I'm attempting to write a script that checks an AD OU for any accounts that are enabled, or set to not have a password required, or password never to expire, or not set to be hidden from the address list. Then, the script will disable any of those for security purposes. Here's the script so far:
Function Update-ADUser
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$user
    )
    BEGIN{}
    PROCESS{
        Set-ADUser -instance $user -Server dc01
    }
    END{}
}
$lostUsers = Get-ADUser -filter {PasswordNotRequired -eq $true -or PasswordNeverExpires -eq $true -or Enabled -eq $true -or msExchHideFromAddressLists -eq $false } -SearchBase "OU=Lost Users,OU=DEPT,DC=School,DC=edu" -Server dc01 -properties enabled, PasswordNeverExpires, PasswordNotRequired, msExchHideFromAddressLists
foreach ($user in $lostUsers)
{
    if ($user.PasswordNotRequired -eq $true)
    {
        $user.PasswordNotRequired = $false
    }
    if ($user.PasswordNeverExpires -eq $true)
    {
        $user.PasswordNeverExpires = $false
    }
    if ($user.msExchHideFromAddressLists -ne $true )
    {
        $user.msExchHideFromAddressLists = $true
    }
    if ($user.Enabled -eq $true)
    {
        $user.Enabled = $false
    }
    Update-ADUser -user $user
}
Most of the script runs fine. $lostUsers creates an array that uses Get-ADUser to search for only records that have one of the attributes required. Then my foreach/if statements set each attribute to what it should be for each record.
My problem occurs when I call the Update-ADUser function. I keep getting an error, Set-ADUser : The instance parameter object must be of type: 'Microsoft.ActiveDirectory.Management.ADUser'.
I tried removing the [string] from [string]$user in the function but that gives me another error, Set-ADUser : The server is unwilling to process the request.
I'm using a domain admin account to run the script, so I know that's not causing this error.
I could use Set-ADUser in each if statement, instead of calling the Update-ADUser function, but that doesn't seem efficient as the script is then making up to four changes per record instead of just one with the function. I also thought about just using one statement to change all four attributes for all the found records, but that seems inefficient as well since some attributes were already correctly set and would thus just be written over again.
I can't figure out why the Set-ADUser command isn't working. I basically copied the syntax from the Set-ADUser help. Can anyone enlighten me on this?
Dunno what I'm missing here but wouldn't replacing the line (at the very end of your foreach)
Update-ADUser -user $user
with...
Set-ADUser -instance $user -Server dc01
...do exactly what you want?
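An added example, not part of the original question or answer: one way to get a single write per account that touches only the attributes that deviate, by building the Set-ADUser parameters per user and splatting them. The function name Get-LostUserFix and the two sample accounts are hypothetical and constructed for illustration; the OU path and server name are the ones from the question.

```powershell
# Added example: decide per account which settings need changing, then make one call.
function Get-LostUserFix {
    param([Parameter(Mandatory)] $User)   # ADUser, or any object with the same properties

    $fix = @{}
    if ($User.PasswordNotRequired)  { $fix.PasswordNotRequired  = $false }
    if ($User.PasswordNeverExpires) { $fix.PasswordNeverExpires = $false }
    if ($User.Enabled)              { $fix.Enabled              = $false }
    # An unset ($null) value counts as "not hidden", same as the -ne $true test in the question.
    if ($User.msExchHideFromAddressLists -ne $true) {
        # Set-ADUser has no named parameter for this attribute, so it goes through -Replace.
        $fix.Replace = @{ msExchHideFromAddressLists = $true }
    }
    return $fix
}

# Constructed sample objects, so the decision logic can be checked without a domain.
$samples = @(
    [pscustomobject]@{ SamAccountName = 'lost1'; Enabled = $true;  PasswordNotRequired = $false
                       PasswordNeverExpires = $true;  msExchHideFromAddressLists = $null }
    [pscustomobject]@{ SamAccountName = 'lost2'; Enabled = $false; PasswordNotRequired = $false
                       PasswordNeverExpires = $false; msExchHideFromAddressLists = $true }
)
foreach ($s in $samples) {
    $fix = Get-LostUserFix -User $s
    '{0}: {1}' -f $s.SamAccountName, (($fix.Keys | Sort-Object) -join ', ')
}

# Against the directory; runs only where the ActiveDirectory module is available.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $props = 'Enabled', 'PasswordNeverExpires', 'PasswordNotRequired', 'msExchHideFromAddressLists'
    $lostUsers = Get-ADUser -Filter * -SearchBase 'OU=Lost Users,OU=DEPT,DC=School,DC=edu' `
                            -Server dc01 -Properties $props
    foreach ($user in $lostUsers) {
        $fix = Get-LostUserFix -User $user
        if ($fix.Count -gt 0) {
            # -WhatIf only reports what would change; remove it to apply.
            Set-ADUser -Identity $user -Server dc01 @fix -WhatIf
        }
    }
}
```

Every account in the OU is read and evaluated client-side here, so accounts where msExchHideFromAddressLists was never set are also picked up.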