In this article, we will briefly highlight a number of attributes that (mostly) exist from the beginning in Active Directory (AD). We will focus on the attributes that I would classify as serving for personnel records of employees. These include information about the department the employee works in, the title of their job position, their phone extension, and perhaps also their manager. I would also include the user's photo, which we discussed in the previous article Active Directory - user photos not only for Outlook 2010.
If we use an Exchange server for email, we take it for granted that the email address is linked to the user's name and that the Global Address List is created automatically. What we may not have realized is that a lot of other data can be linked the same way. The newer versions of MS Outlook 2007 and especially Outlook 2010 increase the integration with data from AD (and not only from AD, but also from various social networks) and can display a number of details about the user. So wherever a user from AD (or from our contact list) appears, we can hover over the name to display the relevant user information. The user photos that Outlook 2010 also takes from AD look very nice and are useful.
The following description is based on using the Windows Server 2008 R2 domain, the Windows 7 client, the Outlook 2010 application together with the Exchange Server 2007 server.
Using PowerShell to Edit Active Directory
We will perform the configuration from a Windows 7 station where we have installed the Remote Server Administration Tools (RSAT). To have the PowerShell commands for Active Directory (AD) available, we need to activate this feature in Turn Windows Features On or Off - Remote Server Administration Tools - Role Administration Tools - AD DS and AD LDS Tools - Active Directory Module for Windows PowerShell.
Then we can use the Active Directory PowerShell Snap-In (from Administrative Tools) or (in my opinion better) Windows PowerShell ISE (Accessories - Windows PowerShell), a simple GUI for PowerShell, which I will use from here on. In either case, we must run the PowerShell interface with domain admin rights (or as a user who has permission to make changes in AD). So we Shift + right-click the shortcut and choose Run as different user in the context menu.
If we use PowerShell ISE, we must first import the ActiveDirectory module after each startup to have the AD commands available.
Import-Module ActiveDirectory
Personnel Data Using PowerShell
In AD (or LDAP), there are a number of attributes that do not play a role in authentication/authorization, but provide additional information about the user. We can set individual attributes using the GUI Active Directory Users and Computers (ADUC), either through the user properties interface (tabs General, Address, Telephones, Organization) or directly into the attribute values (tab Attribute Editor or ADSIEdit application). Or using PowerShell, which we will certainly use if we want to add data to a large number of users in bulk. It's easy to create an export of data from the HR system and transform it into a PowerShell script that sets all our accounts.
Some of these attributes, along with the PowerShell command to set them, are listed in the following paragraphs.
Organizational Data
Data that stems from the company's organizational structure, such as the company name, division, department, office, and job title.
Set-ADUser bouska -Company "Firm Ltd."
Set-ADUser bouska -Division "Technical Division"
Set-ADUser bouska -Department "IT"
Set-ADUser bouska -Title "IT Manager"
Set-ADUser bouska -EmployeeID "1"
An interesting option is also to set the management structure, i.e., we can select a different user as the manager for each user. For managers, we then see a list of their subordinates, and for each employee, we can trace the entire organizational structure. This function can also be used in the Outlook calendar, where teams are automatically generated, and we can easily open (if we have the necessary permissions) the calendars of our colleagues in the department or our subordinates.
Set-ADUser bouska -Manager boss
Contact Information
Among the contact information, we can have an address, a number of phone numbers, an email, etc.
Note: The LDAP attribute telephoneNumber is set here via the OfficePhone parameter!
Set-ADUser bouska -Office "Prague"
Set-ADUser bouska -StreetAddress "Street 50"
Set-ADUser bouska -City "Prague 1"
Set-ADUser bouska -PostalCode "10000"
Set-ADUser bouska -Country "CZ"
Set-ADUser bouska -OfficePhone "111"
Set-ADUser bouska -Mobile "+420123456789"
Different Configuration Methods
As mentioned above, the Set-ADUser command is used to set the user parameters, its description is in the MS document Set-ADUser. To read the values, we can similarly use the Get-ADUser command.
If we are setting several attributes for a single user, we don't have to set them one by one; we can set them all in a single command.
Set-ADUser bouska -StreetAddress "Street 50" -City "Prague 1" -PostalCode "10000" -Country "CZ"
We can also set the same attribute for multiple users. For example, for all those located in a particular Organizational Unit (OU).
Get-ADUser -Filter * -SearchBase "OU=Firm,DC=firm,DC=local" | Set-ADUser -StreetAddress "Street 50" -City "Prague 1" -PostalCode "10000" -Country "CZ"
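As an added example (not code from the original article), this is how the HR export mentioned earlier can be turned into one bulk update that covers the organizational data, the contact information and the manager link from the sections above. The CSV column names, the sample rows and the OU are assumptions; the export is constructed inline here instead of being read from a file:

```powershell
# Added example: bulk-load personnel data from a constructed HR export.
# Column names, rows and the OU are assumptions, not the article's own data.
Import-Module ActiveDirectory

# Constructed sample of an HR export; in practice use Import-Csv -Path hr.csv
$hr = @'
SamAccountName,EmployeeID,Department,Title,OfficePhone,Mobile,ManagerEmployeeID
bouska,1,IT,IT Manager,111,+420123456789,
novak,2,IT,Administrator,112,,1
'@ | ConvertFrom-Csv

foreach ($row in $hr) {
    # Only touch accounts that really exist in the target OU
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" `
                       -SearchBase 'OU=Firm,DC=firm,DC=local'
    if (-not $user) {
        Write-Warning "Account $($row.SamAccountName) not found, skipping"
        continue
    }

    # Pass only the attributes the export actually supplies, so an empty
    # cell does not wipe a value that is already set in AD
    $params = @{ Identity = $user }
    foreach ($attr in 'EmployeeID', 'Department', 'Title', 'OfficePhone', 'Mobile') {
        if ($row.$attr) { $params[$attr] = $row.$attr }
    }

    # Resolve the manager by EmployeeID instead of trusting a free-text name
    if ($row.ManagerEmployeeID) {
        $mgr = Get-ADUser -Filter "EmployeeID -eq '$($row.ManagerEmployeeID)'"
        if ($mgr) { $params['Manager'] = $mgr.DistinguishedName }
        else { Write-Warning "Manager $($row.ManagerEmployeeID) of $($row.SamAccountName) not found" }
    }

    # Dry run first; drop -WhatIf once the reported changes look right
    Set-ADUser @params -WhatIf
}
```

Because the values come from an external system, keep the -WhatIf run until the output matches the HR data, and treat the export as untrusted input (quotes in a cell would break the -Filter strings above).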
Creating a User and Mailbox
This is not directly related to the above, but since we are configuring users with PowerShell, we'll add the command that creates a user together with a mailbox on the Exchange 2007 server. If we use PowerShell ISE instead of the Exchange Management Shell, we must first load the Exchange server commands.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
We create the user with the default password 123456 and specify the container in which the account will be created.
$pass = ConvertTo-SecureString -AsPlainText -Force -String '123456'
New-Mailbox -Name 'Petr Bouška' -Alias 'bouska' -OrganizationalUnit 'firm.local/Firm' -UserPrincipalName 'bouska@firm.local' -SamAccountName 'bouska' -FirstName 'Petr' -Initials '' -LastName 'Bouška' -Password $pass -ResetPasswordOnNextLogon $false -Database 'MAIL\First Storage Group\Mailbox Database' -ActiveSyncMailboxPolicy 'Default'
We can also immediately add the user to some default groups.
Add-ADPrincipalGroupMembership -Identity bouska -MemberOf 'G Employees'
Hello, I would like to ask how I can neutralize the blocking of a web page using PowerShell ISE?
reply to [1]Diego: format c colon