Powershell – How to add a to the description field in ADUC using Powershell/Exchange Management Shell

active-directoryexchange-2007powershell

This is my first attempt at Powershell so bear with me if I have overlooked something simple. I've spent several days digging around online and have yet to come up with a good answer as to how to go about adding data to the Description field under the General tab in ADUC. I seem to be able to get everything else added just fine. I've referenced the Attribute Editor and it shows it as being called "description" but obviously that's not the case (or so it seems). I also noticed "Notes" was called "Info" in there, so I guess I can't use the Attribute Editor as a definitive source.

Anyway, I've found a few good references online to help me with this script, basically just wanting to be able to add a new user in AD via Exchange Management Shell, so some of this may look familiar to those that frequent Powershell forums.

#Define Environment Variables
$exchangeserver="EXCH07" 
$userou="OU=Users,DC=Company,DC=Com"
$companyname="XYZ"
$mailboxdatabase="Mailbox Database"

#Prompt for Username and Password
$firstname = read-host -prompt "Enter First Name"
$lastname = read-host -prompt "Enter Last Name"
$username = read-host -prompt "Enter User Name"
$department = read-host -prompt "Enter Department"
$title = read-host -prompt "Enter Job Title"
$manager = read-host -prompt "Enter Manager Username"
$phone = read-host -prompt "Enter Telephone Number"
$Name=$Lastname+", "+$Firstname
$accountpassword = read-host -assecurestring -prompt "Enter Password"
$upn = $username+ "@Company.com"
$description = read-host -prompt "Enter Description"
$office = read-host -prompt "Enter Office Location"
$notes = read-host -prompt "Enter the Organizational Chart Number"

#Create user and enable mailbox
New-Mailbox  -name $name -userprincipalname $upn -Alias $username -OrganizationalUnit $userou -SamAccountName $username -FirstName $FirstName -Initials '' -LastName $LastName -Password $accountpassword -ResetPasswordOnNextLogon $false -Database $mailboxdatabase

#Pause for 20 seconds for AD 
write-host -foregroundcolor Green "Pausing for 20 seconds for AD Changes"
Start-Sleep -s 20 

#Set user properties
Get-Mailbox $username | Set-User -Company $companyname -Department $department -title $title -Manager $manager -phone $phone -office $office -notes $notes -description $description

exit

When I rem out the -description line, it works fine, if I leave it in there it gives me an error "Set-User : A parameter cannot be found that matches parameter name 'description
'." I've seen references to using ADSI instead but It would be nice if this would work as every other field I've populated works just fine. Anyone have any suggestions as to what it might be called, or a valid reason why it simply won't work? I'm also posting a question with regards to giving rights to a folder via PS, but putting that in a separate question.

Best Answer

You are getting the error because you cannot set the description field using Set-User. This is an exchange CMDLET which does not allow for modification of that attribute. To modify the description attribute, you will need to use Set-ADUser. This is available in the Active Directory module. You can Import the Active Directory module using Import-module activedirectory. Something like this should help:

Import-Module ActiveDirectory
Set-ADUser -Company $companyname -Department $department -title $title -Manager $manager -officephone $phone -office $office -description $description

You will still need to set the "notes" attribute using Set-User.

Related Solutions

Security – Grant account write access to specific attributes on Active Directory User object

While @sysdmin1138 answer was correct it's worth mentioning that changing the scope is not the only reason why things are missing from the view. There are things that invisible by default.

Some objects such as physicalDeliveryOfficeName are hidden from view so you can't delegate them easily. A lot of other attributes are also hidden, but physicalDeliveryOfficeName is very specific and can be good example on how things works for Delegation.

The Per-Property Permissions tab for a user object that you view through Active Directory Users and Computers may not display every property of the user object. This is because the user interface for access control filters out object and property types to make the list easier to manage. While the properties of an object are defined in the schema, the list of filtered properties that are displayed is stored in the Dssec.dat file that is located in the %systemroot%\System32 folder on all domain controllers. You can edit the entries for an object in the file to display the filtered properties through the user interface.

A filtered property looks like this in the Dssec.dat file:

[User]
propertyname=7

To display the read and write permissions for a property of an object, you can edit the filter value to display one or both of the permissions. To display both the read and write permissions for a property, change the value to zero (0):

[User]
propertyname=0

To display only the write permission for a property, change the value to 1:

[User] 
propertyname=1

To display only the read permissions for a property, change the value to 2:

[User]
propertyname=2

After you edit the Dssec.dat file, you must quit and restart Active Directory Users and Computers to see the properties that are no longer filtered. The file is also machine specific so changing it on one machine doesn’t update all others. It’s up to you whether you want it visible everywhere or not.

Full story about physicalDeliveryOfficeName and how to change it with screenshots can be read at my blog.

PS1. Since physicalDeliveryOfficeName is special case, after modifying this setting look for Read/Write Office Location. Unfortunately the name physicalDeliveryOfficeName never shows up.

PS2. Unless those settings are uncovered by modifying dssec.dat you won't be able to see them. Since this file is per computer it's entirely possible it's visible on some computers and not visible on others depending whether someone made the change earlier or not. This could explain why you could see it before and not later on.

PS3. Sorry for resurrection but just spent few hours trying to find the cause so thought I would share it for future reference.

Managing SharePoint permissions via Active Directory

If you have a "Manager" AD Group set as a certain permission in SharePoint, then that permission level will populate for all the users that is in that group. Any managers that are added to the AD Group will propagate to the associated permissions effective almost immediately. The problem in there lies that you would like to seperate permissions based on data from AD other than that of the group itself.

AD Groups are the best way to go. They can be easily updated, easy to track in AD, and SharePoint doesnt have to track all the users. Just assign the AD group to the permission level of the site collection, site, list, folder, or document.

Best Answer

Related Solutions

Security – Grant account write access to specific attributes on Active Directory User object

Managing SharePoint permissions via Active Directory

Related Topic