Summary: Learn how to use Windows PowerShell and the Active Directory cmdlets to find and replace missing email addresses.
Hey, Scripting Guy! I am hoping you can help me. We recently decommissioned a domain and moved all the users from that domain into an organizational unit (OU) under our corporate domain. This has simplified maintenance, and is generally a good thing. The problem is I now need to create mail addresses for all of my users. I do not want to do this manually. Now here is the thing. We have already begun creating email addresses for some of the users in this new domain. I am hoping I can create a Windows PowerShell script that will search the OU for users that do not have an email address, and then I would like to take that list of users and create new email addresses for each of the users.
I would like to keep their user account name and append it with our top-level domain name. After the list of new email addresses has been created, I would like to apply the email addresses to the user accounts in the OU. The reason I cannot just blast through the OU and add/replace email addresses is because some of the email addresses in the OU do not conform to the username@mydomain.com format. My boss has given me a week to come up with the script; after that time, he is going to hire a consulting company to do this. It would be really great if I could get this done before that time. Can you help me?
—AN
Hello AN,
Microsoft Scripting Guy Ed Wilson here. About three years ago, I wrote a pretty cool Windows PowerShell script that searched through Active Directory and found missing attributes. The script was not super easy, and took a little time to write (not weeks, however). That was before we had the Microsoft Active Directory cmdlets. Now, I can run a single command that locates users with missing mail attributes. In fact, I can also pipe the results of that query, and set the missing attribute in the same command. Pretty cool! You should be able to run the command, go lie on the beach for a week, and return tanned, relaxed, and a hero to your boss because you avoided hiring a consultant.
I do not have the Remote Server Administration Tools (RSAT) installed on my laptop, but with Windows PowerShell, that is not a problem. I use Windows PowerShell remoting to connect to a remote domain controller. I chose one that I knew was near me, but I could have allowed Windows PowerShell to connect to any domain controller that was not busy. I connect to the domain controller by using the Enter-PSSession command and specifying the name of the domain controller. This command is shown here:
PS C:\Users\Administrator.NWTRADERS> Enter-PSSession dc1
The next thing I do is import the ActiveDirectory module and change my working directory (to give myself a bit of extra room on the command line). These commands are shown here:
[dc1]: PS C:\Users\Administrator\Documents> Import-Module act*
[dc1]: PS C:\Users\Administrator\Documents> sl c:\
The next thing I do is create a query that returns all of the users that do not have an email address. I pipe the results to the Measure-Object cmdlet, which counts how many users do not have an email address. There are a couple of things to notice in the query. The first is that I set the ResultSetSize parameter to $null. This causes the command to return all the objects. If I wanted to return only one object, I would use -ResultSetSize 1. The second is that the exclamation point (!) is the not operator. Therefore, the LDAPFilter means show me all users that do not have the mail attribute set to anything (the asterisk is the wildcard character for anything):
[dc1]: PS C:\> Get-ADUser -LDAPFilter "(!(mail=*))" -resultSetSize $null | Measure-Object
Count : 2536
Average :
Sum :
Maximum :
Minimum :
Property :
I now decide to limit my query to only the organizational unit (OU) that contains the users with the missing email addresses. To do this, I use the searchbase parameter. The command is shown here:
[dc1]: PS C:\> Get-ADUser -LDAPFilter "(!(mail=*))" -resultSetSize $null -searchbase "ou=test,dc=nwtraders,dc=com"
After I see that the query returns the appropriate user objects, I send the results to the ForEach-Object cmdlet (the alias is %). Inside the ForEach-Object script block, I call the Set-ADUser cmdlet to modify each Active Directory account that the query returns with a newly created email address. The Set-ADUser cmdlet needs to know which user to connect to, so I pass the distinguishedname attribute to the identity parameter. The Set-ADUser cmdlet contains an EmailAddress parameter (abbreviated here as -email), and nothing special is required to set an email value (note the email address attribute in Active Directory is called mail, but the cmdlet uses email to help avoid confusion). I create the email address by getting the samaccountname attribute and concatenating it with "@nwtraders.com". The command is one logical line (I did not add any line continuation characters, so as to avoid extra garbage. I also removed the PS> prompt, so that only the command remains. Obviously, you would need to modify the OU and the email suffix):
Get-ADUser -LDAPFilter "(!(mail=*))" -resultSetSize $null -searchbase "ou=test,dc=nwtraders,dc=com" | % {Set-ADUser -identity $_.distinguishedname -email ($_.samaccountname + "@nwtraders.com")}
As shown in the following figure, the command created a new email address for the user; the command worked like a champ.
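A more cautious form of the one-line command above, added here as an example (it is not code from the original post): it previews with -WhatIf by default, skips account names that would not make a clean address, skips addresses that another object in the domain already holds in mail or proxyAddresses, and writes a CSV record of every decision. The $LogPath location, the $Apply switch, and the allowed-character pattern are assumptions.

```powershell
# Added example, not from the original post. The OU and suffix are the page's
# values; $LogPath, $Apply and the name pattern are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'ou=test,dc=nwtraders,dc=com'
$Suffix     = '@nwtraders.com'
$LogPath    = 'C:\mail-backfill.csv'   # assumed location for the audit record
$Apply      = $false                   # $false = preview only (-WhatIf)
$preview    = -not $Apply

$users = Get-ADUser -LDAPFilter '(!(mail=*))' -ResultSetSize $null -SearchBase $SearchBase

$results = foreach ($u in $users) {
    $address = $u.SamAccountName + $Suffix

    if ($u.SamAccountName -notmatch '^[A-Za-z0-9._-]+$') {
        # Names with spaces, parentheses, etc. would yield a malformed address
        # and would need escaping before use in the LDAP filter below.
        $status = 'skipped: unexpected characters in name'
    }
    elseif (Get-ADObject -ResultSetSize 1 -LDAPFilter "(|(mail=$address)(proxyAddresses=smtp:$address))") {
        # Another object in the domain already claims this address.
        $status = 'skipped: address already in use'
    }
    else {
        try {
            Set-ADUser -Identity $u.DistinguishedName -EmailAddress $address -WhatIf:$preview -ErrorAction Stop
            $status = if ($Apply) { 'set' } else { 'preview' }
        }
        catch {
            $status = "failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName
        Address           = $address
        Status            = $status
    }
}

# The CSV doubles as a rollback list: every row marked 'set' had no mail value before.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Count, Name
```

Review the preview CSV first, then set $Apply to $true and run it again to write the addresses.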
Well, AN, that is it. Thanks for an interesting question. I invite you to join me tomorrow for more Windows PowerShell goodness.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy