Using Set-ADUser to change an AD account outside current forest

This topic contains 4 replies, has 3 voices, and was last updated by Caroline Shields 2 months, 3 weeks ago.

  • #65511
    Caroline Shields
    Participant

    So I'm trying to do a bulk change to users' proxyaddresses. The issue is that these users reside in different AD forests and I keep getting this error:

    Set-ADUser : Cannot find an object with identity: 'xxx' under: 'DC=loc1,DC=dc,DC=company,DC=com'.

    which makes sense because these users are spread throughout these forests:
    dc=loc2,DC=dc,DC=company,DC=com
    dc=loc3,DC=dc,DC=company,DC=com
    dc=loc4,DC=dc,DC=company,DC=com

    I am able to get the Get-ADUser properties of the user in the other forests using this command:

    $User = get-aduser -filter {UserPrincipalName -eq $upn} -Server FQDN:3268

    but I can't seem to figure out how to get the set-aduser command to check all forests for the user. It seems to be only checking the forest that my AD account currently resides in (dc=loc1).

    Any help would be appreciated. I should warn you that I'm new to ps, so if you could show the actual code, that would help tremendously.

  • #65532
    Frank Tucker
    Participant

    My PS knowledge is also low... A few thoughts:
    A loop to check all forests
    Use a credential that is global to run the script
    Try select-object and use the object-guid with get-aduser and not use the upn

  • #65533
    random commandline
    Participant

    I don't have an AD environment to test, but something like this should work.

    $forest = 'loc1.dc.company.com', 'loc2.dc.company.com',
              'loc3.dc.company.com', 'loc4.dc.company.com'

    # List of users; the CSV is assumed to have a UPN column
    $user = Import-Csv userlist.csv
    # Check each domain for each user, then make the change
    foreach ($f in $forest){
        foreach ($u in $user){
            # -Filter cannot dereference $u.UPN, so copy it into a plain variable first
            $upn = $u.UPN
            $instance = Get-ADUser -Server $f -Properties proxyAddresses -Filter {UserPrincipalName -eq $upn}
            if ($instance) {
                # Assigning a single string replaces the whole multi-valued attribute;
                # use += instead to append an address
                $instance.ProxyAddresses = "yournewaddress"
                Set-ADUser -Instance $instance
            }
        }
    }
    
    • #65646
      Caroline Shields
      Participant

      Thanks Random, that worked perfectly. I had to change the $forest to just actual text; it didn't like the split formatting for whatever reason.

      May I ask why putting the cmdlet in a variable works, rather than just running the straight cmdlet?

      # Domains returns the list of domain FQDNs in the current forest
      $Forest = (Get-ADForest).Domains

      $user = Import-Csv c:\conflicts.csv
      ForEach ($u in $User){
          foreach ($f in $forest){
              $upn = $u.UPN
              $sn = "smtp:"+$u.OldEmail
              $obj = Get-ADUser -Server $f -Properties proxyaddresses -Filter {UserPrincipalName -eq $upn}
              If ($obj -ne $null){
                  $obj.ProxyAddresses += $sn
                  Set-ADUser -Instance $obj
                  # found and updated; no need to check the remaining domains
                  break
              }else{continue}
          }
      }
      
    • #65746
      Caroline Shields
      Participant

      Ok, I had an epiphany and found a better way. Instead of going through all the domains trying to find the correct domain, why not just get the domain directly? Here is the updated code. Make sure to replace the -Server placeholder with your AD Global Catalog FQDN:

      $user = Import-Csv C:\proxytest.csv
      ForEach ($u in $User){

          $upn = $u.UPN
          $sn = "smtp:"+$u.OldEmail

          #this searches the Global Catalog (port 3268) for the user; replace GC_FQDN with your GC's FQDN
          $dname = Get-ADUser -Server "GC_FQDN:3268" -Properties canonicalname -Filter {UserPrincipalName -eq $upn}

          If ($dname -ne $null){
              #CanonicalName looks like "loc2.dc.company.com/OU/Name"; the part before the first "/" is the domain
              $ou = $dname.CanonicalName
              $pos = $ou.IndexOf("/")
              $dn = $ou.Substring(0, $pos)

              #in AD, you need to specify the actual domain they are listed in
              $obj = Get-ADUser -Server $dn -Properties proxyaddresses -Filter {UserPrincipalName -eq $upn}
              $obj.ProxyAddresses += $sn

              #removes the proxyaddress instead
              #$obj.ProxyAddresses.Remove($sn)

              Set-ADUser -Instance $obj
          }else{
              write-host "User does not exist in AD: "$upn
          }
      }
      
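The Global Catalog approach from the last post, written up as an added example (not code from the thread): it resolves each user's home domain from CanonicalName, refuses to add a proxy address that already belongs to another object in the forest (proxyAddresses must be unique forest-wide), skips addresses already present, and supports -WhatIf. The GC FQDN, the CSV path and its UPN/OldEmail columns are assumptions.

```powershell
# Added example; assumes the ActiveDirectory module and a CSV with UPN and OldEmail columns.
function Add-ProxyAddressViaGC {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$GlobalCatalog,   # placeholder, e.g. 'gc.example.com'
        [Parameter(Mandatory)][string]$CsvPath
    )
    $gc = "${GlobalCatalog}:3268"   # 3268 = Global Catalog LDAP port

    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.UPN                         # -Filter cannot dereference $row.UPN
        $new = "smtp:$($row.OldEmail)"

        # 1. Find the account in the GC; CanonicalName starts with its home domain FQDN
        $hit = Get-ADUser -Server $gc -Filter {UserPrincipalName -eq $upn} -Properties canonicalName
        if (-not $hit) { Write-Warning "No account for $upn"; continue }
        $domain = $hit.CanonicalName.Split('/')[0]

        # 2. Refuse to create a duplicate: any other object already holding the address
        $owners = @(Get-ADObject -Server $gc -LDAPFilter "(proxyAddresses=$new)") |
            Where-Object { $_.DistinguishedName -ne $hit.DistinguishedName }
        if ($owners) {
            Write-Warning "$new already belongs to $($owners[0].DistinguishedName); skipping $upn"
            continue
        }

        # 3. Write through a DC of the home domain (the GC copy is read-only)
        $obj = Get-ADUser -Server $domain -Identity $hit.DistinguishedName -Properties proxyAddresses
        if ($obj.ProxyAddresses -contains $new) { Write-Verbose "$upn already has $new"; continue }
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Add $new")) {
            Set-ADUser -Server $domain -Identity $obj -Add @{ proxyAddresses = $new }
        }
    }
}

# Dry run first, then apply without -WhatIf:
# Add-ProxyAddressViaGC -GlobalCatalog 'gc.example.com' -CsvPath C:\proxytest.csv -WhatIf
```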
