40 Common Actions For Active Directory and Exchange User Accounts
[INSTALL]
In a PowerShell 5 or 7 terminal session (PowerShell 7 is a much better choice):
Install Cimitra's Active Directory and Exchange Script with the command below. Copy and paste the command into your PowerShell terminal on a Windows Server that has the Cimitra Agent for Windows installed. This same Windows Server should also be an Active Directory Domain Controller.
iwr https://git.io/Jc5YN | iex
Go to the directory c:\cimitra\scripts\ad
cd c:\cimitra\scripts\ad
Run: ./cimitra_active_directory_and_exchange.ps1
Edit the settings.cfg file to specify the Exclude Group. See more about the Exclude Group below.
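An alternative to piping the download straight into iex on a Domain Controller, as an added example that is not part of Cimitra's instructions: save the installer to disk, record its hash, list the further downloads it performs, and run it only when the hash matches the copy that was reviewed. The local file name and the pinned-hash placeholder are assumptions; the URL is the one given above.

```powershell
# Added example: download, inspect, then run, instead of `iwr ... | iex`.
$Url            = 'https://git.io/Jc5YN'                          # URL from the install step
$Installer      = Join-Path $env:TEMP 'cimitra_ad_install.ps1'    # hypothetical file name
$ExpectedSha256 = '<SHA256-OF-THE-COPY-YOU-REVIEWED>'             # placeholder, set after review

# Save the script to disk so the exact bytes that run can be inspected first.
Invoke-WebRequest -Uri $Url -OutFile $Installer -UseBasicParsing

# Record what was actually downloaded.
$hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
Write-Host "Downloaded $Installer (SHA256 $hash)"

# List every further download or dynamic execution inside the installer,
# so the review also covers anything it fetches in a second stage.
$pattern = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Invoke-Expression|\biex\b|' +
           'Start-BitsTransfer|DownloadString|DownloadFile'
Select-String -Path $Installer -Pattern $pattern |
    Format-Table LineNumber, Line -AutoSize -Wrap

# Refuse to run unless the hash matches the copy that was reviewed.
if ($hash -ne $ExpectedSha256) {
    throw "Hash mismatch: review $Installer, then pin its hash in `$ExpectedSha256."
}
& $Installer
```

The first run stops at the hash check by design; after reading the file, paste the printed hash into $ExpectedSha256 and run again.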
[SCRIPT PURPOSE]
This script allows for dozens of modifications you can make to Active Directory and Exchange User accounts. For example, you can create a user in Active Directory or Exchange, and set several of their attributes at the time of the user creation event.
Or you can modify only one or some attributes of an existing Active Directory or Exchange User account.
Here is how you could create a user in Active Directory, and add several attributes to that user.
.\cimitra_active_directory_and_exchange.ps1 -AddToActiveDirectory -FirstName "Bob" -LastName "Jones" -ContextIn "OU=ADMINISTRATION,OU=DEMOUSERS,DC=cimitrademo,DC=com" -SamAccountName "bjones" -Title "Controller" -DefaultPassword "abc_4242" -ManagerFirstName "Steve" -ManagerLastName "McQueen" -ManagerContext "OU=ADMINISTRATION,OU=DEMOUSERS,DC=cimitrademo,DC=com" -Description "Accounting Department Employee" -OfficePhone "801-111-2222" -MobilePhone "801-333-3333" -ExpirationDate "02/20/2035"
Tested and developed on Windows 2016 and Windows 2019 Server. Initially released on April 28th, 2021.
Here are the actions you can take with this script.
- Add User to Active Directory
- Add User to Exchange
- Rename Active Directory User's SamAccountName
- Change Exchange User's First Name
- Change Exchange User's Last Name
- Change Active Directory User's First Name
- Change Active Directory User's Last Name
- Modify Active Directory User's Mobile Phone Number
- Modify Active Directory User's Office Phone Number
- Modify Active Directory User's Title
- Modify Active Directory User's Description
- Modify Active Directory User's Manager
- Modify Active Directory User's Department
- Add an Active Directory User to an Active Directory Group by the Group GUID
- Add an expiration date to an Active Directory User account
- Remove the expiration date from an Active Directory User account
- Enable an Active Directory User account
- Disable an Active Directory User account
- Unlock an Active Directory User account
- Determine which Active Directory User accounts are in a locked state
- Change the Password on an Active Directory User account
- Check the Password change date on an Active Directory User account
- Get account access info on an Active Directory User account
- Get a report of several attributes on an Active Directory User account
- Find all information about an Active Directory Group
- List all users in an Active Directory tree
- List all Users in a certain context in an Active Directory tree
- List all Disabled Users in an Active Directory tree
- List all Disabled Users in an Active Directory tree context
- List all Expired Users in an Active Directory tree
- List all Expired Users in an Active Directory tree context
- List all Users in an Active Directory tree who have not logged in
- List all Users in an Active Directory tree context who have not logged in
- List all Users in an Active Directory tree who are locked out
- Remove an Active Directory User from an Active Directory Group by Group GUID
- Remove an Active Directory User from a comma-separated list of Active Directory Groups by Group GUID
- Add an Active Directory User to a comma-separated list of Active Directory Groups by Group GUID
- Remove an Active Directory user
- Search for a user object, choosing attributes of the user, for example, their phone number with the full phone number specified: 801-555-1212
- Wildcard Search for a user object, choosing partial attributes of the user, for example, search for their phone number with: 801-555
ADDITIONAL FUNCTIONALITY
[USER SEARCH]
When you specify a user by their First and Last name, but don't specify the user's context, this script will search for users with the First and Last names specified. If only one user is found with that First and Last name, then that user is modified.
If there are two users with the same First and Last name, then the script will list both users and will not proceed.
[DEFAULT CONTEXT]
The "Default Context" can be specified in a configuration file called "settings.cfg". The Default Context setting in the settings.cfg file looks like this:
AD_USER_CONTEXT=OU=DEMOUSERS,OU=DEMO,DC=cimitrademo,DC=com
[EXCLUDE GROUP]
Users defined in a group designated as the "Exclude Group" cannot be modified by this script. The "Exclude Group" can be specified in a configuration file called "settings.cfg". The Exclude Group setting in the settings.cfg file looks like this:
AD_EXCLUDE_GROUP=35eddbe6-234f-4f94-af4c-efb0198e4247
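A check for the Exclude Group setting, as an added example that is not part of the Cimitra script: it reads AD_EXCLUDE_GROUP from settings.cfg, resolves the GUID to a group, and reports privileged users the Exclude Group does not cover. The settings.cfg location, the treatment of `#` lines as comments, and the choice of Domain Admins as the comparison group are assumptions; the ActiveDirectory module is required.

```powershell
# Added example: verify that the Exclude Group in settings.cfg covers privileged accounts.
Import-Module ActiveDirectory

$SettingsFile    = 'C:\cimitra\scripts\ad\settings.cfg'   # assumed location
$PrivilegedGroup = 'Domain Admins'                        # assumed comparison group

# Parse KEY=VALUE lines. Split on the first '=' only, because values such as
# AD_USER_CONTEXT=OU=DEMOUSERS,... contain '=' themselves.
$settings = @{}
foreach ($line in Get-Content -Path $SettingsFile) {
    $line = $line.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }   # blank or (assumed) comment
    $key, $value = $line -split '=', 2
    if ($null -ne $value) { $settings[$key.Trim()] = $value.Trim() }
}

# The setting must be present and must be a well-formed GUID.
$guid = [guid]::Empty
if (-not [guid]::TryParse($settings['AD_EXCLUDE_GROUP'], [ref]$guid)) {
    throw "AD_EXCLUDE_GROUP is missing or not a GUID in $SettingsFile"
}

# Resolve the GUID; this fails if no group has that objectGUID.
$excludeGroup = Get-ADGroup -Identity $guid.ToString() -ErrorAction Stop
$excluded = @(Get-ADGroupMember -Identity $excludeGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' })
Write-Host "Exclude Group: $($excludeGroup.DistinguishedName) ($($excluded.Count) users)"

# Report privileged users that are not members of the Exclude Group.
$excludedDns = @($excluded | ForEach-Object { $_.DistinguishedName })
Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.DistinguishedName -notin $excludedDns } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

An empty table means every user in the comparison group is also in the Exclude Group.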
DEPENDENCIES
The cimitra_active_directory_and_exchange.ps1 script has a dependency upon two other scripts:
- config_reader.ps1
- SearchForUser.ps1
These scripts should be located in the same directory as the cimitra_ad_exchange.ps1 script.
EXCHANGE ACCOUNT CREATION AND CHANGES
To create an Exchange session, this script requires several inputs, for example an encrypted password file and the Exchange domain URI. Here are examples of the switches required to create a user in Exchange:
.\cimitra_active_directory_and_exchange.ps1 -AddToExchange -ExchangeSecurePasswordFileIn "C:\Cimitra\Scripts\CimAgentPwd.txt" -ExchangeConnectionURIIn "http://ACME-EXCH16.acme.internal/PowerShell/" -ExchangeDomainNameIn "acme.biz" -CimitraAgentLogonAccountIn "CimitraAgent@acme.biz" -FirstName "John" -LastName "Doe" -ContextIn "OU=ADMINISTRATION,OU=DEMOUSERS,DC=cimitrademo,DC=com"
In order to encrypt the password file needed for the -ExchangeSecurePasswordFileIn switch, see this article by Adam Bertram: https://4sysops.com/archives/encrypt-a-password-with-powershell/
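Creating and protecting the password file, as an added example that is not taken from the Cimitra script or the linked article. It assumes the script loads the file with ConvertTo-SecureString in the default DPAPI format; the path and account name are the ones from the command above.

```powershell
# Added example: create the file passed to -ExchangeSecurePasswordFileIn.
# Assumption: the script reads it with ConvertTo-SecureString (no -Key), i.e. DPAPI format.
# Run this in a session logged on as the account that will run the script, on the same
# server: DPAPI-protected text can only be decrypted by that user on that machine.
$PasswordFile = 'C:\Cimitra\Scripts\CimAgentPwd.txt'    # path from the example above
$Account      = 'CimitraAgent@acme.biz'                 # account from the example above

# Prompt without echo, so the plaintext never lands in history or on a command line.
Read-Host -Prompt "Password for $Account" -AsSecureString |
    ConvertFrom-SecureString |
    Set-Content -Path $PasswordFile -Encoding ASCII

# Drop inherited permissions; leave access to the current user and SYSTEM only.
$me = "$env:USERDOMAIN\$env:USERNAME"
icacls $PasswordFile /inheritance:r /grant:r "${me}:(R,W)" 'SYSTEM:(F)' | Out-Null

# Round-trip check: the file must decrypt in this user context.
$secure = Get-Content -Path $PasswordFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential ($Account, $secure)
Write-Host "Password file decrypts for $($cred.UserName) (length $($secure.Length))"

# Show the resulting ACL for review.
icacls $PasswordFile
```

If the round-trip check fails when run under the agent's account, the file was created by a different user or on a different machine and has to be regenerated.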
The ExchangePowerShell module from Microsoft must be installed in order to add and change Exchange User accounts.