Solved

powershell script to remove IPphone from AD

Posted on 2013-01-28
Last Modified: 2013-01-30
Hi all,

I need to clear the IPphone field from our disabled users OU in Active Directory.
The Disabled Accounts OU lives inside the Users OU.

Our AD structure looks like this:

domain.com
 -Asia
  --Australia
    --Sydney
      --Users (all active users are here)
           -----Disabled Accounts (need to remove IPphone details from here only)
           -----Another OU
           -----and one more

I have created the following script but I'm unsure if the OU setting is correct...

Can somebody please confirm if the following code looks correct?



Const ADS_PROPERTY_CLEAR = 1

Set objUser = GetObject _
   ("LDAP://cn=USERNAME, ou=/ASIA/Australia/Sydney/Users/Disabled Accounts, dc=domain, dc=com")
 
objUser.PutEx ADS_PROPERTY_CLEAR, "IPphone", 0
objUser.SetInfo
Question by:BakerSyd

Expert Comment

by:Subsun
ID: 38829906
It should be the distinguishedname of user..
Set objUser = GetObject("LDAP://cn=USERNAME,ou=Disabled Accounts,ou=Users,ou=Users,ou=Sydney,ou=Australia,ou=Asia,dc=domain, dc=com")


Author Comment

by:BakerSyd
ID: 38833094
Ahhh OK, that makes sense.
Is there a reason why you have 2 ou=Users in your code?


I have updated my script, and it looks like this:

Const ADS_PROPERTY_CLEAR = 1

Set objUser = GetObject _
("LDAP://cn=AUSJB1, ou=Disabled Accounts, ou=Users, ou=Sydney, ou=Australia, ou=Asia, dc=domain, dc=com")
 
objUser.PutEx ADS_PROPERTY_CLEAR, "IPphone", 0
objUser.SetInfo

 


When I try to run this script it fails and gives me a lot of errors.


PS C:\users\ausamj\Desktop\Scripts> & '.\Remove IP Phone.ps1'
The term 'Const' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
ing of the name, or if a path was included, verify that the path is correct and try again.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:1 char:6
+ Const <<<<  ADS_PROPERTY_CLEAR = 1
    + CategoryInfo          : ObjectNotFound: (Const:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Set-Variable : A positional parameter cannot be found that accepts argument 'GetObject'.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:3 char:4
+ Set <<<<  objUser = GetObject _
    + CategoryInfo          : InvalidArgument: (:) [Set-Variable], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetVariableCommand

LDAP://cn=AUSJB1, ou=Disabled Accounts, ou=Users, ou=Sydney, ou=Australia, ou=Asia, dc=bakernet, dc=com
The term 'objUser.PutEx' is not recognized as the name of a cmdlet, function, script file, or operable program. Check t
he spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:6 char:14
+ objUser.PutEx <<<<  ADS_PROPERTY_CLEAR, "IPphone", 0
    + CategoryInfo          : ObjectNotFound: (objUser.PutEx:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

The term 'objUser.SetInfo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
 the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\users\ausamj\Desktop\Scripts\Remove IP Phone.ps1:7 char:16
+ objUser.SetInfo <<<<
    + CategoryInfo          : ObjectNotFound: (objUser.SetInfo:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException



I'm a complete noob in PowerShell scripting so forgive me for any stupid mistakes that I've done...

Am I missing something from my script?

Accepted Solution

by:
Subsun earned 500 total points
ID: 38833946
> is there a reason why you have 2 ou=Users in your code?

it's a typo.. Only one ou=Users is required..

> am i missing something from my script?

The code you posted is for a vbscript..

If you want to use PowerShell to update the attribute then you can use the Quest AD PowerShell module..
http://www.quest.com/powershell/activeroles-server.aspx

For clearing ipphone attribute for single user, run the following command..
Set-QADuser username -objectAttributes @{ipphone=$null}



For all users in the disabled OU
Get-QADUser -SearchRoot "ou=Disabled Accounts, ou=Users, ou=Sydney, ou=Australia, ou=Asia, dc=domain, dc=com" | Set-QADuser -objectAttributes @{ipphone=$null}



If you have Win 2008 R2 Active Directory then you can use the Set-ADuser command from AD powershell..

Author Comment

by:BakerSyd
ID: 38833999
Hi,

Thanks for the information, I had no idea that I was doing a VBScript... the site that I was looking at kept mentioning PowerShell.

Cheers for clearing that up.


With the PowerShell scripts that you created for me, do I need to run that via the Quest AD PowerShell Module?
I already have the Active Directory Module for Windows PowerShell ... will that do the same thing?

Appreciate the scripts.
I will most certainly have to remove all the ipphone details from all the disabled users.

I am trying to run the single user script you provided me, but it's giving me an error.

PS C:\Windows\system32> Set-QADuser AUSJB1 -objectAttributes @{ipphone=$null}
Set-QADUser : Access is denied.
At line:1 char:12
+ Set-QADuser <<<<  AUSJB1 -objectAttributes @{ipphone=$null}
    + CategoryInfo          : NotSpecified: (:) [Set-QADUser], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdl
   ets.SetUserCmdlet

PS C:\Windows\system32>



Could this be a permissions issue?

Expert Comment

by:Subsun
ID: 38834012
Active Directory Module for Windows PowerShell has *AD* commands.. like Set-ADUser, Get-ADUser

To clear IPPhone attribute for single user
Set-ADUser UserName -Clear ipphone

If you already have Quest AD PowerShell Module then you can use the code from my previous post..

Error says Access is denied, does your account have permission to modify the user attribute?

Author Comment

by:BakerSyd
ID: 38834119
Yes, my admin account has modify access for all OUs within the Australian OU...
My standard account does not.

standard: ausamj
admin: ausamj-a

I may need to run Windows PowerShell with my admin account instead of the local administrator account... maybe it's not liking the local admin account.

I installed Quest AD PowerShell Module as well, so I guess I can use both options...


I will give this a shot tomorrow when I get back into work and I'll post back to let you know how I went.


Thanks again!

Expert Comment

by:Subsun
ID: 38834132
yes.. you need to use your admin account to run PowerShell..
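
The bulk clean-up discussed in this thread, written for the Active Directory module (Set-ADUser) rather than the Quest cmdlets, as an added example that was not posted by either participant. The OU path is the one from the thread; the disabled-only LDAP filter, the explicit -Credential prompt and the CSV log path are assumptions added here.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DN taken from the thread (domain.com is the poster's placeholder domain).
    [string]$SearchBase = 'OU=Disabled Accounts,OU=Users,OU=Sydney,OU=Australia,OU=Asia,DC=domain,DC=com',

    # Account with delegated write access to the OU, e.g. the separate admin
    # account mentioned in the thread. Prompted for if not supplied.
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential),

    # Hypothetical location for a record of the values that were removed.
    [string]$LogPath = '.\ipphone-cleared.csv'
)

Import-Module ActiveDirectory

# Match only user objects that have ipPhone populated AND are disabled
# (userAccountControl bit 2 = ACCOUNTDISABLE). An enabled account that was
# moved into the OU by mistake is therefore left untouched.
$filter = '(&(ipPhone=*)(userAccountControl:1.2.840.113556.1.4.803:=2))'

$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter $filter -Properties ipPhone -Credential $Credential

$cleared = foreach ($user in $users) {
    $action = "Clear ipPhone (current value: $($user.ipPhone))"
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
        # -ErrorAction Stop aborts on the first failure (for example
        # "Access is denied") instead of continuing through the OU.
        Set-ADUser -Identity $user -Clear ipPhone -Credential $Credential -ErrorAction Stop

        # Emit the old value so the change can be audited or reverted.
        $user | Select-Object SamAccountName, DistinguishedName, ipPhone
    }
}

# Nothing is written when the script is run with -WhatIf or no user matched.
if ($cleared) {
    $cleared | Export-Csv -Path $LogPath -NoTypeInformation
    Write-Output "Cleared ipPhone on $(@($cleared).Count) account(s); old values saved to $LogPath"
}
```

Running the script with -WhatIf first lists each account that would be changed without modifying anything. Passing the admin account through -Credential lets the PowerShell session itself stay on the standard account.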

Author Comment

by:BakerSyd
ID: 38837642
Yes, it worked!

As a test I ran the Get-QADUser commands to delete a single user's ipphone details.. and it worked...
So I then ran the script you gave me to delete from all users in the disabled accounts, and that worked perfectly as well.


Thanks for your help!


Cheers