Does anyone know of a way to query the UNIX attribute msSFU30MaxUidNumber in Active Directory with PowerShell? I'm working on a script that will assign Unix attributes to users as needed. I also have the Quest AD PowerShell module available.
How do I query msSFU30MaxUidNumber attribute with Powershell?
4.5k views Asked by mwalkerii At
There are 3 answers
0
On
Since you have the Quest AD cmdlets available, here's something quick based on JPBlanc's answer. It assumes that you are running your script with an account that already has privileges on the relevant AD attributes:
# The -IncludedProperties parameter is needed because msSFU30MaxUidNumber is not part of Get-QADObject's default attribute set
$ypDomain = Get-QADObject -Identity "cn=myYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr" -IncludedProperties msSFU30MaxUidNumber
$maxUidNumber = $ypDomain.msSFU30MaxUidNumber
$newMaxUidNumber = $maxUidNumber + 1
# Sets the msSFU30UidNumber attribute for User1
Get-QADUser -samAccountName User1 | Set-QADUser -objectAttributes @{msSFU30UidNumber = $newMaxUidNumber}
# Increments the msSFU30MaxUidNumber for the YP domain.
$ypDomain | Set-QADObject -objectAttributes @{msSFU30MaxUidNumber = $newMaxUidNumber}
0
On
I borrowed this to set UNIX attributes (NISdomain, GID, loginshell, UIDnumber, UID) http://danieltromp.com/2014/06/09/powershell-ad-enable-unix-attributes/.
I updated it so it also updates the stored msSFU30MaxUidNumber. All scripts I've seen forget this. Prevents issues with duplicate UIDnumbers if you use ADUC to set UNIX attributes in the future (or even if you run the script again against another OU):
Remove-Variable -Name * -Force -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
$NIS = Get-ADObject "CN=DOMAIN,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=Domain,DC=com" -Properties:* #Get NIS server information
$maxUid = $NIS.msSFU30MaxUidNumber #Get the last used User ID
$usuarios = Get-ADUser -Filter * -SearchBase "OU=NAME,OU=NAME,OU=NAME,DC=Domain,DC=com" -Properties:* #Get all users
foreach($usr in $usuarios)
{
    if ($usr.mssfu30nisdomain -eq $null){
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{mssfu30nisdomain="Domain"} #Enable NIS
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{gidnumber="10005"} #Set Group ID
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{loginShell="/bin/bash"} #Set Login Shell
        $maxUid++ #Raise the User ID number
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{uidnumber=$maxUid} #Set User ID number
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{uid=$usr.SamAccountName} #Set UID
        Write-Host -Backgroundcolor Green -Foregroundcolor Black $usr.SamAccountName changed #Write Changed Username to console
    }
    else{Write-Host -Backgroundcolor Yellow -Foregroundcolor Black $usr.SamAccountName unchanged} #Write Unchanged Username to console with a yellow background
}
# Store the last User ID assigned above back on the NIS domain object.
# $maxUid is written as-is: it already holds the last UID handed out in the loop, so no further increment is needed.
$NIS | Set-ADObject -Replace @{msSFU30MaxUidNumber = $maxUid}
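Both scripts above read the counter, assign a UID, and write the counter back, so two concurrent runs (or a UID set by hand) can still produce duplicates. The following is an added example, not code from any of the answers: a hypothetical helper `Get-NextUnixUid` that skips UIDs already in use and only advances `msSFU30MaxUidNumber` if it still holds the value that was read. It assumes the counter means "last UID assigned", as the answers here treat it, and that the directory rejects removal of a value that is no longer present.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (added example): reserves the next free UID number.
function Get-NextUnixUid {
    param(
        [Parameter(Mandatory)] [string] $NisDomainDn,  # DN of the NIS domain object under cn=ypservers
        [int] $MaxAttempts = 5
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # Fetch only the attribute we need instead of -Properties *
        $nis = Get-ADObject -Identity $NisDomainDn -Properties msSFU30MaxUidNumber
        $old = [int]$nis.msSFU30MaxUidNumber
        $candidate = $old + 1

        # Skip any UID already held by a user, e.g. one set by hand or by a
        # script that never updated the counter.
        while (Get-ADUser -LDAPFilter "(uidNumber=$candidate)" -ResultSetSize 1) {
            $candidate++
        }

        try {
            # Remove the exact value we read and add the new one in one call.
            # If another run changed the counter in the meantime, the remove
            # no longer matches, the call fails, and we re-read and retry.
            Set-ADObject -Identity $nis `
                -Remove @{ msSFU30MaxUidNumber = $old } `
                -Add    @{ msSFU30MaxUidNumber = $candidate } `
                -ErrorAction Stop
            return $candidate
        }
        catch {
            Write-Warning "Counter changed or write failed (attempt $attempt): $($_.Exception.Message)"
        }
    }
    throw "Could not reserve a UID after $MaxAttempts attempts."
}

# Usage (DN is the placeholder from the answer above; User1 is a sample account):
# $uid = Get-NextUnixUid -NisDomainDn "CN=DOMAIN,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=Domain,DC=com"
# Set-ADUser -Identity User1 -Replace @{ uidNumber = $uid }
```

The check only protects writers talking to the same domain controller, so point every allocation at one DC. The duplicate search covers user objects only.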
It seems that you can find the highest value assigned so far stored in the msSFU30MaxUidNumber attribute on cn=yourYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr.
Here is a script given as is: I'm not able to test it in my configuration now, I just wrote a short translation to PowerShell from the VBScript found in a Microsoft Consulting France document (page 17).