only once you are satisfied all goes according to plan, remove the -WhatIf switch.

Please carefully read all inline comments in the code.

In your code you use an input CSV file, apparently with properties and values to be checked/updated, but instead of using Import-Csv , you do a Get-Content on it, so you'll end up with just lines of text, not an array of parsed properties and values..

Next, as Mathias already commented, you need to use the LDAP attribute names when using either the -Add , -Remove , -Replace , or -Clear parameters of the Set-ADUser cmdlet.

To do what you intend to do, I would first create a hashtable to map the PowerShell attribute names to their LDAP equivalents. To see which property name maps to what LDAP name, you can use the table here

# create a Hashtable to map the properties you want checked/updated
# the Keys are the PowerShell property names as they should appear in the CSV
# the Values are the LDAP AD attribute names in correct casing.
$propertiesMap = [ordered]@{
    SamAccountName = 'sAMAccountName'
    GivenName      = 'givenName'
    Initials       = 'initials'
    Surname        = 'sn'
    Office         = 'physicalDeliveryOfficeName'
    Organization   = 'o'
    MobilePhone    = 'mobile'
    # etcetera
}

# for convenience, store the properties in a string array
$propsToCheck = $propertiesMap.Keys | ForEach-Object { $_.ToString() }

# import your CSV file that has all the properties you need checked/updated
$Import = Import-Csv -Path 'C:\temp\ADUpdates.csv'

# loop through all items in the CSV and collect the outputted old and new values in variable $result
$result = foreach ($user in $Import) {
    $sam = $user.SamAccountName
    # try and find the user by its SamAccountName and retrieve the properties you really want (not ALL)
    $Account = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue -Properties $propsToCheck
    if (!$Account) {
        Write-Warning "A user with SamAccountName '$sam' does not exist"
        continue  # skip this one and proceed with the next user from the CSV
    }
    # keep an object with the current account properties for later logging
    $oldProperties = $Account | Select-Object $propsToCheck

    # test all the properties and create a Hashtable for the ones that need changing
    $replaceHash = @{}
    foreach ($prop in $propsToCheck) {
        if ($Account.$prop -ne $user.$prop) {
            $ldapAttribute = $propertiesMap[$prop]       # get the LDAP name from the $propertiesMap Hash
            # If any of the properties have a null or empty value Set-ADUser will return an error.
            if (![string]::IsNullOrWhiteSpace($($user.$prop))) {
                $replaceHash[$ldapAttribute] = $user.$prop
            }
            else {
                Write-Warning "Cannot use '-Replace' with empty value for property '$prop'"
            }
        }
    }

    if ($replaceHash.Count -eq 0) {
        Write-Host "User '$sam' does not need updating"
        continue  # skip this one and proceed with the next user from the CSV
    }

    # try and do the replacements
    try {
        ##########################################################################################################
        # for safety, I have added a `-WhatIf` switch, so this wll only show what would happen if the cmdlet runs. 
        # No real action is performed when using '-WhatIf'
        # Obviously, there won't be any difference between the 'OLD_' and 'NEW_' values then
        ##########################################################################################################
        $Account | Set-ADUser -Replace $replaceHash -WhatIf
        # refresh the account data
        $Account = Get-ADUser -Identity $Account.DistinguishedName -Properties $propsToCheck
        $newProperties = $Account | Select-Object $propsToCheck
        # create a Hashtable with the old and new values for log output
        $changes = [ordered]@{}
        foreach ($prop in $propsToCheck) {
            $changes["OLD_$property"] = $oldProperties.$prop
            $changes["NEW_$property"] = $newProperties.$prop
        }
        # output this as object to be collected in variable $result
        [PsCustomObject]$changes
    }
    catch {
        Write-Warning "Error changing properties on user '$sam':`r`n$($_.Exception.Message)"
    }
}

# save the result as CSV file so you can open with Excel
$result | Export-Csv -Path 'C:\temp\ADUpdates_Result.csv' -UseCulture -NoTypeInformation