Archive for the ‘Active Directory’ Category

Update AD EmployeeNumber Attribute From CSV File

Wednesday, June 4th, 2014

2014-06-04 Initial Post

The other month I needed to update the EmployeeNumber attribute of all Active Directory user accounts based on a CSV file generated from Oracle HRMS. You may modify this script to update a different attribute, such as EmployeeID.

#Script updated 2014-03-31, created 2014-03-06, by
#PURPOSE: Takes a CSV input file that contains "E-mailAddress,EmployeeNumber" on each line (DO NOT include header in CSV file).
# Searches AD for user account that has the e-mail address as its primary address.
# If found, update that respective AD account with the corresponding EmployeeNumber.
#There is some limited error checking and a status file is generated after script completion.
#I was not able to get the Import-Csv command to work correctly so I used Get-Content to grab data from the input file.
#Tested against Windows Server 2008 R2 SP1 AD.
Import-Module ActiveDirectory #Required on PowerShell 2.0 (Server 2008 R2), which does not auto-load modules.
$strFilePathInput = "X:\TempPowerShell\setAD-EmployeeNumberINPUT.csv"
$strFilePathOutput = "X:\TempPowerShell\setAD-EmployeeNumberOUTPUT.csv"
Get-Content $strFilePathInput | ForEach-Object {
    $strUserInfoLineFromFile = $_
    $strUserEmailAddress = $strUserInfoLineFromFile.Split(",")[0]
    $strUserEmployeeNumber = $strUserInfoLineFromFile.Split(",")[1]
    #The mail attribute is the primary/reply e-mail address.
    If($objADuser = Get-ADUser -Filter {mail -eq $strUserEmailAddress}) {
        Set-ADUser $objADuser -EmployeeNumber $strUserEmployeeNumber
        If($?) { #If True, the previous command (set EmployeeNumber) was successful. Invalid e-mail address or insufficient AD permissions will make this False.
            "OK - Updated," + $strUserInfoLineFromFile | Out-File -Append $strFilePathOutput
        } Else {
            "ERROR - Could not update," + $strUserInfoLineFromFile | Out-File -Append $strFilePathOutput
        }
    } Else {
        "E-mail address has no primary match," + $strUserInfoLineFromFile | Out-File -Append $strFilePathOutput
    }
}
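As an added example (not the post's script), the same job written as a function that uses Import-Csv with an explicit -Header (the file carries no header row), refuses to write when one e-mail address matches more than one account (the mail attribute is not enforced unique in AD, and Set-ADUser against an array of accounts fails), records each failure through try/catch rather than $?, and supports -WhatIf for a dry run. It assumes the ActiveDirectory module and an input file in the post's "E-mailAddress,EmployeeNumber" format; the paths in the usage line are placeholders.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# and a headerless "E-mailAddress,EmployeeNumber" CSV as described in the post.
Import-Module ActiveDirectory

function Update-ADEmployeeNumberFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $InputPath,
        [Parameter(Mandatory)] [string] $OutputPath
    )
    # -Header supplies the column names because the CSV has no header row.
    $rows = Import-Csv -Path $InputPath -Header 'Mail', 'EmployeeNumber'
    foreach ($row in $rows) {
        $mail  = "$($row.Mail)".Trim()
        $empNo = "$($row.EmployeeNumber)".Trim()
        if (-not $mail -or -not $empNo) {
            "SKIPPED - Blank field,$mail,$empNo" | Out-File -Append $OutputPath
            continue
        }
        # mail is not guaranteed unique, so collect every match and act only on exactly one.
        $users = @(Get-ADUser -Filter { mail -eq $mail } -Properties EmployeeNumber)
        if ($users.Count -eq 0) {
            "NO MATCH - E-mail address has no primary match,$mail,$empNo" | Out-File -Append $OutputPath
            continue
        }
        if ($users.Count -gt 1) {
            "AMBIGUOUS - $($users.Count) accounts share this address,$mail,$empNo" | Out-File -Append $OutputPath
            continue
        }
        $user = $users[0]
        if ($user.EmployeeNumber -eq $empNo) {
            "UNCHANGED - Already set,$mail,$empNo" | Out-File -Append $OutputPath
            continue
        }
        # ShouldProcess gives the function -WhatIf/-Confirm for free.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set EmployeeNumber to $empNo")) {
            try {
                # -ErrorAction Stop turns the non-terminating AD error into a catchable exception.
                Set-ADUser -Identity $user -EmployeeNumber $empNo -ErrorAction Stop
                "OK - Updated,$mail,$empNo" | Out-File -Append $OutputPath
            } catch {
                "ERROR - $($_.Exception.Message),$mail,$empNo" | Out-File -Append $OutputPath
            }
        }
    }
}

# Usage (placeholder paths): dry run first with -WhatIf, then rerun without it.
Update-ADEmployeeNumberFromCsv -InputPath 'X:\TempPowerShell\setAD-EmployeeNumberINPUT.csv' `
                               -OutputPath 'X:\TempPowerShell\setAD-EmployeeNumberOUTPUT.csv' -WhatIf
```

The status file gains two outcomes the original does not distinguish: AMBIGUOUS rows, which need a human to decide which account the HR record belongs to, and UNCHANGED rows, which keep repeated runs idempotent and make the log show only real changes.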

Microsoft ADCS – How to Redirect the HTTP URLs for CDP and AIA from old CA to new CA

Friday, March 1st, 2013

2013-03-01 Initial Post

Microsoft's Active Directory Certificate Services (ADCS) is a type of certification authority (CA) (a lot of people misspell that as "certificate" authority). A CA issues certificates in the X.509 format (the standard for digital certificates) for computer security purposes. When an organization sets up its own Certificate Services infrastructure, that essentially becomes its public key infrastructure (PKI). ADCS functions as a CA in a PKI, and the CA together with all its supporting systems is the PKI. You might see all three terms used interchangeably, and many documents just refer to a server running ADCS as "the CA." (more…)

OCS – List All AD Enabled User Accounts That Are Also OCS Enabled

Monday, February 6th, 2012

2012-02-06 Initial Post
Windows Server 2003 SP2
Office Communications Server 2007 (non-R2)

csvde -f getOCSUsersListCSVDE-Output.csv -r "(&(objectCategory=user)(msRTCSIP-UserEnabled=TRUE)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -s dc001 -l "displayName" -j .

See for explanation of userAccountControl and using bitwise filters with LDAP.
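As an added example (not from the post), the csvde filter above expressed as a Get-ADUser -LDAPFilter call, alongside a local function that evaluates the same three conditions so the effect of the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) can be seen without a domain controller. The sample accounts and the $ACCOUNTDISABLE constant are constructed for illustration; the helper generalizes the rule to any userAccountControl bit mask, not only the disabled bit the post's filter uses.

```powershell
# Added example, not the post's own command. The accounts below are constructed
# sample data; the live query at the end is the real equivalent of the csvde line.
$ACCOUNTDISABLE = 0x2   # userAccountControl bit the post's filter excludes (value 2 in the OID clause)

# Same filter as the csvde -r argument: user objects, OCS-enabled, and not disabled.
$LdapFilter = '(&(objectCategory=user)(msRTCSIP-UserEnabled=TRUE)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Test-LdapBitAnd {
    # What "attribute:1.2.840.113556.1.4.803:=Mask" means: true only when every bit in Mask is set.
    param([Parameter(Mandatory)] [int] $Value, [Parameter(Mandatory)] [int] $Mask)
    return (($Value -band $Mask) -eq $Mask)
}

function Test-OcsEnabledActiveUser {
    # Local evaluation of the three clauses in $LdapFilter against one account object.
    # In a live directory objectCategory is a DN that the server resolves; the sample
    # data stores the short form 'user' to keep the check readable.
    param([Parameter(Mandatory)] $Account)
    $isUser     = $Account.objectCategory -eq 'user'
    $ocsEnabled = [bool]$Account.'msRTCSIP-UserEnabled'
    $disabled   = Test-LdapBitAnd -Value $Account.userAccountControl -Mask $ACCOUNTDISABLE
    return ($isUser -and $ocsEnabled -and -not $disabled)   # (!...) negates the disabled clause
}

# Constructed sample accounts (512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD).
$SampleAccounts = @(
    [pscustomobject]@{ displayName = 'Alice Example'; objectCategory = 'user'; 'msRTCSIP-UserEnabled' = $true;  userAccountControl = 512 }
    [pscustomobject]@{ displayName = 'Bob Example';   objectCategory = 'user'; 'msRTCSIP-UserEnabled' = $true;  userAccountControl = 514 }
    [pscustomobject]@{ displayName = 'Carol Example'; objectCategory = 'user'; 'msRTCSIP-UserEnabled' = $false; userAccountControl = 512 }
    [pscustomobject]@{ displayName = 'Dave Example';  objectCategory = 'user'; 'msRTCSIP-UserEnabled' = $true;  userAccountControl = 66048 }
)

# Alice and Dave are listed. Bob (514 has bit 2 set) and Carol (not OCS-enabled) are excluded;
# Dave shows that other UAC bits such as DONT_EXPIRE_PASSWORD do not affect the disabled test.
$SampleAccounts | Where-Object { Test-OcsEnabledActiveUser $_ } | Select-Object displayName

# Live equivalent of the csvde command (needs the ActiveDirectory module and a reachable DC; dc001 is the post's server name):
# Get-ADUser -LDAPFilter $LdapFilter -Server dc001 -Properties displayName |
#     Select-Object displayName | Export-Csv getOCSUsersListCSVDE-Output.csv -NoTypeInformation
```

The same bitwise rule is how a filter excludes any other userAccountControl state: change the mask in the OID clause (or in Test-LdapBitAnd) and the clause tests that bit instead of the disabled bit.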

Active Directory LDAP Authentication and Security

Thursday, February 2nd, 2012

2012-02-02 Updated

2012-01-23 Initial post

One of our application administrators asked me to help him troubleshoot why LDAP user authentication didn't work correctly in his application, Oracle Agile PLM (Product Lifecycle Management) 9.3.1. I decided to look into LDAP authentication a little more and here are some notes I made. I wasn't able to find a nice simple article that answers this question: How is LDAP user authentication handled in AD? (more…)

Configuring Active Directory for LDAPS (LDAP over SSL)

Thursday, September 1st, 2011

2011-10-01 Reformatted for clarity

2009-01-13 Initial post


By default, Kerberos will encrypt the LDAP authentication only, but not the actual LDAP traffic. You can enable LDAPS (LDAP over SSL) to encrypt the entire LDAP session in Windows AD. (more…)