February 2012 - Posts

Finding the logon scripts

What logon scripts are in your environment

"`nMicrosoft"            
Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(scriptpath=*))" -Properties *|            
Format-Table Name, DistinguishedName, ScriptPath -AutoSize            
            
"`nAD provider"            
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(scriptpath=*))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |             
foreach {             
 $user = [adsi]"LDAP://$($_.DistinguishedName)"            
 $user | select @{N="Name"; E={$_.name}},             
 @{N="DistinguishedName"; E={$_.distinguishedname}},            
 @{N="LogonScript"; E={$_.scriptpath}}            
} | Format-Table -AutoSize            
             
"`nQuest"            
Get-QADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(scriptpath=*))" -IncludeAllProperties |            
Format-Table Name, DN, ScriptPath -AutoSize            
            
"`nScript"            
$root = [ADSI]""            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user)(scriptpath=*))"             
$search.SizeLimit = 3000            
$search.FindAll() | foreach {            
             
$user = $_.GetDirectoryEntry()            
$user | select @{N="Name"; E={$_.name}},             
 @{N="DistinguishedName"; E={$_.distinguishedname}},            
 @{N="LogonScript"; E={$_.scriptpath}}            
} | Format-Table -AutoSize

A standard search for any user with the scriptpath attribute set, then display the name, distinguished name and scriptpath (the logon script name).

To search for a given logon script, change the search filter to:

"(&(objectclass=user)(objectcategory=user)(scriptpath=<logon_script_name>))"

To get just a list of the active logon scripts, replace the Format-Table with a sort and a unique select, as shown below:

Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(scriptpath=*))" -Properties *|
sort scriptpath | select ScriptPath -Unique
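An added example, not code from the original post: the distinct-scripts query above extended into a report that checks each referenced script actually exists in the domain's NETLOGON share and who owns the file, so dangling or unexpected script references stand out. It assumes the ActiveDirectory module; Get-LogonScriptReport is a name made up here.

```powershell
# Added example (not from the original post). Lists every distinct logon script referenced by a
# user account and checks that the file exists in NETLOGON. A script that is referenced but missing
# is a dangling reference; an owner you do not expect is worth a look.
function Get-LogonScriptReport {
    param(
        # UNC path of the share logon scripts are read from; defaults to the domain's DFS path
        [string]$NetlogonPath = "\\$((Get-ADDomain).DNSRoot)\NETLOGON"
    )

    $users = Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(scriptpath=*))" `
                        -Properties scriptPath

    # one row per script rather than per user, with a count of the accounts that use it
    $users | Group-Object -Property scriptPath | ForEach-Object {
        $script = $_.Name

        # scriptPath is normally a file name (ls1.cmd) or a path relative to NETLOGON (sales\ls1.cmd);
        # an absolute UNC path is taken as-is
        $full = if ($script -match '^\\\\') { $script }
                else { Join-Path -Path $NetlogonPath -ChildPath $script }

        $exists = Test-Path -LiteralPath $full -PathType Leaf

        [pscustomobject]@{
            ScriptPath = $script
            UserCount  = $_.Count
            Exists     = $exists
            Owner      = if ($exists) { (Get-Acl -LiteralPath $full).Owner } else { $null }
            Users      = ($_.Group | ForEach-Object { $_.SamAccountName }) -join ';'
        }
    }
}

# missing scripts sort first so they are the first thing on screen
Get-LogonScriptReport | Sort-Object Exists, ScriptPath | Format-Table -AutoSize
```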

Set user’s logon script

Staying on the profile tab we can also set a logon script

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$name = "UserA"            
Get-ADUser -Identity $name |            
Set-ADUser -ScriptPath "ls1.cmd"            
            
"`nAD provider"            
$name = "UserB"            
$dn = "cn=$name,$ou"            
Set-ItemProperty -Path AD:\$dn  -Name scriptpath -Value "ls1.cmd" -Force            
             
"`nQuest"            
$name = "UserC"            
Get-QADUser -Identity $name |            
Set-QADUser -LogonScript "ls1.cmd"            
            
"`nScript"            
$name = "UserD"            
$dn = "cn=$name,$ou"            
$user = [adsi]"LDAP://$dn"            
$user.scriptpath = "ls1.cmd"            
$user.SetInfo()

Simply set the name of the logon script file in the scriptpath attribute. Notice that the Quest cmdlet uses -LogonScript as the parameter name.

The full path isn't required because logon scripts are read from the NETLOGON share of the domain controller that authenticates the user; you don't usually want to tie the script to a specific domain controller.

Finding the users home drives

To display the home drive information for your users

"`nMicrosoft"            
Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(homeDirectory=*))" -Properties *|            
Format-Table Name, DistinguishedName, HomeDirectory, HomeDrive -AutoSize            
            
"`nAD provider"            
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(homeDirectory=*))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |             
foreach {             
 $user = [adsi]"LDAP://$($_.DistinguishedName)"            
 $user | select @{N="Name"; E={$_.name}},             
 @{N="DistinguishedName"; E={$_.distinguishedname}},            
 @{N="HomeDirectory"; E={$_.homeDirectory}},            
 @{N="HomeDrive"; E={$_.homeDrive}}             
} | Format-Table -AutoSize            
             
"`nQuest"            
Get-QADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(homeDirectory=*))" -IncludeAllProperties |            
Format-Table Name, DN, HomeDirectory, HomeDrive -AutoSize            
            
"`nScript"            
$root = [ADSI]""            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user)(homeDirectory=*))"             
$search.SizeLimit = 3000            
$search.FindAll() | foreach {            
             
$user = $_.GetDirectoryEntry()            
$user | select @{N="Name"; E={$_.name}},             
 @{N="DistinguishedName"; E={$_.distinguishedname}},            
 @{N="HomeDirectory"; E={$_.homeDirectory}},            
 @{N="HomeDrive"; E={$_.homeDrive}}             
} | Format-Table -AutoSize

In all cases we perform an LDAP search with the filter set to find any user whose home directory attribute is set.

The cmdlets can immediately display the required attributes but for the provider and script we have to get a directory entry so we can select the required attributes.

Setting a user's home directory

One task when creating a new user is to set their home directory. This information is on the Profile tab in the lower box.

In the GUI we would use the Connect radio button, select a drive letter and supply the UNC path to a share.  In PowerShell we do this

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$name = "UserA"            
Get-ADUser -Identity $name |            
Set-ADUser -HomeDirectory "\\fileserver\$name" -HomeDrive "H:"            
            
"`nAD provider"            
$name = "UserB"            
$dn = "cn=$name,$ou"            
Set-ItemProperty -Path AD:\$dn  -Name homeDirectory -Value "\\fileserver\$name"  -Force            
Set-ItemProperty -Path AD:\$dn  -Name homeDrive     -Value "H:"       -Force            
             
"`nQuest"            
$name = "UserC"            
Get-QADUser -Identity $name |            
Set-QADUser -HomeDirectory "\\fileserver\$name" -HomeDrive "H:"            
            
"`nScript"            
$name = "UserD"            
$dn = "cn=$name,$ou"            
$user = [adsi]"LDAP://$dn"            
$user.homeDirectory = "\\fileserver\$name"            
$user.homeDrive = "H:"            
$user.SetInfo()

 

The cmdlets supply parameters for HomeDirectory and HomeDrive, both fairly obvious.

In the provider we make a couple of calls to Set-ItemProperty; the attribute names are self-explanatory. The script is similar in that we get a directory entry for the user and set the appropriate attributes.

UK PowerShell group–February 2012 recording

The recording, slides and demo scripts from tonight’s PowerShell and SQL Server session are available as a single zip file for download from

https://skydrive.live.com/#cid=43CFA46A74CF3E96&id=43CFA46A74CF3E96%212943

The file is created with jzip but any zip handling program should be able to unzip it

Thank you to the attendees and especially for the questions – I’ve posted the answer to the question regarding accessing named instances using a port number here

http://msmvps.com/blogs/richardsiddaway/archive/2012/02/28/connecting-via-smo-to-a-named-instance.aspx

Next meeting will be 28 March 2012

Topic will probably be CIM in PowerShell v3

Group’s displayname

A question on the forum asked about setting the value for a group’s displayname attribute. 

When you first create a group using any of the techniques we have seen earlier the displayname property is not set.  You can set it like this

Get-QADGroup -Identity GroupDmlSecA
$group = "GroupDmlSecA"
Get-QADGroup -Identity $group
Get-QADGroup -Identity $group | Set-QADGroup -ObjectAttributes @{displayName = $group}

 

Not sure why you would want to do this as as far as I can tell the displayname is never used for a group – the name showing in AD Users and Computers is the object name (cn attribute) not the display name

Connecting via SMO to a named instance

A question came up in tonight's user group session regarding connecting to SQL Server instances using SMO.

If you have just a default instance – just give the server name

$server = New-Object -TypeName "Microsoft.SqlServer.Management.Smo.Server" -ArgumentList "W08R2SQl12"

 

If you have a named instance then give the instance name as well:

$serverI = New-Object -TypeName "Microsoft.SqlServer.Management.Smo.Server" -ArgumentList "W08R2SQl12\instance_name"

 

These work as long as the SQL Server browser service is running. 

If it isn’t this is what I think you have to do.

This is untested and a best guess. I will try and test.

$cons = "server=W08R2SQL12\instance_name,port_number;Trusted_Connection=true;multipleactiveresultsets=false"

$cn = New-Object -TypeName "System.Data.SqlClient.SqlConnection" -ArgumentList $cons
# the SMO Server constructor takes a ServerConnection, not a SqlConnection, so wrap the connection first
$sc = New-Object -TypeName "Microsoft.SqlServer.Management.Common.ServerConnection" -ArgumentList $cn
$serverZ = New-Object -TypeName "Microsoft.SqlServer.Management.Smo.Server" -ArgumentList $sc

If anyone manages to test this please let me know – I’ll test as soon as I can

Remove all members from a group

Do you need to remove all members from a group

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$group = "GroupUnvlSecA"            
Get-ADGroupMember -Identity $group |            
Remove-ADPrincipalGroupMembership -MemberOf $group -Confirm:$false            
            
            
"`nAD provider"            
$group = "GroupUnvlSecB"            
$ou = "OU=TestGroups,DC=Manticore,DC=org"            
            
$members = @()            
Set-ItemProperty -Path ad:\"cn=$group,$ou" -Name member -Value $members -Force            
            
"`nQuest"            
$group = "GroupUnvlSecC"            
Get-QADGroupMember -Identity $group |             
Remove-QADGroupMember -Identity $group            
            
            
"`nScript"            
$group = "GroupUnvlSecD"            
$ge = [adsi]"LDAP://cn=$group,$ou"            
            
$ge.member |            
foreach {            
  $ge.Remove("LDAP://$($_)")             
}

The Microsoft cmdlet and provider will moan about insufficient privileges if you get the syntax wrong

For the Microsoft cmdlet we can pipe the group membership into Remove-ADPrincipalGroupMembership. Notice the use of -Confirm:$false; if you don't use that you will be asked to confirm every deletion.

The Quest cmdlet is a simple get | remove operation

The provider treats the members as an array so we can use an empty array to overwrite the membership.

The script iterates through the members and uses the Remove() method to delete members

Copy group membership

We may need to copy the members of one group into a second

In these examples I’m copying the membership of a Universal group into a Domain Local group.  That’s just because I have those groups available. You can copy between any two groups but remember that global groups can only contain members from within the domain – in my test environment I only have a single domain so the restriction doesn’t apply.

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$gsource = "GroupUnvlSecA"            
$gtarget = "GroupDmlSecA"            
Get-ADGroupMember -Identity $gsource |            
foreach {            
 Add-ADGroupMember -Identity $gtarget -Members $($_.DistinguishedName)            
}            
            
"`nAD provider"            
$gsource = "GroupUnvlSecB"            
$gtarget = "GroupDmlSecB"            
$ou = "OU=TestGroups,DC=Manticore,DC=org"            
            
$m = Get-ItemProperty -Path ad:\"cn=$gsource,$ou" -Name member            
$members = @($m.member)            
Set-ItemProperty -Path ad:\"cn=$gtarget,$ou" -Name member -Value $members            
            
"`nQuest"            
$gsource = "GroupUnvlSecC"            
$gtarget = "GroupDmlSecC"            
Get-QADGroupMember -Identity $gsource |             
Add-QADGroupMember -Identity $gtarget            
            
            
"`nScript"            
$gsource = "GroupUnvlSecD"            
$gtarget = "GroupDmlSecD"            
            
$source = [adsi]"LDAP://cn=$gsource,$ou"            
$target = [adsi]"LDAP://cn=$gtarget,$ou"            
            
$source.member |            
foreach {            
  $target.Add("LDAP://$($_)")             
}

The two cmdlet based solutions involve getting the membership of the source group and piping it into a cmdlet that can add those members to a new group.

The provider simply gets the member property of the source group, converts it to an array and uses that to set the target group membership.

The script iterates through the members of the source group and uses the Add() method to add them to the new group.

New group from OU members

One topic that comes up fairly frequently is how to put all of the members of an OU into a group.

We combine

http://msmvps.com/blogs/richardsiddaway/archive/2012/02/24/list-users-in-an-ou.aspx

and

http://msmvps.com/blogs/richardsiddaway/archive/2012/02/26/adding-a-user-to-a-group.aspx

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -Filter * -SearchScope OneLevel |             
foreach {            
 Add-ADGroupMember -Identity GroupUnvlSecA -Members $($_.DistinguishedName)            
}            
            
"`nAD provider"            
$groupdn = "CN=GroupUnvlSecB,OU=TestGroups,DC=Manticore,DC=org"            
$members = @()            
            
Get-ChildItem -Path AD:\$ou  |             
where {$_.objectclass -eq "user"} |             
foreach {            
$members += $_.DistinguishedName
}            
            
Set-ItemProperty -Path ad:\$groupdn -Name member -Value $members            
            
"`nQuest"            
Get-QADUser -SizeLimit 3000 -SearchRoot $ou -SearchScope OneLevel |             
Add-QADGroupMember -Identity GroupUnvlSecC             
            
            
"`nScript"            
$groupdn = "CN=GroupUnvlSecD,OU=TestGroups,DC=Manticore,DC=org"            
$group = [adsi]"LDAP://$groupdn"            
            
$root = [ADSI]"LDAP://$ou"            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user))"            
$search.SizeLimit = 3000            
$search.SearchScope = "OneLevel"            
$results = $search.FindAll()            
            
foreach ($result in $results){            
 $result.Properties |             
 foreach {             
  $group.Add("LDAP://$($_.distinguishedname)")             
  $group.SetInfo()             
 }            
}

Discover all of the users in an OU using the techniques that we have seen before and then loop through them, adding the users to the group.

The provider will replace any existing members of the group; the others will just append the new members. In the case of the script an error will be thrown if the user is already a member.
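An added example, not code from the original posts, covering both the copy-membership post and the caveat just above: the copy is done as a comparison of the two member lists so it only adds what is missing (and optionally removes extras), which avoids the "already a member" error of the script version and the overwrite done by the provider version. It assumes the ActiveDirectory module; Sync-GroupMembership is a name made up here and the group names are the ones used in the posts.

```powershell
# Added example (not from the original posts). Re-runnable copy of group membership: only members
# missing from the target are added, so running it twice is harmless.
function Sync-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target,
        # also remove target members that are not in the source, i.e. mirror instead of append
        [switch]$RemoveExtra
    )

    # read the member attribute directly: Get-ADGroupMember stops at the server's result limit on
    # large groups and fails on foreign security principals, neither of which matters here
    $srcMembers = @((Get-ADGroup -Identity $Source -Properties member).member)
    $tgtMembers = @((Get-ADGroup -Identity $Target -Properties member).member)

    # distinguished names are compared as strings; case differences are handled by -notcontains
    $toAdd    = @($srcMembers | Where-Object { $tgtMembers -notcontains $_ })
    $toRemove = @($tgtMembers | Where-Object { $srcMembers -notcontains $_ })

    if ($toAdd.Count -gt 0) {
        # -Members takes a list of DNs, so this is one directory write rather than one per member
        Add-ADGroupMember -Identity $Target -Members $toAdd
    }
    if ($RemoveExtra -and $toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $Target -Members $toRemove -Confirm:$false
    }

    # summary of what was done, useful when the function runs from a scheduled task
    [pscustomobject]@{
        Source  = $Source
        Target  = $Target
        Added   = $toAdd.Count
        Removed = if ($RemoveExtra) { $toRemove.Count } else { 0 }
        Skipped = $srcMembers.Count - $toAdd.Count   # already present in the target
    }
}

Sync-GroupMembership -Source GroupUnvlSecA -Target GroupDmlSecA
```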

Posted by RichardSiddaway | with no comments

List group members

We have seen how to add a user to a group but what about finding out who is in the group

## lists the members of a group            
$groupdn = "CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org"            
$groupname = "GroupGblSecA"            
            
"`nMicrosoft"            
Get-ADGroupMember -Identity $groupname |            
Format-Table name, distinguishedname             
            
"`nAD provider"            
Get-ItemProperty ad:\$groupdn -Name member |            
select -ExpandProperty member |            
Format-Table            
            
"`nQuest"            
Get-QADGroupMember -Identity $groupname |            
Format-Table Name, DN            
            
            
"`nScript"            
$root = [ADSI]""            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=group)(cn=$groupname))"            
$search.SizeLimit = 3000            
$search.FindOne() |            
foreach {            
 $_.GetDirectoryEntry()  |            
  select -ExpandProperty member            
}

The Microsoft and Quest cmdlets work in a similar manner except that Quest renames distinguishedname to DN.

The provider does a Get-ItemProperty on the group's member attribute and then uses -ExpandProperty to display the members.

The script searches for the group and then gets a directory entry so the member property can be displayed. An alternative script would be

[adsi]"LDAP://$groupdn" |
select -ExpandProperty member

where we go straight to the directory entry for the group and expand the member property

Adding a user to a group

In this post http://msmvps.com/blogs/richardsiddaway/archive/2012/02/19/bulk-create-groups-script.aspx and subsequent posts we saw how to create security groups.

The memberof tab on the user’s properties shows to which groups the user belongs. One of the more common administration tasks in AD is adding or removing users from a group. This is how we do it in PowerShell

## adds users to groups            
$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$name = "UserA"            
Get-ADUser -Identity $name -Properties * |            
Add-ADPrincipalGroupMembership -MemberOf GroupGblSecA            
            
"`nAD provider"            
$name = "UserB"            
$grpmem = Get-ItemProperty ad:\"CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -Name member            
$members = @($grpmem.member)            
$members += "cn=$name,$ou"
Set-ItemProperty ad:\"CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -Name member -Value $members            
            
"`nQuest"            
$name = "UserC"            
Get-QADUser -Identity $name  |            
Add-QADGroupMember -Identity GroupGblSecA            
            
"`nScript"            
$group = [adsi]"LDAP://CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org"            
$name = "UserD"            
            
$group.Add("LDAP://cn=$name,$ou")             
$group.SetInfo()

 

The Microsoft and Quest cmdlets provide a cmdlet to achieve this task – with the Microsoft cmdlets we have to use Add-ADPrincipalGroupMembership rather than Add-ADGroupMember.

The provider treats the members of the group as an array so we use the standard technique of adding a member, using the user's distinguished name.

The script gets the group object and uses the Add() method – note that we have to give the whole LDAP string not just the distinguished name of the user

Using [wmiclass] accelerator and string substitution

Tripped over an interesting problem

I want to use the [wmiclass] accelerator because I need to find the key of a WMI class (code borrowed from PowerShell team blog – to be returned when I’ve finished with it)

 

$class = "Win32_Process"   # the class whose key we want; the original snippet assumed $class was already set

$t = [WMIClass]$class
$t.properties |
select @{Name="PName";Expression={$_.name}} -ExpandProperty Qualifiers |
where {$_.Name -eq "key"} |
foreach {"The key for the $class class is $($_.PName)"}

 

Now I wanted to add the namespace so I tried this

PS> $namespace="root\cimv2"
PS> $class="Win32_Process"
PS> [wmiclass]"\\.\$namespace:$class"
Cannot convert value "\\.\Win32_Process" to type "System.Management.ManagementClass". Error: "Invalid namespace "
At line:1 char:11
+ [wmiclass] <<<< "\\.\$namespace:$class"
    + CategoryInfo          : NotSpecified: (:) [], RuntimeException
    + FullyQualifiedErrorId : RuntimeException

 

Huh – of course root\cimv2 is valid

But it's not a WMI problem, it's a string substitution problem

because

PS> $target = "$namespace:$class"
PS> $target
Win32_Process

Oh – no namespace

It's because of the colon

The way we get round it is to escape the : using a backtick `

[wmiclass]"\\.\$namespace`:$class"

Which works

Just a little WMI quirk to be aware of
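An added example, not code from the original post: the key lookup from the post wrapped in a function that takes both the namespace and the class, building the WMI path with ${} so the colon cannot be swallowed into the variable name (the backtick escape from the post and the -f operator are shown as equivalents). Get-WmiKeyProperty is a name made up here; it assumes WMI is available on the local machine.

```powershell
# Added example (not from the original post). Returns the key property (or properties) of a WMI
# class in a given namespace, with the namespace:class path built safely.
function Get-WmiKeyProperty {
    param(
        [string]$Namespace = "root\cimv2",
        [Parameter(Mandatory)][string]$Class
    )

    # "\\.\$Namespace:$Class" does not work: "$Namespace:" is read as a drive-qualified variable
    # name and expands to nothing, which is the quirk the post describes.
    $path = "\\.\${Namespace}:${Class}"
    # equivalent ways of writing the same path:
    #   $path = "\\.\$Namespace`:$Class"
    #   $path = '\\.\{0}:{1}' -f $Namespace, $Class

    $wmiClass = [wmiclass]$path

    # a property carrying the "key" qualifier identifies an instance of the class
    foreach ($prop in $wmiClass.Properties) {
        $isKey = $prop.Qualifiers | Where-Object { $_.Name -eq 'key' }
        if ($isKey) {
            [pscustomobject]@{
                Namespace = $Namespace
                Class     = $Class
                Key       = $prop.Name
            }
        }
    }
}

Get-WmiKeyProperty -Class Win32_Process
Get-WmiKeyProperty -Namespace "root\cimv2" -Class Win32_LogicalDisk
```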

Renaming a user account

Sometimes we need to rename an account, possibly because a user has changed their name.

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$name = "UserA"            
Get-ADUser -Identity $name |             
Rename-ADObject -NewName "UserAA"            
            
"`nAD provider"            
$name = "UserB"            
$dn = "cn=$name,$ou"            
Rename-Item -Path AD:\$dn  -NewName "cn=UserBB" -Force            
             
"`nQuest"            
$name = "UserC"            
Get-QADUser -Identity $name -SizeLimit 3000 |            
Rename-QADObject -NewName "UserCC"            
            
## works but throws an error
"`nScript"            
$name = "UserD"            
$dn = "cn=$name,$ou"            
$newou = [adsi]"LDAP://$ou"            
            
$user = [adsi]"LDAP://$dn"            
$user.MoveTo($newou, "UserDD")

The cmdlets provide a cmdlet to rename AD objects

The provider uses Rename-Item. My testing shows that a Get-Item | Rename-Item structure will not work. The path has to be explicitly given to Rename-Item

The script uses the MoveTo method to move the object to the same OU but change its name during the move. An error message will be produced but the action is performed correctly

AD Search Scopes

In AD we can define a scope for our search. In most of the examples we have seen we are starting at the root of the domain and searching every OU. This is the default – also known as a SubTree search i.e. it searches all children of the defined container.

 

These examples use Get-ADUser but we could use the Quest cmdlets or a script. The provider, though, is limited to either the defined container or the defined container plus all of its child containers.

 

$ou = "OU=BlogTests,DC=Manticore,DC=org"
$user = "cn=usera,OU=BlogTests,DC=Manticore,DC=org"

"`nDefault Scope"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -Filter * |
Format-Table Name, DistinguishedName

"`nBase"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName

"`nOneLevel"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope OneLevel -Filter * |
Format-Table Name, DistinguishedName

"`nSubTree"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope SubTree -Filter * |
Format-Table Name, DistinguishedName

"`nBase Examples"
"single user"
Get-ADUser -ResultSetSize 3000 -SearchBase $user -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName

"single object"
Get-ADObject -ResultSetSize 3000 -SearchBase $ou -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName

 

The scope options are:

  • Base
  • OneLevel
  • SubTree

SubTree is the defined container and all child containers, including their children and so on.

OneLevel is the immediate children of the defined container only; it does not descend into child containers.

Base is an oddity – it returns the object that is defined! So when we ask for all users in an OU using a Base scope we get nothing back, because the OU itself is not a user. If we give a specific user, or we use Get-ADObject, we get that individual user or object returned!

List users in an OU

Just for completeness this is the code to list the users in an OU. It forms the basis of any bulk modification activity that is based on OU membership.

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -Filter * |             
Format-Table Name, DistinguishedName            
            
"`nAD provider"            
Get-ChildItem -Path AD:\$ou  |             
where {$_.objectclass -eq "user"} |             
Format-Table Name, DistinguishedName            
            
"`nQuest"            
Get-QADUser -SizeLimit 3000 -SearchRoot $ou |             
Format-Table Name, DN            
            
            
"`nScript"            
            
$root = [ADSI]"LDAP://$ou"            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user))"            
$search.SizeLimit = 3000            
$results = $search.FindAll()            
            
foreach ($result in $results){            
    $result.Properties |             
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}            
}

Modifying all users in an OU

A question was submitted via my blog asking how to set all accounts in an OU not to expire.  This can be split into two parts:

  1. Find the user accounts in a particular OU
  2. Set them not to expire

These two posts showed how to get the users in an OU tree:

http://msmvps.com/blogs/richardsiddaway/archive/2012/01/03/get-ad-users-in-an-ou-tree.aspx

http://msmvps.com/blogs/richardsiddaway/archive/2012/01/04/ad-provider-get-all-users-in-an-ou.aspx

While this post covers removing an expiry date from an account the same principles apply to any update

Let's put the two together

$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -Filter * |             
Set-ADUser -Replace @{accountExpires = 0}            
            
"`nAD provider"            
Get-ChildItem -Path AD:\$ou  |             
where {$_.objectclass -eq "user"} |             
foreach {            
 $dn = "cn=$($_.name),$ou"            
 Set-ItemProperty -Path AD:\$dn  -Name accountExpires -Value "0" -Force            
}            
            
"`nQuest"            
Get-QADUser -SizeLimit 3000 -SearchRoot $ou |             
Set-QADUser -ObjectAttributes @{accountExpires = 0}            
            
"`nScript"            
            
$root = [ADSI]"LDAP://$ou"            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user))"            
$search.SizeLimit = 3000            
$search.FindAll() |            
foreach {            
  $user = $_.GetDirectoryEntry()            
  $user.Put("accountExpires", 0)            
  $user.SetInfo()            
}

For the cmdlets we use Get-ADUser or Get-QADUser with the search root pointing to the appropriate OU. The results are piped into the matching set cmdlet.

For the provider we pipe the results into foreach and use Set-ItemProperty on the attribute. Notice how we create the distinguished name – we could use the distinguished name property but I just adapted the code for dealing with a single user.

The script does an LDAP search of the OU and pipes the results in to foreach. The GetDirectoryEntry() method is used and the resultant object has the account expiry date set to zero.

Removing the no preauthentication required setting

Our final act on the account tab is to discover how we remove this setting.

$ou = "OU=England,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$name = "UserA"            
Get-ADUser -Identity $name |            
Set-ADAccountControl -DoesNotRequirePreAuth:$false            
            
"`nAD provider"            
$name = "UserB"            
$dn = "cn=$name,$ou"            
# clear the bit with -band and the complement; -bxor would toggle it and set the flag on an account that does not have it
$flag = (Get-ItemProperty -Path AD:\$dn  -Name useraccountcontrol).useraccountcontrol -band (-bnot 4194304)
Set-ItemProperty -Path AD:\$dn  -Name useraccountcontrol -Value "$flag" -Confirm:$false            
            
"`nQuest"            
$name = "UserC"            
$user = Get-QADUser -Identity $name -IncludeAllProperties            
            
# clear the bit with -band and the complement; -bxor would toggle it and set the flag on an account that does not have it
$flag = $user.userAccountControl -band (-bnot 4194304)
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}
            
"`nScript"            
$name = "UserD"            
$dn = "cn=$name,$ou"            
$user = [adsi]"LDAP://$dn"            
            
# clear the bit with -band and the complement; -bxor would toggle it and set the flag on an account that does not have it
$flag = $user.userAccountControl.value -band (-bnot 4194304)
$user.userAccountControl = $flag            
            
$user.SetInfo()

It's just the reverse of adding the setting: the DONT_REQ_PREAUTH bit (4194304) is cleared from userAccountControl.

Discovering Users that do not require Kerberos pre-authentication

As this setting is controlled by the useraccountcontrol attribute we need the usual LDAP search, this time using the bitwise AND matching rule (1.2.840.113556.1.4.803) so that only accounts with the 4194304 (0x400000, DONT_REQ_PREAUTH) bit set are returned.

$ou = "OU=England,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" |             
Format-Table Name, DistinguishedName            
            
            
"`nAD provider"            
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |            
Format-Table Name, DistinguishedName            
            
            
            
"`nQuest"            
Get-QADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" |            
Format-Table Name, DN            
            
"`nScript"            
$root = [ADSI]""            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"            
$search.SizeLimit = 3000            
$results = $search.FindAll()            
            
foreach ($result in $results){            
    $result.Properties |             
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}            
}
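An added example, not code from the original posts, serving both the removal post and the discovery post above: small helpers for the userAccountControl bit that set, clear and test a flag without the toggle behaviour of -bxor, plus a builder for the bitwise LDAP filter. The flag values and the matching-rule OID are the documented Active Directory ones; the function names and the account walkthrough values are made up here.

```powershell
# Added example (not from the original posts). Clearing a flag with -bxor only works when the flag
# is currently set; on an account that does not have it, -bxor switches it on. -band with the
# complement clears it unconditionally, so the operation can be repeated safely.
$UacFlag = @{
    ACCOUNTDISABLE       = 0x000002
    DONT_EXPIRE_PASSWORD = 0x010000
    DONT_REQ_PREAUTH     = 0x400000    # 4194304, the value used in the posts above
}

function Test-UacFlag {
    # true when every bit of $Flag is set in $UserAccountControl
    param([int]$UserAccountControl, [int]$Flag)
    ($UserAccountControl -band $Flag) -eq $Flag
}

function Set-UacFlag {
    # returns $UserAccountControl with $Flag set; calling it again changes nothing
    param([int]$UserAccountControl, [int]$Flag)
    $UserAccountControl -bor $Flag
}

function Clear-UacFlag {
    # returns $UserAccountControl with $Flag cleared; calling it again changes nothing
    param([int]$UserAccountControl, [int]$Flag)
    $UserAccountControl -band (-bnot $Flag)
}

function New-UacLdapFilter {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise AND rule: matches when all bits of $Flag are set
    param([int]$Flag)
    "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=$Flag))"
}

# Walk through the arithmetic on a plain enabled account (NORMAL_ACCOUNT = 512):
# 512 -bor 4194304 is 4194816; clearing takes it back to 512 and clearing a clean account leaves 512.
# 512 -bxor 4194304 is also 4194816, which is the trap: it adds the flag to an account that lacked it.
$plain     = 512
$noPreauth = Set-UacFlag   -UserAccountControl $plain     -Flag $UacFlag.DONT_REQ_PREAUTH
$cleared   = Clear-UacFlag -UserAccountControl $noPreauth -Flag $UacFlag.DONT_REQ_PREAUTH
$unchanged = Clear-UacFlag -UserAccountControl $plain     -Flag $UacFlag.DONT_REQ_PREAUTH
$toggled   = $plain -bxor $UacFlag.DONT_REQ_PREAUTH
"{0} -> set {1} -> cleared {2}; clearing a clean account gives {3}; -bxor on a clean account gives {4}" -f `
    $plain, $noPreauth, $cleared, $unchanged, $toggled

# Find every account with the flag and clear it the ADSI way, as in the posts' "Script" sections
Get-ADUser -LDAPFilter (New-UacLdapFilter -Flag $UacFlag.DONT_REQ_PREAUTH) -Properties userAccountControl |
ForEach-Object {
    $entry = [adsi]"LDAP://$($_.DistinguishedName)"
    $current = $entry.userAccountControl.Value
    if (Test-UacFlag -UserAccountControl $current -Flag $UacFlag.DONT_REQ_PREAUTH) {
        $entry.userAccountControl = Clear-UacFlag -UserAccountControl $current -Flag $UacFlag.DONT_REQ_PREAUTH
        $entry.SetInfo()
        "cleared DONT_REQ_PREAUTH on $($_.SamAccountName)"
    }
}
```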