Using Powershell Scripting to Bulk Modify Active Directory Objects

One of the strengths of Windows PowerShell scripting is the ability to leverage both .NET and COM objects. Scripting with System.DirectoryServices is now possible, and the main purpose of this blog post is to provide a sample script used to bulk modify Active Directory objects. Specifically, what this script does is take arguments for an LDAP search such as the Search Root, LDAP filter, and Search Scope. It then runs the search and runs a modification against the results returned. For example, say you want to find all users in a certain department and set their extensionAttribute1 to a certain value. With a script in place you can accomplish this against many users in a matter of seconds.

There are tools out there currently (such as ADModify) that will perform bulk modifications for you, and in 99% of instances it works fine. But what about that 1% of the time that you need something really custom done that it or other tools like it were not designed to handle? With this script and a little bit of scripting know-how, the possibilities become infinite.

One of the limitations of the script as it stands currently is that it does not handle multi-valued attributes or attribute removal. This functionality can be easily added to the script. Let's say you want it to handle multivalued attributes. You could add a required parameter such as $IsMultiValued that the user passes in to denote a multivalued add. You then could add to the ModifyUser() code a test for $IsMultiValued, and if true do $UserADSI.PutEx instead of $UserADSI.Put. Or say you want to clear an attribute, simply use $UserADSI.PutEx with the ADS_PROPERTY_CLEAR flag. That's the real power behind PowerShell scripting; it is completely 100% customizable to meet specific needs.
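The following is an added example in the spirit of the script described above; it is not the downloadable sample itself. It runs a DirectorySearcher query from a Search Root, LDAP filter and Search Scope, then applies the Put / PutEx variants discussed (single value, multi-valued append, clear) to each result. The OU path, filter, attribute name and value are placeholders, and the -WhatIf switch lets you see what would be touched before committing with SetInfo().

```powershell
# Added example, not the post's script. Assumes a domain-joined host whose
# account may write the target attribute; SearchRoot/filter/value are placeholders.
param(
    [string]$SearchRoot  = "LDAP://OU=Sales,DC=example,DC=com",   # placeholder OU
    [string]$LdapFilter  = "(&(objectCategory=person)(objectClass=user)(department=Sales))",
    [ValidateSet("Base","OneLevel","Subtree")][string]$SearchScope = "Subtree",
    [string]$Attribute   = "extensionAttribute1",
    [string]$Value       = "SalesTeam",                             # placeholder value
    [switch]$IsMultiValued,   # append $Value to a multi-valued attribute
    [switch]$Clear,           # remove all values of $Attribute instead of setting one
    [switch]$WhatIf           # report matches but do not call SetInfo()
)

# ADSI PutEx control codes (ADS_PROPERTY_OPERATION_ENUM)
$ADS_PROPERTY_CLEAR  = 1
$ADS_PROPERTY_APPEND = 3

# Build the search exactly as the post describes: root, filter and scope are inputs.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
$searcher.Filter      = $LdapFilter
$searcher.SearchScope = [System.DirectoryServices.SearchScope]$SearchScope
$searcher.PageSize    = 1000   # page results so large OUs are not truncated at 1000

function ModifyUser($result) {
    # Bind to the object behind the search result through ADSI (IADs) so Put/PutEx work.
    $UserADSI = $result.GetDirectoryEntry()
    $dn = $UserADSI.distinguishedName
    if ($WhatIf) { Write-Host "WhatIf: would modify $dn ($Attribute)"; return }
    if ($Clear) {
        $UserADSI.PutEx($ADS_PROPERTY_CLEAR, $Attribute, $null)
    } elseif ($IsMultiValued) {
        $UserADSI.PutEx($ADS_PROPERTY_APPEND, $Attribute, @($Value))
    } else {
        $UserADSI.Put($Attribute, $Value)
    }
    $UserADSI.SetInfo()   # nothing reaches the directory until SetInfo() commits it
    Write-Host "Modified $dn"
}

$results = $searcher.FindAll()
try {
    Write-Host "Found $($results.Count) object(s) matching '$LdapFilter'"
    foreach ($r in $results) { ModifyUser $r }
} finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```

Run it once with -WhatIf against the intended filter and confirm the match count and DNs are what you expect before running it for real; a too-broad filter or scope is the usual way a bulk change hits the wrong objects.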

Please note: this script is a sample and is not officially supported by Microsoft. Please see the script itself for more details.

You can download the script from here.

- Marc Nivens

Comments (3)
  1. Simon says:

    Thanks for the script. It will no doubt come in handy.

    btw. You are missing double quotes around the ldap filter in the 2 examples you give in the script ;o)


  2. RM says:

    Is it possible to flag a mailbox for deletion when simply deleting an AD user from ADUC via powershell or VB?

  3. vmzare says:

    You might also find the bulk user creation powershell script at my blog and how the same script was utilized to provision exchange server 2007 in 5 steps.

    Let’s xchange ideas
