Does anyone know of a way to query this UNIX attribute msSFU30MaxUidNumber in Active Directory with Powershell? I'm working on a script that will assign Unix attribute to users as needed. I also have the Quest AD Powershell module available.
3 Answers
I borrowed this to set UNIX attributes (NISdomain, GID, loginshell, UIDnumber, UID) http://danieltromp.com/2014/06/09/powershell-ad-enable-unix-attributes/.
I updated it so it also updates the stored msSFU30MaxUidNumber. All scripts I've seen forget this. Prevents issues with duplicate UIDnumbers if you use ADUC to set UNIX attributes in the future (or even if you run the script again against another OU):
Remove-Variable -Name * -Force -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
$NIS = Get-ADObject "CN=DOMAIN,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=Domain,DC=com" -Properties:* #Get NIS server information
$maxUid = $NIS.msSFU30MaxUidNumber #Get the last used User ID
$usuarios = Get-ADUser -Filter * -SearchBase "OU=NAME,OU=NAME,OU=NAME,DC=Domain,DC=com" -Properties:* #Get all users
foreach($usr in $usuarios)
{
if ($usr.mssfu30nisdomain -eq $null){
Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{mssfu30nisdomain="Domain"} #Enable NIS
Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{gidnumber="10005"} #Set Group ID
Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{loginShell="/bin/bash"} #Set Login Shell
$maxUid++ #Raise the User ID number
Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{uidnumber=$maxUid} #Set User ID number
Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{uid=$usr.SamAccountName} #Set UID
Write-Host -Backgroundcolor Green -Foregroundcolor Black $usr.SamAccountName changed #Write Changed Username to console
}
else{Write-Host -Backgroundcolor Yellow -Foregroundcolor Black $usr.SamAccountName unchanged} #Write Unchanged Username to console with a yellow background
}
$NIS | Set-ADObject -Replace @{msSFU30MaxUidNumber = $maxuid++}
$NIS | Set-ADObject -Replace @{msSFU30MaxUidNumber = $maxuid++}
It seems that you can find the highest value assigned so far stored in msSFU30MaxUidNumber
attribute on cn=yourYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr
.
Here is a script given as is : I'am not able to test it in my configuration now, I just write a short translation to powershell from the VBscript found in a Microsoft Consulting France document(page 17).
# Get the Yellow page domain and his attribute msSFU30MaxUidNumber
# dom.fr (dc=dom,dc=fr)is my domain
# myYPDomain is the name of my yellow Page domain
$ypDomain = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://societe.fr:389/cn=myYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr","[email protected]","admin")
#$msSFU30MaxUidNumber = $ypDomain.Properties["msSFU30MaxUidNumber"]
$msSFU30MaxUidNumber = $ypDomain.msSFU30MaxUidNumber
# Find a given user
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://societe.fr:389/dc=dom,dc=fr","[email protected]","admin")
$dsLookFor = new-object System.DirectoryServices.DirectorySearcher($dn)
$dsLookFor.Filter = "(&(samAccountName=user1)(objectCategory=user))";
$dsLookFor.SearchScope = "subtree";
$n = $dsLookFor.PropertiesToLoad.Add("cn");
$n = $dsLookFor.PropertiesToLoad.Add("distinguishedName");
$Usr = $dsLookFor.findOne()
# Assign new value
$Usr.msSFU30MaxUidNumber = $msSFU30MaxUidNumber + 1
$Usr.SetInfo()
# Save the new Value
$ypDomain.msSFU30MaxUidNumber = $msSFU30MaxUidNumber + 1
$ypDomain.SetInfo()
Since you have the Quest AD cmdlets available, here's something quick based on JPBlanc's answer. It assumes that you are running your script with an account that already has privileges on the relevant AD attributes:
# The -IncludedProperties parameter is needed because msSFU30MaxUidNumber is not part of Get-QADObject's default attribute set
$ypDomain = Get-QADObject -Identity "cn=myYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr" -IncludedProperties msSFU30MaxUidNumber
$maxUidNumber = $ypDomain.msSFU30MaxUidNumber
$newMaxUidNumber = $maxUidNumber + 1
# Sets the msSFU30UidNumber attribute for User1
Get-QADUser -samAccountName User1 | Set-QADUser -objectAttributes @{msSFU30UidNumber = $newMaxUidNumber}
# Increments the msSFU30MaxUidNumber for the YP domain.
$ypDomain | Set-QADObject -objectAttributes @{msSFU30MaxUidNumber = $newMaxUidNumber}