Active Directory Account Management Using PowerShell
Extending Active Directory Account Management using PowerShell
The Active Directory Account Management component can make use of PowerShell to carry out a task on initial user/group provisioning and on subsequent changes to Users or Groups.
Active Directory Account Management PowerShell Location
By default the service is installed in the following location:
“C:\Program Files (x86)...\ADAM\Provisioning\ActiveDirectory.Provisioning”
After installation, the folders used for running the Group and User PowerShell scripts can be changed by editing the file “ActiveDirectory.Core.config”. You need to alter the following values:
<add key="UserScriptsFolder" value=".\Scripts\Users" />
equates to
C:\Program Files (x86)...\ADAM\Provisioning\ActiveDirectory.Provisioning\Scripts\Users
and
<add key="GroupScriptsFolder" value=".\Scripts\Groups" />
equates to
C:\Program Files (x86)...\ADAM\Provisioning\ActiveDirectory.Provisioning\Scripts\Groups
Any PowerShell scripts (*.ps1) inside the target folder(s) will be executed in ASCII order when a user is modified (this is the content of the file “00 Read Me.txt” installed into each folder).
Running scripts in a specified order
When a changed user is processed, any PowerShell scripts (*.ps1) located in the folder specified by UserScriptsFolder are run in ASCII order (note that ASCII order is case-sensitive, so names starting with an upper-case letter sort before those starting with a lower-case letter). You can run additional scripts by referencing them from within a script. A minimal script, Example PowerShell Script 1, is included below.
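The following is an added example (not a script shipped with the product) of one user script that runs further scripts from a sub-folder of its own in an explicit, ASCII-sorted order. The sub-folder name “Extra” is an assumption; keeping the chained scripts outside UserScriptsFolder stops the host from also running them on its own. It assumes PowerShell 3.0 or later for $PSScriptRoot.

```powershell
# Added example, not part of the ADAM installation: chain further scripts
# from a sub-folder called "Extra" (assumed name) in byte-wise ASCII order.
param([string]$User)

$ErrorActionPreference = 'Stop'
$extraFolder = Join-Path $PSScriptRoot 'Extra'

# Sort-Object uses culture-aware ordering; an ordinal sort reproduces the
# ASCII order the host itself applies to UserScriptsFolder.
$names = @(Get-ChildItem -Path $extraFolder -Filter '*.ps1' -File |
           Select-Object -ExpandProperty Name)
[Array]::Sort($names, [StringComparer]::Ordinal)

foreach ($name in $names) {
    $path = Join-Path $extraFolder $name
    Write-Output "Running $name for user $User"
    try {
        # Call operator with a named parameter: the account name is passed as
        # an argument and never spliced into a command string, so an attribute
        # value containing quotes or semicolons cannot change what is executed.
        & $path -User $User
    }
    catch {
        # One failing script must not stop the rest of the chain; the warning
        # still reaches the system event log with the rest of the output.
        Write-Warning "Script $name failed for ${User}: $($_.Exception.Message)"
    }
}
```

Because $ErrorActionPreference is set to Stop in the calling scope, errors raised inside a chained script become terminating and are caught by the try/catch above rather than silently continuing.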
Working with User Specific Scripts.
Example PowerShell Script 1.
```powershell
# Declare parameter(s)
param([string]$User)

Write-Output "PowerShell Script #1 for User $($User)"

# List every environment variable the host has set for this change
$vars = Get-ChildItem env:ADAM-*
foreach ($var in $vars) {
    Write-Output "    $($var.Name) = $($var.Value)"
}
```
Using Active Directory Account Management variables within your scripts.
As in any PowerShell script, you can use ordinary variables in the normal way. In addition, the ADAM variables listed below are available to your scripts; Example PowerShell Script 1 shows how to read them.
The $User parameter for the script is set to the user’s sAMAccountName. The following environment variables are available for use within each script.
Environment Variable | Meaning |
---|---|
ADAM-action | U = User |
ADAM-change | A = Add, U = Update, D = Delete |
ADAM-homeDrive | Letter for user’s Home Drive |
ADAM-homeDirectory | Path of user’s Home Drive |
ADAM-profilePath | Path of user’s Profile |
ADAM-userPrincipalName | User’s UPN |
ADAM-* | Each mapped attribute (set in SIMS ID) is prefixed with ADAM- so that they are available to any scripts |
Example output from Example PowerShell Script 1, as logged in the system event log:
```text
PowerShell Script #1 for User Snt.Demo
    ADAM-employeeNumber = 21452
    ADAM-employeeType = Staff
    ADAM-userPrincipalName = Snt.Demo@adp-mike.sch.uk
    ADAM-Sn = Demo
    ADAM-company = ADAM [Mike]
    ADAM-profilePath = \\Server2\Folder2\Staff\%UserName%
    ADAM-action = A
    ADAM-GivenName = Snt
    ADAM-homeDirectory = \\Server1\Folder1\Staff\%UserName%
    ADAM-department = ADP-MIKE|Staff
    ADAM-displayName = Snt Demo
    ADAM-homeDrive = H
    ADAM-EmployeeID = ADAM-21452
    ADAM-change = U
```
Working with Group-Specific Scripts.
When a changed group is processed, any PowerShell scripts (*.ps1) located in the folder specified by GroupScriptsFolder are run in ASCII order. See Example PowerShell Script 2.
Example PowerShell Script 2.
```powershell
# Declare parameter(s)
param([string]$Group)

Write-Output "PowerShell Script #2 for Group $($Group)"

# List every environment variable the host has set for this change
$vars = Get-ChildItem env:ADAM-*
foreach ($var in $vars) {
    Write-Output "    $($var.Name) = $($var.Value)"
}
```
The $Group parameter for the script is set to the group’s name. The following environment variables are available for use within each script.
Environment Variable | Meaning |
---|---|
ADAM-action | G = Group, GM = Group Membership |
ADAM-change | A = Add, U = Update, D = Delete |
ADAM-company | The site name |
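The following added example (not a script shipped with the product) shows a group script that distinguishes group changes (G) from membership changes (GM) using the variables above, and refuses to act when the provisioning feed touches a group that should never be managed from it. The list of protected groups is an assumption for this example; everything written with Write-Output or Write-Error reaches the system event log as described for user scripts.

```powershell
# Added example, not part of the ADAM installation: handle G and GM actions
# and flag any change that touches a protected built-in group.
param([string]$Group)

# Hyphenated names need braces: ${env:ADAM-action}, not $env:ADAM-action.
$action = ${env:ADAM-action}    # G = group object, GM = group membership
$change = ${env:ADAM-change}    # A / U / D
$site   = ${env:ADAM-company}   # the site name

# Assumption: groups the provisioning feed must never create, update or delete.
$protectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Test-ProtectedGroup([string]$Name) {
    # Group names are not case-sensitive in Active Directory, so compare
    # ordinally but ignoring case.
    foreach ($p in $protectedGroups) {
        if ([string]::Equals($Name, $p, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

if (Test-ProtectedGroup $Group) {
    # Write-Error makes the refusal visible in the event log without
    # performing any further work for this group.
    Write-Error "Provisioning feed attempted action $action / change $change on protected group '$Group' (site $site)"
    return
}

switch ($action) {
    'G'  { Write-Output "Group object '$Group' at site ${site}: change $change" }
    'GM' { Write-Output "Membership of group '$Group' at site ${site}: change $change" }
    default { Write-Warning "Unknown ADAM-action value '$action' for group '$Group'" }
}
```

The script does not itself query Active Directory, so it can be tested by setting the ADAM-action, ADAM-change and ADAM-company variables in a shell and invoking it with -Group before dropping it into GroupScriptsFolder.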