
script to edit/set employeeType attribute for all users in only one OU

Last Modified: 2012-05-11
Greetings,

My scripting skills are purely administrative but I need to go a little deeper with this one.  I need to set the employeeType attribute to "faculty" for every employee account (object) in one specific OU called Employee.  Can someone point me to a good example of this?  I am looking right now but would like to save myself a few hours of google searches....

I would use PowerShell with Quest Cmdlets.

For example, this one-liner would do.

get-qaduser -search mydomain.net/Employee -searchroot 0 | set-qaduser -objectattributes @{employeetype="facutly"}
Adam Brown, Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
Powershell's a great way to do stuff like this. If you have Windows 2008 R2, you can utilize the Native AD powershell; if not, you can utilize the Quest Powershell cmdlets. http://www.quest.com/powershell/activeroles-server.aspx has the download for those. I'll give you the script for the quest version. Let me know if you have 2008 R2 and I can write one up for that as well.
get-qaduser -searchroot <CN of OU> | set-qaduser -objectattributes @{employeetype='Faculty'}


Adam Brown, Senior Systems Admin

Commented:
DN, not CN, sorry. So if Users is a child of Home in Company.local, you'd use "ou=users,ou=home,dc=company,dc=local"

Author

Commented:
I have installed Windows Powershell on my desktop.  I have Domain Admin rights so I should be able to run the command from Powershell on my desktop right?  And I forgot some info.  The domain is webauth.edu and the OU is Employee.  

I need every employee in the Employee OU to have their employeeType attribute set to faculty.  Are the examples provided changing only a single user or all users in the OU?  Do you use a wildcard or something?

Author

Commented:
So my powershell command would look like...

get-qaduser -search webauth.edu/Employee -searchroot 0 | set-qaduser -objectattributes @{employeeType="facutly"}

And this will change the employeeType attribute for all webauth.edu employees in the Employee OU to faculty...right?
Adam Brown, Senior Systems Admin

Commented:
I *think* you have to run the command from a DC, but I'll test real quick to make sure. The command in my example uses the SearchRoot switch to limit the changes to the OU that you tell it to search. Basically, the first command get-qaduser will find all the users in that OU, the second, set-qaduser, will make the change on all the objects that the first command picks up.
Adam Brown, Senior Systems Admin

Commented:
Also, -search isn't a useable switch for get-qaduser. You would use -searchroot.
It's not necessary to run the command from the DC.

Also, you may use the -whatif parameter to do a test run first.

get-qaduser -searchroot mydomain.net/Employee -searchroot 0 | set-qaduser -objectattributes @{employeetype="faculty"} -whatif

Also, you said you have powershell, but did you install the Quest cmdlets?
Adam Brown, Senior Systems Admin

Commented:
(BTW, the -searchroot 0 isn't necessary)
Ooops  I meant -sizelimit 0
Adam Brown, Senior Systems Admin

Commented:
:D Typeos are fun.

Author

Commented:
Quest cmdlets?  I only installed Windows Powershell.  To run this command I need Quest cmdlets or is this all native to Powershell?
I guess you missed the link in the second comment on this thread.

Author

Commented:
I just installed the ActiveRoles Management Shell for Active Directory on my local system where I have Windows Powershell.  Looks pretty cool.  I'm going to run the command with the -whatif option and see what happens...

Author

Commented:
Loaded the Quest tools and the script worked beautifully!  So how do I award the points?  Both of you said the same thing but RickSheikh said it first...
You may need to relax the execution policy first, i.e.

set-executionpolicy -execution remotesigned
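
A version of the bulk change discussed in this thread using the native ActiveDirectory module mentioned above, as an added example that is not from any participant. It assumes the module is available (Windows Server 2008 R2 or RSAT) and that the Employee OU sits directly under the webauth.edu domain root; the backup file path is hypothetical.

```powershell
# Added example, not code from the thread.
# Assumes the native ActiveDirectory module and an Employee OU at the domain root.
Import-Module ActiveDirectory

$SearchBase = 'OU=Employee,DC=webauth,DC=edu'   # DN built from the thread's domain and OU
$NewValue   = 'faculty'
# Hypothetical backup location for the pre-change values.
$BackupCsv  = Join-Path $env:TEMP ("employeeType-before-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

# Fail early if the DN is wrong instead of searching somewhere unintended.
$ou = Get-ADOrganizationalUnit -Identity $SearchBase -ErrorAction Stop

# employeeType is not returned by default, so request it explicitly.
# OneLevel touches only users directly in the OU; use Subtree to include child OUs.
$users = @(Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope OneLevel `
                      -Filter * -Properties employeeType)

# Record current values so the change can be reviewed or rolled back.
$users | Select-Object SamAccountName, DistinguishedName, employeeType |
    Export-Csv -Path $BackupCsv -NoTypeInformation

# Only write to accounts whose value differs (case-sensitive, so 'Faculty' is normalized too).
$toChange = @($users | Where-Object { $_.employeeType -cne $NewValue })
"{0} users in scope, {1} need updating. Backup: {2}" -f $users.Count, $toChange.Count, $BackupCsv

# Dry run first: -WhatIf prints each intended change and writes nothing.
$toChange | Set-ADUser -Replace @{ employeeType = $NewValue } -WhatIf

# After reviewing the dry-run output, apply the change by running without -WhatIf:
# $toChange | Set-ADUser -Replace @{ employeeType = $NewValue }
```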