stackoom
  简体   繁体   中英

Powershell set-aduser isn't updating AD?

 原文  2015-07-29 07:07:45       powershell/ active-directory

Question

I'm using Powershell to play around with Active Directory and, though I can get stuff out, I'm having troubles making changes.

I don't think it's a permissions problem since I'm not actually seeing an error with the test entry that was set up for me, something I do see if I try to change a different entry.

I'm using psexec (since runas has no command-line password parameter) to run Powershell as a different domain user, since my own account doesn't have rights to change AD. Executing whoami within Powershell confirms I'm running as the correct user.

What I'm doing basically boils down to:

PS C:\Temp> get-aduser -identity Xyzzy.Test -properties surname
    DistinguishedName : CN=Xyzzy Test,OU=Users,DC=company,DC=com
    Enabled           : True
    GivenName         : Xyzzy
    Name              : Xyzzy Test
    ObjectClass       : user
    ObjectGUID        : b1d2a3ff-3ee4-56b7-bc89-12ad345678a9
    SamAccountName    : Xyzzy.Test
    SID               : S-1-5-21-9999999999-888888888-77777777-66666
    Surname           : Test
    UserPrincipalName : Xyzzy.Test@company.com

PS C:\Temp> set-aduser -identity Xyzzy.Test -surname "xyzzy"

Then, when I again run the same get-aduser , I find the surname hasn't changed at all.

It seems to be failing silently since there is no error produced by the set-aduser .

What could cause this to not work yet not report an error?

1 answers

solution1
 4 ACCPTED  2015-07-29 20:42:38

This might not be the cause of your specific issue, but it has been an issue for me in the past so it may help someone else at least.

The AD cmdlets automatically determine which domain controller to use. They don't necessarily use the same DC from one command to another. That means you might update a DC, then make a query that hits another DC which hasn't yet had the changes replicated to it.

For this reason I suggest that when working on an operation you want to be somewhat atomic, typically all of the interaction you'll do with AD in a single function or script, you make sure to explicitly use the same DC.

The way to do this is with the -Server parameter.

Since it's annoying to keep specifying -Server on every call, you can use$PSDefaultParameterValues for this purpose.

$PSDefaultParameterValues = @{
    "*-AD*:Server" = "MyDC"
}

Possibly even better, find a DC at runtime:

$PSDefaultParameterValues = @{
    "*-AD*:Server" = Get-ADDomainController -Writable -Discover -Service ADWS -ForceDiscover | Select-Object -ExpandProperty Name
}

Don't use a script block (like I had before my edit) because it will re-run that block on every call, which will give you a different DC every time (just what you're trying to avoid).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cannot convert Error on updating a attribute in ad using set-aduser Powershell Set-ADUser doesn't run in scheduled task Unable to update AD fields with Set-ADUser Set-ADUser address attribute using PowerShell Powershell: Error wieth Set-ADUser powershell Set-Aduser Credentials - how to automate? PowerShell Set-ADUser properties with Foreach Set-ADuser: Is it possible to use DisplayName to update a user attribute in AD? Set-ADuser in Foreach set-aduser attributes different than AD properties?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM