One of the most common tasks I see performed with PowerShell is syncing user attributes to Active Directory (AD). Every organization seems to have some kind of product that stores employee information other than AD itself.

Adam Bertram

Adam is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who specializes in Windows PowerShell. You can reach Adam at adamtheautomator.com or on Twitter at @adbertram.

Usually, that external product is some kind of HR system. You can get employee information from an external product into AD in a few different ways. You can either figure out how to pull the employees directly from that system's database, use its API (if available), or get the data into some kind of format that both the product can export and PowerShell can read. To choose the most common path, let's pick a common format that both can understand: comma-separated values (CSV).

If a CSV file can represent employees with one employee per row, PowerShell can natively read this CSV file. Once PowerShell can read the CSV, it's then a matter of figuring out if that same employee has a user account in AD. If so, it ensures all the attributes you care about are the same as in the CSV file. If not, it creates a new user altogether.

Let's go over how to create a PowerShell script that will read a CSV file full of employees, attempt to find a match in AD, and, if found, check to ensure a few AD attributes are the same as what's in the CSV.

Because the CSV fields are important, here's what the CSV file looks like:

FirstName,LastName,Department
Adam,Bertram,IT
Bob,Jones,Accounting
Joe,Bridges,HR

We'll then read this CSV with Import-Csv to gather up all the users into a variable.

[Screenshot: CSV users]

This CSV is about as easy as it can get, and it looks like this will be an easy task, but think again. The first problem is going to be making a unique 1:1 match between a CSV row and a single AD user account. Since I'm going to assume that there might be multiple users with the same first name, last name, or department, we can't use any of these fields for the unique identifier.

Thus, we will have to create a unique field on the fly. For this example, I'm going to assume that each user in AD has a username of first initial/last name. Using the first and last name in the CSV, we can generate a "fake" username in PowerShell.

[Screenshot: Generating usernames]

If you run this now, you'll see it generates our "fake" usernames. We now need to perform an AD search to see if our fake username exists in AD. Using the ActiveDirectory module, we can make this happen with the Get-AdUser cmdlet. If we find a match, we can then look at each applicable user attribute and compare it with the CSV field.

Since the CSV may not always contain only fields that match up to AD attributes, we created an $attributesToSync variable to look only for those. Since the attributes were in a variable, we were then able to have Get-AdUser return only the properties we're concerned about by using the Properties parameter. We then read each attribute and compared what was in the CSV file with what the AD user looked like. If they didn't match, we ran Set-AdUser to change them to match.
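Putting the steps above together, here is an added example (not the article's own screenshot code). It assumes the RSAT ActiveDirectory module is installed, the first-initial-plus-last-name username convention the article assumes, a placeholder CSV path, and a $attributesToSync hashtable that maps CSV columns to Set-ADUser parameter names.

```powershell
# Added example; not the article's original code. Assumes the RSAT
# ActiveDirectory module and usernames of first initial + last name.
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\employees.csv'   # placeholder path, adjust for your export
$users   = Import-Csv -Path $csvPath

# Map CSV column -> Set-ADUser parameter name. Only these are compared;
# any other columns in the CSV are ignored.
$attributesToSync = @{
    FirstName  = 'GivenName'
    LastName   = 'Surname'
    Department = 'Department'
}
$props = [string[]]$attributesToSync.Values

foreach ($user in $users) {
    # Build the "fake" username on the fly: first initial + last name, lower-cased.
    $username = ('{0}{1}' -f $user.FirstName.Substring(0, 1), $user.LastName).ToLower()

    # Let the AD provider expand $username inside the single-quoted filter, so a
    # quote in a last name (O'Brien) cannot break the filter. Pull back only the
    # attributes we intend to compare.
    $adUser = Get-ADUser -Filter 'samAccountName -eq $username' -Properties $props

    if (-not $adUser) {
        Write-Warning "No AD user found for [$username]; skipping (this is where New-ADUser would go)."
        continue
    }

    # Compare each synced attribute (case-sensitive) and collect only the ones that differ.
    $changes = @{}
    foreach ($csvField in $attributesToSync.Keys) {
        $param    = $attributesToSync[$csvField]
        $csvValue = $user.$csvField.Trim()
        if ($adUser.$param -cne $csvValue) {
            $changes[$param] = $csvValue
        }
    }

    if ($changes.Count -gt 0) {
        Write-Verbose "Updating [$username]: $($changes.Keys -join ', ')"
        # Splat the differing attributes as Set-ADUser parameters. -WhatIf reports the
        # planned writes without changing AD; remove it once the output looks right.
        Set-ADUser -Identity $adUser @changes -WhatIf
    }
}
```

Run it with -Verbose and -WhatIf first under an account that has only read access, so the attribute comparison can be reviewed before the script is granted write rights to user objects.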

This is a basic example of what it takes to perform a CSV --> AD user sync. We didn't even consider cases like a CSV field that does not exactly match the AD attribute, or non-string attributes like the accountExpires AD attribute that require a date conversion! Learning how to do this is important, but you can also try out a community module called PSADSync that takes care of most of the details for you. If you have trouble creating your own sync script, check it out in the PowerShell Gallery.


2 Comments
  1. RNR 2 months ago

    There's a typo on line 7: ... -Properties $a ttributesToSync)

    0

© 4sysops 2006 - 2017