Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to modify the sign-in script and profile path in Active Directory.
Hey, Scripting Guy! We are in the middle of an Active Directory migration (primarily moving our client computers from Windows XP to Windows 8). We are also consolidating our file servers and our profile servers. We have multiple sites, and in the past, each site had one or more domain controllers, multiple file and print servers, and other stuff as needed.
Now, we are collapsing that infrastructure into a single server running Hyper-V. Needless to say, our profiles will be moving to different servers, and we will also be changing our sign-in scripts. So I need an easy way to modify these settings for our users. The new servers will be based on the user’s city locations. Can you help?
—RA
Hello RA,
Microsoft Scripting Guy, Ed Wilson, is here. Things have been busy around the Scripting House. I got up early to check the scripter@microsoft.com email and to write a couple of proposals for Windows PowerShell Saturday in Atlanta. According to Mark, I will be making two presentations—one for the beginner track and one for the advanced track. In addition, I have been working on my presentation that I will be conducting remotely for Windows PowerShell Saturday in Singapore.
Find the attribute names
The first thing we need to do is to find the ADSI attribute names for the profile path and for the sign-in script. I open up one of the user profiles and type some bogus information so that I can find the attributes in ADSI Edit. Here is the page from Active Directory Users and Computers:
Now I navigate to the same user object in ADSI Edit and look up the ADSI property names. The names make sense: ProfilePath and ScriptPath. This is shown here:
Get the information from AD DS
Now I need to retrieve the information from Active Directory Domain Services (AD DS). I could do all this from inside the Windows PowerShell console, but I decided to use the Windows PowerShell ISE instead. It has better IntelliSense, and for something like this, it makes things a bit more readable. I decide to use a couple of variables to hold the organizational unit (OU) and the properties that I need to retrieve. I then use Get-ADUser to retrieve the information. Here is this portion of the script:
Import-Module ActiveDirectory
$ou = "OU=Testou,Dc=Iammred,Dc=Net"
$properties = "ProfilePath","ScriptPath","l"
Get-ADUser -Filter * -SearchBase $ou -Properties $properties
I can highlight only this section of the script to test it. After I see that it works, I pipe the returned information to the ForEach-Object cmdlet. The hardest part of the script is to create the profile path and the script path. I decide to use parameter substitution and the Format operator to do this because, for me anyway, it is easier to read.
I build the profile path based on the city name. I then add Storage1 (which is the name of the storage server) and Profiles (which is the name of the folder that holds the profiles). Next, I use the user’s SamAccountName attribute. Here is the string:
$ProfilePath = "{0}\storage1\profiles\{1}" -f $_.l, $_.SamAccountName
Now, to create the script path. To do that, I again use the city name. I also store the scripts in Storage1, and I place them in a folder named Scripts. The sign-in script is based on the city name and the word LogonScript. Therefore, I am only substituting a single word: the city name, which is the l attribute. Here is the string I use for this:
$ScriptPath = "{0}\storage1\scripts\{0}_logonScript.ps1" -f $_.l
The rest is really easy. All I need to do is to use the Set-ADUser cmdlet to plug in the values. Here is that command:
Set-ADUser $_.samaccountname -ProfilePath $ProfilePath -ScriptPath $ScriptPath
The complete script is shown here:
Import-Module ActiveDirectory
$ou = "OU=Testou,Dc=Iammred,Dc=Net"
$properties = "ProfilePath","ScriptPath","l"
Get-ADUser -Filter * -SearchBase $ou -Properties $properties |
    ForEach-Object {
        $ProfilePath = "{0}\storage1\profiles\{1}" -f $_.l, $_.SamAccountName
        $ScriptPath = "{0}\storage1\scripts\{0}_logonScript.ps1" -f $_.l
        Set-ADUser $_.samaccountname -ProfilePath $ProfilePath -ScriptPath $ScriptPath
    }
When I run the script, nothing returns. But that is what I want (I really do not want a whole bunch of errors). Here is the ISE and the blank output from running the script:
I check Active Directory Users and Computers to ensure that everything worked as planned. It is fine, as shown here:
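Because the script writes to every user in the OU and returns nothing, it helps to build a reviewable plan first. The following is an added example, not part of the original post: the function name Get-PlannedPathChange, the $AllowedCities list, and the sample users are assumptions made for illustration. It skips users whose l attribute is empty or not an expected site name, and it records the old values so that a change can be reversed.

```powershell
# Added example: plan ProfilePath/ScriptPath changes before writing them.
# $AllowedCities and the sample users below are constructed for illustration.
$AllowedCities = 'Charlotte', 'Atlanta'

function Get-PlannedPathChange {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [string[]] $Cities
    )
    process {
        $city = "$($User.l)".Trim()
        # An empty or unexpected city would produce a malformed path,
        # so skip the user and warn instead of writing it.
        if ($Cities -notcontains $city) {
            Write-Warning "Skipping $($User.SamAccountName): unexpected city '$city'"
            return
        }
        $profilePath = '{0}\storage1\profiles\{1}' -f $city, $User.SamAccountName
        $scriptPath  = '{0}\storage1\scripts\{0}_logonScript.ps1' -f $city
        # Emit a record only when something would actually change.
        if ($User.ProfilePath -ne $profilePath -or $User.ScriptPath -ne $scriptPath) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                OldProfilePath = $User.ProfilePath
                NewProfilePath = $profilePath
                OldScriptPath  = $User.ScriptPath
                NewScriptPath  = $scriptPath
            }
        }
    }
}

# Constructed sample input standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user1'; l = 'Charlotte'; ProfilePath = $null; ScriptPath = $null }
    [pscustomobject]@{ SamAccountName = 'user2'; l = $null;       ProfilePath = $null; ScriptPath = $null }
    [pscustomobject]@{ SamAccountName = 'user3'; l = 'Unknown';   ProfilePath = $null; ScriptPath = $null }
)
$plan = $sample | Get-PlannedPathChange -Cities $AllowedCities
$plan | Format-Table SamAccountName, NewProfilePath, NewScriptPath

# Against the directory (requires the ActiveDirectory module); keep -WhatIf
# until the plan has been reviewed:
# Get-ADUser -Filter * -SearchBase $ou -Properties ProfilePath, ScriptPath, l |
#     Get-PlannedPathChange -Cities $AllowedCities |
#     ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ProfilePath $_.NewProfilePath `
#         -ScriptPath $_.NewScriptPath -WhatIf }
```

With the sample input, only user1 appears in the plan; user2 and user3 produce warnings. Piping $plan to Export-Csv before removing -WhatIf keeps a record of the previous values.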
RA, that is all there is to using Windows PowerShell to create values for the sign-in script and the profile path. Active Directory Week will continue tomorrow when I will talk about logging an attribute change.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy