PowerShell Scripting and Disasters!

Active Directory | November 13, 2014 | 3 min read

So I was at a conference recently in Arizona, and an attendee told me that they used PowerShell to update the email address for 100 existing Active Directory users. This is quite simple using PowerShell, according to the attendee. After looking this up, I think I could even do this using PowerShell, so it must be easy. However, in this situation, there is one potentially very serious problem. What is that problem? What if the email addresses are input incorrectly?

Well, in the case of this attendee, all emails were wrong. The phone started to ring and all 100 users had no email. This was only the tip of the iceberg! The PowerShell script queried certain users, which were nearly impossible to find in Active Directory! The PowerShell script did not do any reporting or tracking of which emails were changed. So, the manual labor to find all 100 users took over 8 hours.

I bring this example to you not as a warning not to use PowerShell. I think PowerShell can be a very useful tool for tasks that are performed regularly, not as a one-time event. So, if I don’t recommend PowerShell, what do I recommend?

Well, over the past years I have heard, from only a rare few, how awesome PowerShell from Microsoft is. I am paraphrasing, but something like “this technology allows any admin to automate nearly any task related to Active Directory”.

In theory, I can see the point. PowerShell is very powerful and can be scripted to do nearly anything that the GUI can do. In some cases it is able to do more than the GUI. However, based on my real-world example above, maybe, just maybe, PowerShell has a specific use and is not the solve-all that it is made out to be?
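
The script in the story above kept no record of what it changed. As an added illustration (not the attendee's script and not code from this post), here is one way a bulk mail update can check its input, support a dry run, and log the old and new value for every user. The function name, CSV columns and file paths are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumed input CSV (constructed sample):
#   SamAccountName,NewMail
#   jdoe,jdoe@example.com
#   asmith,asmith@example.com
function Update-UserMail {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$LogPath
    )
    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        # One log record per input row, kept whether or not the change succeeds.
        $entry = [pscustomobject]@{
            Timestamp         = (Get-Date).ToString('o')
            SamAccountName    = $row.SamAccountName
            DistinguishedName = $null
            OldMail           = $null
            NewMail           = $row.NewMail
            Status            = 'Pending'
        }
        try {
            # Reject malformed addresses before touching AD (syntax check only).
            $null = New-Object System.Net.Mail.MailAddress -ArgumentList $row.NewMail
            $user = Get-ADUser -Identity $row.SamAccountName -Properties mail -ErrorAction Stop
            $entry.DistinguishedName = $user.DistinguishedName
            $entry.OldMail = $user.mail   # previous value, needed for any rollback
            if ($user.mail -eq $row.NewMail) {
                $entry.Status = 'Unchanged'
            } elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set mail to $($row.NewMail)")) {
                Set-ADUser -Identity $user -EmailAddress $row.NewMail -ErrorAction Stop
                $entry.Status = 'Changed'
            } else {
                $entry.Status = 'Skipped'   # -WhatIf or a declined -Confirm
            }
        } catch {
            $entry.Status = "Failed: $($_.Exception.Message)"
        }
        $entry
    }
    # -WhatIf:$false so the report is still written during a dry run.
    $results | Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
    $results
}

# Dry run first, review the log, then repeat without -WhatIf (paths are hypothetical).
Update-UserMail -CsvPath .\mail-changes.csv -LogPath .\mail-changes-log.csv -WhatIf
```

The syntax check cannot catch an address that is well formed but wrong, which is why the dry-run log is reviewed before the real run. The OldMail column in the log is what makes it possible to find and restore the affected users afterwards.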


Solving Problems Using the Correct Tool

I suggest you get a tool that meets the needs of how you administer Active Directory. I think my example above poses two different “needs”. One need is a tool that can do bulk modification of users. I think that this should include new users and existing users. For changes to existing users you need a tool that can allow you to multi-select users and then be able to modify nearly any of the user properties in bulk. Ideally a tool like ADManager Plus provides this form of bulk user, group, and computer creation and modification as a basic task.

Second, based on the fact that most administrators don’t have time to regression test scripts or other “manual” ways of modifying Active Directory, there really needs to be some way of monitoring what changes in Active Directory. A tool like ADAudit Plus can do this simply and easily. The reporting that you have in ADAudit Plus out of the box provides reports that can show you “All AD Changes” or “All user modifications” with just a single click.

If you want to go one step further and have the ability to recover with just a few simple clicks from a disaster like this (without having to manually modify the email addresses), you can get RecoveryManager Plus. RecoveryManager Plus tracks all changes to Active Directory objects and gives you the ability to roll back the entire object or even go down to the property level, which in this case would be just the email address.

In The End

As you can see, there are tools that can make your administration, management, and recovery of Active Directory easier and simpler. The attendee downloaded all three tools mentioned here to see how they work in his environment. I suggest you take action before you have a disaster, and have the correct tools in place so you spend a few seconds fixing issues rather than hours.

  1. sherrie haught

    Having issues with Dell Inspiron 3521.
