Powershell – how to set multiple action on get-aduser “dataset”

active-directorypowershell

I'm trying to run a script that modify password for multiple AD user accounts, enable the accounts and force a password change at next logon.

I use this code but that's not work :

Get-ADUSER -Filter * -SearchScope Subtree -SearchBase "OU=myou,OU=otherou,DC=mydc,DC=local" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassord" -Force) | Enable-ADAccount | Set-ADUSER -ChangePasswordAtLogon $true

If I run the Get-ADuser line with ONLY one of the other line that's run fine ex :

Get-ADUSER -Filter * -SearchScope Subtree -SearchBase "OU=myou,OU=otherou,DC=mydc,DC=local" | Enable-ADAccount

Where I'm wrong ? I'm new to PowerShell probably I'm misunderstanding something.

Best Answer

Your pipeline doesn't work the way you expect it does.

$UserList=Get-ADUSER -Filter * -SearchScope Subtree -SearchBase "OU=myou,OU=otherou,DC=mydc,DC=local"
foreach ($User in $UserList) {
    Set-ADAccountPassword $User -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassord" -Force
    Enable-ADAccount $User
    Set-ADUSER $user -ChangePasswordAtLogon $true
}

Pipelines aren't good for multiple actions on the same object. They only work if each command in the pipeline forwards the same object as the initial object. For that, iterating through a loop makes a lot more sense.

Related Solutions

PowerShell: Get-ADUser Properties with åäö

Thanks to all the help here I got to the bottom of this odd behavior, much appreciated!

Turns out the "-Filter" argument accepts "åäö" interchangeably with "aao". This is not the doing of PowerShell but further down the stack (thanks @RyanRies for looking into it). That's the reason why the following snippet works:

$Company = "aao"
Get-ADUser -Filter "company -eq '$Company'" # Matches company "åäö"

It also turns out the query is not case sensitive, so this works too:

$Company = "AaO"
Get-ADUser -Filter "company -eq '$Company'" # Matches company "åäö"

Actually, "åäö" works too as long as it is a unicode query (thanks @Daniel):

$Company = "$([char]0x00E4)$([char]0x00E5)$([char]0x00F6)" # "åäö"
Get-ADUser -Filter "company -eq '$Company'" # Matches company "åäö"

In the end this leaves us with two options:

Replace "åäö" with "aao" in your queries. The output will be identical to using "åäö".
Replace "åäö" with unicode (@joel-coel, thanks for the nudge), e.g. with a script.

I chose to go with the second option and the outcome looks a bit like this:

function UniReplace($n){
    [char][int]"0x$n"
}

$Company = "åäö"
$Company = $Company -Replace 'ä',"$(UniReplace E4)"
$Company = $Company -Replace 'Ä',"$(UniReplace C4)"
$Company = $Company -Replace 'å',"$(UniReplace E5)"
$Company = $Company -Replace 'Å',"$(UniReplace C5)"
$Company = $Company -Replace 'ö',"$(UniReplace F6)"
$Company = $Company -Replace 'Ö',"$(UniReplace D6)"

echo "This is the content of string `$Company: $Company"
Get-ADUser -Filter "company -eq '$Company'"

I guess that is as good as it gets for now.

Powershell – Accounts suddenly expiring when created with ‘NET USER /ADD /expires:NEVER’

Your usage of NET USER with /EXPIRES:NEVER appears to be correct.
https://support.microsoft.com/en-us/kb/251394
However it is a VERY old tool, probably not getting much attention back in Redmond. After I create an account that way, and look at the account, the PNE flag is not set.

Why are you still using "NET.EXE"? There are powershell cmdlets for new user creation that are much more useful.

write-host "Password for new account:"
$pass1 = read-host -assecurestring
$pass2 = ConvertTo-SecureString -AsPlainText "something" -force
New-ADUser -SamAccountName "glenjohn" -Name "glenjohn" -GivenName "Glen" -Surname "John" -DisplayName "Glen John" -UserPrincipalName "glenjohn@stuff.com" -Accountpassword $pass1 -enabled $true -PasswordNeverExpires $true

EDIT:

Oops! I overlooked the word "local" in your post.
You CAN do local account in powershell, but it takes 8-10 lines of code.
Try this:

NET USER JOE "password" /ADD /y
WMIC USERACCOUNT WHERE "Name='JOE'" SET PasswordExpires=FALSE

Best Answer

Related Solutions

PowerShell: Get-ADUser Properties with åäö

Powershell – Accounts suddenly expiring when created with ‘NET USER /ADD /expires:NEVER’

Related Topic