Channel: Quality Center / ALM Practitioners Forum topics

How To: PowerShell/Oracle script to keep users LDAP definition in sync with AD



So, a regular support call we get is that a user’s account is changed in AD (name change, department move, etc.), making their LDAP string change.
I finally reached a point of annoyance and a free morning in alignment, and came up with this.

It reads from the ALM database the active non-system users
Then feeds this list to get-aduser to pull their current LDAP string
Crafts that into a big SQL update, then updates.


It’s not perfect, but it works.

 

In our main environment, with about 3,000 active users, this script takes about 2 minutes to pull then update all users, which is faster than updating 1-2 users within ALM site admin.

 

This script assumes that your site admin db/schema is the default qcsiteadmin_db.

 

No warranty etc, use at your own risk.

 

Hit the kudos button if you can add this to your repertoire ;)

#################################################
# Production ALM LDAP updater v1
# 07/16/2015 -WEH
# LAST EDIT
# 07/17/2015 -WEH changed output of get-aduser to unicode (handles special characters in names)
#
#
# must have AD module from add/remove programs installed to use
#
# execute from powershell as .\sams.ps1 -DBU USER/Password@DATABASE 2>error.log
# execute from cmdline as powershell.exe -file "sams.ps1"
###############################################################


#below line captures the database user and password in 'user/password' format
param([string]$DBU)
#$DBU = '/'

#create the sql file
$File = ".\AUsers.sql"

Add-Content $File "set wrap off`r"
Add-Content $File "set pagesize 0`r"
Add-Content $File "SELECT USER_NAME from QCSITEADMIN_DB.users where US_IS_ACTIVE = 'Y' and US_IS_SYSTEM = 'N' order by USER_NAME asc;`r"
Add-Content $File "quit;`r"

#load the AD extensions for PowerShell
import-module activedirectory
clear

#launch the qry to get all activated, nonsystem accounts from ALM, dump to csv file
#define the user for Oracle

#sqlplus takes the connect string and the @script as two separate arguments
& 'sqlplus.exe' $DBU '@.\ausers.sql' >users.csv
#clean up the first 10 rows in the csv to remove header from sql operation
(gc users.csv | select -Skip 10) | sc users.csv

#create a temp file, add the first row "user" as header for later operation. Then pump users into that file and back. there's probably a quicker/cleaner method... holdover from DOS batch file
Echo "user" > temp.csv
Type users.csv >> temp.csv
Type temp.csv > users.csv
Del temp.csv
#this cmd will read each line in the user column (happens to be the only column at the moment) and return the definitive LDAP and user account name, output to sams.csv
import-csv .\Users.csv |Foreach-Object {Get-ADUser -Identity $_.user -properties whenChanged} | Select distinguishedName, sAMAccountName | Export-CSV .\Sams.csv -encoding "unicode" -NoTypeInformation -force
#following lines will convert sams.csv into the sams.sql file, which is a ready to run sql job for each user found in AD to update them to the current ldap string.
(gc .\sams.csv) | Foreach-Object {$_ -replace '"CN=', "update qcsiteadmin_db.users set US_DOM_AUTH = 'CN="} | sc .\sams.txt
#the 'm","' match below assumes every distinguishedName ends in "m" (for example DC=com)
(gc .\sams.txt) | Foreach-Object {$_ -replace 'm","', "m' where LOWER (user_name) = LOWER ('"} | sc .\sams.sql
(gc .\sams.sql) | Foreach-Object {$_ -replace '"', "');"} | sc .\sams.sql
(gc .\sams.sql | select -Skip 1) | sc .\sams.sql
Add-Content .\sams.sql "`r`nquit;"

#cmd to run the newly created sql file

& 'sqlplus.exe' $DBU '@.\sams.sql'



#cleanup
del .\AUsers.sql
del .\sams.txt
#and we're done
exit
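
The script above builds its UPDATE statements by text replacement on CSV lines, so a distinguishedName containing an apostrophe or an ampersand ends the SQL string early or triggers a SQL*Plus substitution prompt. The following is an added example, not the poster's code: it builds the same statements from objects and escapes the values; the function name, the account-name pattern and the sample rows are assumptions.

```powershell
# Added example, not part of the original script. Table and column names are
# the ones used in the post; the function name and sample rows are constructed.
function ConvertTo-AlmUpdateSql {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    begin {
        # SQL*Plus treats '&' as a substitution-variable prefix unless DEFINE is off.
        'set define off'
    }
    process {
        $dn  = [string]$User.distinguishedName
        $sam = [string]$User.sAMAccountName

        # Assumption: account names are letters, digits, '_', '.' or '-'.
        # Anything else, or a DN with line breaks, is skipped and reported.
        if ([string]::IsNullOrWhiteSpace($dn) -or
            $sam -notmatch '^[\w.\-]+$' -or
            $dn -match '[\r\n\x00]') {
            Write-Warning "Skipping unexpected value for account '$sam'"
            return
        }

        # Double every single quote so the DN stays inside the SQL string literal.
        $dnSql = $dn.Replace("'", "''")
        "update qcsiteadmin_db.users set US_DOM_AUTH = '$dnSql' where LOWER(user_name) = LOWER('$sam');"
    }
    end {
        'quit;'
    }
}

# Constructed sample rows standing in for the Get-ADUser | Select output.
$sample = @(
    [pscustomobject]@{ distinguishedName = "CN=O'Brien\, Pat,OU=R&D,DC=example,DC=com"; sAMAccountName = 'pobrien' }
    [pscustomobject]@{ distinguishedName = 'CN=Lee\, Sam,OU=Staff,DC=example,DC=org';   sAMAccountName = 'slee' }
    [pscustomobject]@{ distinguishedName = 'CN=Bad,DC=example,DC=com';                  sAMAccountName = "x'); --" }
)

# Prints the statements for the first two rows and a warning for the third.
$sample | ConvertTo-AlmUpdateSql
```

Piping `Get-ADUser ... | Select distinguishedName, sAMAccountName` into this function would replace the three `-replace` lines, and it also removes the dependency on every DN ending in "m".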

 

