Standard

Posted by

Posted on

March 26, 2013

Posted under

ActiveRoles

Comments

Leave a comment

How to Change the Attributes Get-QADUser Returns

Get-QADUser | where {$_.edsaAccountIsDisabled -eq $false} will usually result in disappointment. Why? edsaAccountIsDisabled is a calculated ActiveRoles Server attribute derived from userAccountControl and is not part of the default return set, along with most of the other AD and ARS attributes.

FatBeard wrote a great explanation of this a few years ago in his article, “Where’s my attribute?” He then shows you how to add a single attribute to the default return set. FatBeard’s blog is full of all sorts of PowerShell goodness; unfortunately, he’s not updated it in quite awhile. Go there and tell him to write more posts 🙂

If you want to add more than one attribute, here’s how:


# please note that employeeNumber and homeMDB
# might not be present in your environment.
# edsaAccountIsDisabled is ARS-only.

$attributes = Get-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject
$attributes += @("edsaAccountIsDisabled","employeeNumber","homeMDB","homeDirectory","homeDrive","msRTCSIP-PrimaryUserAddress")
Set-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject $attributes

As FatBeard mentions, this change will only be in effect for the rest of your current session, and if this is an attribute set you want to usually have around, you need to add those limes to your PowerShell profile, after Get-PSSnapIn quest.activeroles.admanagement.

So why not add a whole ton of attributes to the default return set, just so they’re handy? Each attribute you want to pull increases the amount of time it takes AD or ARS to return your results and increases the size of the result set.

Another caveat: once you change the default return set within a session, you cannot go back to the original default return set without opening up a new PowerShell session – unless you saved the “default” default return set before changing it.

Idea: have several return sets available in your profile, oriented around various tasks. For mail, pull more of the Exchange attributes, both msExch-* and edsva-MsExch*. For Lync, the msrtcsip-* attributes. For tracking down a Deprovision/Undeprovision issue, the edsvadepro* and edsvaundepro* sets.

Because I don’t like having to restart PowerGUI in the middle of things, here are the Set-QADPSSnapInSettings related lines from my PowerShell profile:


# Making sure the PSSnapIn for QADMS is loaded

if ( (Get-PSSnapin -Name quest.activeroles.admanagement -ErrorAction SilentlyContinue) -eq $null )
{
    Add-PsSnapin quest.activeroles.admanagement
}

# Connect to ARS; if connecting to native AD domain,
# Connect-QADService -Service my.domain.com

Connect-QADService -Proxy

$defaultQADuserattributes = Get-QADPSSnapInSettings -DefaultOutputPropertiesForUserObject

#Extra attributes I ALWAYS want to load -
#please note that employeeNumber and homeMDB
# might not be present in your environment.
# edsaAccountIsDisabled is ARS-only.
$defaultQADuserattributes += @("edsaAccountIsDisabled","employeeNumber","homeMDB","homeDirectory","homeDrive")
Set-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject $defaultQADuserattributes

# edsva = ARS-only
function Use-QADExchangeUserAttributes {
$attributes = Get-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject
$attributes += @("edsva-msexch-mailboxtypedescription","edsva-msexch-mailboxtypedescription","edsva-msexch-protocolsettings-activesync-enable")
Set-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject $attributes
}

function Use-QADLyncUserAttributes {
$attributes = Get-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject
$attributes += @("msrtcsip-line","msrtcsip-internetaccessenabled","msrtcsip-federationenabled","msRTCSIP-UserPolicy")
Set-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject $attributes
}

# ARS-only
function Use-QADDeprovisionUserAttributes {
$attributes = Get-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject
$attributes += @("edsvaDeprovisionCommands","edsvaDeprovisionDeletionDate","edsvaDeprovisionReportXML","edsvaDeprovisionStatus","edsvaUnDeprovisionCommand","edsvaUnDeprovisionReportXML","edsvaUnDeprovisionStatus")
Set-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject $attributes
}

function Use-QADDefaultUserAttributes {
Set-QADPSSnapInSettings -DefaultOutputPropertiesForUserObject $defaultQADuserattributes
}

Note that if I do Use-QADExchangeUserAttributes and then Use-QADLyncUserAttributes without a Use-QADDefaultUserAttributes in between, I’ll get both extra sets of attributes added to the return set.

Have a nice attribute set you’d like to share? Done something clever for working with groups? Post it, or a link to your blog, in the comments!

Advertisement

Write your own memo:

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.