Solved

powershell script to remove IPphone from AD

Posted on 2013-01-28
8
2,840 Views
Last Modified: 2013-01-30
hi all

i need to clear the IPphone field from our disabled users OU in active directory.
the disabled Accounts OU lives inside the Users OU.

our AD structure looks like this

domain.com
 -Asia
  --Australia
    --Sydney
      --Users (all active users are here)
           -----Disabled Accounts (need to remove IPphone details from here only)
           -----Another OU
           -----and one more

i have created the following script but im unsure if the OU setting is correct...

can somebody please confirm if the following code looks correct?



Const ADS_PROPERTY_CLEAR = 1

Set objUser = GetObject _
   ("LDAP://cn=USERNAME, ou=/ASIA/Australia/Sydney/Users/Disabled Accounts, dc=domain, dc=com")
 
objUser.PutEx ADS_PROPERTY_CLEAR, "IPphone", 0
objUser.SetInfo
0
Comment
Question by:BakerSyd
  • 4
  • 4
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 38829906
It should be the distinguishedname of user..
Set objUser = GetObject(“LDAP://cn=USERNAME,ou=Disabled Accounts,ou=Users,ou=Users,ou=Sydney,ou=Australia,ou=Asia,dc=domain, dc=com”)

Open in new window

0
 

Author Comment

by:BakerSyd
ID: 38833094
ahhh ok, that makes sense
is there a reason why you have 2 ou=Users in your code?


i have updated my script, and it looks like this

Const ADS_PROPERTY_CLEAR = 1

Set objUser = GetObject _
("LDAP://cn=AUSJB1, ou=Disabled Accounts, ou=Users, ou=Sydney, ou=Australia, ou=Asia, dc=domain, dc=com")
 
objUser.PutEx ADS_PROPERTY_CLEAR, "IPphone", 0
objUser.SetInfo

 


when i try to run this script it fails and gives me a lot of errors.


PS C:\users\ausamj\Desktop\Scripts> & '.\Remove IP Phone.ps1'
The term 'Const' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
ing of the name, or if a path was included, verify that the path is correct and try again.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:1 char:6
+ Const <<<<  ADS_PROPERTY_CLEAR = 1
    + CategoryInfo          : ObjectNotFound: (Const:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Set-Variable : A positional parameter cannot be found that accepts argument 'GetObject'.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:3 char:4
+ Set <<<<  objUser = GetObject _
    + CategoryInfo          : InvalidArgument: (:) [Set-Variable], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetVariableCommand

LDAP://cn=AUSJB1, ou=Disabled Accounts, ou=Users, ou=Sydney, ou=Australia, ou=Asia, dc=bakernet, dc=com
The term 'objUser.PutEx' is not recognized as the name of a cmdlet, function, script file, or operable program. Check t
he spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:6 char:14
+ objUser.PutEx <<<<  ADS_PROPERTY_CLEAR, "IPphone", 0
    + CategoryInfo          : ObjectNotFound: (objUser.PutEx:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

The term 'objUser.SetInfo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
 the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:7 char:16
+ objUser.SetInfo <<<<
    + CategoryInfo          : ObjectNotFound: (objUser.SetInfo:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException



im a complete noob in powershell scripting so forgive me for any stupid mistakes that ive done...

am i missing something from my script?
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 38833946
is there a reason why you have 2 ou=Users in your code?
it's a typo.. Only one ou=Users is required..

am i missing something from my script?
The code you posted is for a vbscript..

If you want to use PowerShell to update the attribute then you can use the Quest AD PowerShell module..
http://www.quest.com/powershell/activeroles-server.aspx

For clearing ipphone attribute for single user, run the following command..
Set-QADuser username -objectAttributes @{ipphone=$null}

Open in new window


For all users in the disabled OU
Get-QADUser -SearchRoot "ou=Disabled Accounts, ou=Users, ou=Sydney, ou=Australia, ou=Asia, dc=domain, dc=com" | Set-QADuser -objectAttributes @{ipphone=$null}

Open in new window


If you have Win 2008 R2 Active Directory then you can use the Set-ADuser command from AD powershell..
0
 

Author Comment

by:BakerSyd
ID: 38833999
hi

thanks for the information, i had no idea that i was doing a vbscript... the site that i was looking at kept mentioning powershell.

cheers for clearing that up.


with the powershell scripts that you created for me, do i need to run that via the Quest AD Powershell Module?
i already have the Active Directory Module for Windows Powershell ... will that do the same thing?

appreciate the scripts
i will most certainly have to remove all the ipphone details from all the disabled users.

i am trying to run the single user script you provided me, but its giving me an error.

PS C:\Windows\system32> Set-QADuser AUSJB1 -objectAttributes @{ipphone=$null}
Set-QADUser : Access is denied.
At line:1 char:12
+ Set-QADuser <<<<  AUSJB1 -objectAttributes @{ipphone=$null}
    + CategoryInfo          : NotSpecified: (:) [Set-QADUser], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdl
   ets.SetUserCmdlet

PS C:\Windows\system32>



could this be a permissions issue?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38834012
Active Directory Module for Windows PowerShell have *AD* commands.. like Set-ADUser, Get-ADUser

To clear IPPhone attribute for single user
Set-ADUser UserName -Clear ipphone

If you already have Quest AD PowerShell Module then you can use the code from my previous post..

Error says Access is denied, does your account have permission to modify the user attribute?
0
 

Author Comment

by:BakerSyd
ID: 38834119
yes my admin account has modify access for all OU's within the Australian OU...
my standard account does not.

standard: ausamj
admin: ausamj-a

i may need to run windows powershell with my admin account instead the local administrator account... maybe its not liking the local admin account

i installed quest AD Powershell Module as well, so i guess i can use both options...


i will give this a shot tomorrow when i get back into work and ill post back to let you know how i went.


thanks again!
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38834132
yes.. you need to use your admin account to run PowerShell..
0
 

Author Comment

by:BakerSyd
ID: 38837642
yes it worked!

as a test i ran the Get-QADUser commands to delete a single users iphone details.. and it worked...
so i then ran the script you gave me to delete from all users in the disabled accounts, and that worked perfectly as well.


thanks for your help!


cheers
0

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now