Powershell set-aduser isn't updating AD?

4
votes

I'm using Powershell to play around with Active Directory and, though I can get stuff out, I'm having troubles making changes.

I don't think it's a permissions problem since I'm not actually seeing an error with the test entry that was set up for me, something I do see if I try to change a different entry.

I'm using psexec (since runas has no command-line password parameter) to run Powershell as a different domain user, since my own account doesn't have rights to change AD. Executing whoami within Powershell confirms I'm running as the correct user.

What I'm doing basically boils down to:

PS C:\Temp> get-aduser -identity Xyzzy.Test -properties surname
    DistinguishedName : CN=Xyzzy Test,OU=Users,DC=company,DC=com
    Enabled           : True
    GivenName         : Xyzzy
    Name              : Xyzzy Test
    ObjectClass       : user
    ObjectGUID        : b1d2a3ff-3ee4-56b7-bc89-12ad345678a9
    SamAccountName    : Xyzzy.Test
    SID               : S-1-5-21-9999999999-888888888-77777777-66666
    Surname           : Test
    UserPrincipalName : [email protected]

PS C:\Temp> set-aduser -identity Xyzzy.Test -surname "xyzzy"

Then, when I again run the same get-aduser, I find the surname hasn't changed at all.

It seems to be failing silently since there is no error produced by the set-aduser.

What could cause this to not work yet not report an error?

1
powershellactive-directory
Maybe try: get-aduser -identity Xyzzy.Test | set-aduser -surname "xyzzy" - Martin Brandl
Could not reproduce it as it working fine in my system, does it make any change if you pipeline the Set-Aduser? like Get-ADUser Xyzzy.Test | Set-ADUser -Surname "xyzzy" - Avshalom
you dont need psexec, you can do something like $cred=get-credential; Start-Process powershell.exe -Credential $cred -ArgumentList "-file c:\temp\script.ps1" - Loïc MICHEL
Do you get any extra information if you use the -verbose parameter? - Arcass
maybe try force casting as a string -surname [string]"xyzzy" - ATek

1 Answers

4
votes

This might not be the cause of your specific issue, but it has been an issue for me in the past so it may help someone else at least.

The AD cmdlets automatically determine which domain controller to use. They don't necessarily use the same DC from one command to another. That means you might update a DC, then make a query that hits another DC which hasn't yet had the changes replicated to it.

For this reason I suggest that when working on an operation you want to be somewhat atomic, typically all of the interaction you'll do with AD in a single function or script, you make sure to explicitly use the same DC.

The way to do this is with the -Server parameter.

Since it's annoying to keep specifying -Server on every call, you can use $PSDefaultParameterValues for this purpose.

$PSDefaultParameterValues = @{
    "*-AD*:Server" = "MyDC"
}

Possibly even better, find a DC at runtime:

$PSDefaultParameterValues = @{
    "*-AD*:Server" = Get-ADDomainController -Writable -Discover -Service ADWS -ForceDiscover | Select-Object -ExpandProperty Name
}

Don't use a script block (like I had before my edit) because it will re-run that block on every call, which will give you a different DC every time (just what you're trying to avoid).