PowerShell Active Directory Objects Writable Properties
I'm working on a script to synchronize two Active Directory forests (Production and QA, if you don't understand why, it doesn't matter, I need to do it). The problem I've run into is filtering properties to only writable and only those that are normally writable. From the MMC "Active Directory Users and Computers" I can look at the Attribute Editor tab and filter the attributes to "Show only writable attributes". This displays a completely different list than what I get viewing the same object with a PowerShell command.
I don't want to synchronize or attempt to modify attributes like nTSecurityDescriptor, ObjectClass, ObjectGUID, etc. I also don't want to try developing and maintaining a static list for each object class (OU, User, Group).
Is there a better way to retrieve the properties that are writable for a given AD object?
Here is an example of the problem with an OU object:
```
PS E:\Powershell> $ou | Get-Member | Where-Object {$_.Definition.Contains("set;")}


   TypeName: Microsoft.ActiveDirectory.Management.ADOrganizationalUnit

Name                            MemberType Definition
----                            ---------- ----------
City                            Property   System.String City {get;set;}
Country                         Property   System.String Country {get;set;}
Description                     Property   System.String Description {get;set;}
DisplayName                     Property   System.String DisplayName {get;set;}
DistinguishedName               Property   System.String DistinguishedName {get;set;}
l                               Property   System.String l {get;set;}
ManagedBy                       Property   System.String ManagedBy {get;set;}
nTSecurityDescriptor            Property   System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get...
ObjectClass                     Property   System.String ObjectClass {get;set;}
ObjectGUID                      Property   System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral...
ou                              Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection ou {get;set;}
PostalCode                      Property   System.String PostalCode {get;set;}
ProtectedFromAccidentalDeletion Property   System.Boolean ProtectedFromAccidentalDeletion {get;set;}
PSShowComputerName              Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection PSShowCompu...
State                           Property   System.String State {get;set;}
StreetAddress                   Property   System.String StreetAddress {get;set;}
WriteDebugStream                Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection WriteDebugS...
WriteErrorStream                Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection WriteErrorS...
WriteInformationStream          Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection WriteInform...
WriteVerboseStream              Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection WriteVerbos...
WriteWarningStream              Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection WriteWarnin...
```
To answer your first question, your example code, plus @tommymaynard's code essentially will give you a raw list of settable properties.
The "better" way to get the list of settable properties is to refer to the Set-ADUser documentation, which lists everything you can set and more importantly how to set them. Some properties need Hashtables and other parameters (-Add, -Clear, etc.) to set them properly.
Unfortunately, you will end up having 3 different lists for OU, User, and Groups simply because of the fact that they are 3 different object types, and they each have different properties and different cmdlets for setting properties.
If this sounds like a lot of manual work, and lists... yes it is. If the end goal is to synchronize between two domains, use Microsoft's Active Directory Migration Tool. It is designed to synchronize two different domains with one way sync, two way sync, password sync, SID history, etc. Way easier than doing it manually.
Try this...
Do yourself a favor and after you've run the below command once, remove the final Select-Object. After that, remove the Where-Object. Really take some time to understand what's happening here as you back yourself through these commands. You might even start at the beginning too and run just the Get-ADOrganizationalUnit command, then add the Select-Object, then add the ForEach-Object, etc. This should get you what you need.
```
PS> Get-ADOrganizationalUnit -Filter * -Properties * |
        Select-Object -First 1 |
        ForEach-Object {$_.psobject.properties} |
        Where-Object {$_.IsSettable -eq $true} |
        Select-Object -Property Name,IsSettable
```
Note: In my example, I only returned the first Organizational Unit. Keep that in mind if you move this into your own code.
For all that you are after, you'd want to use a different cmdlet with a slight twist on it.
For example:
```
(Get-ADOrganizationalUnit -Filter *)[0] | Get-Member | Where-Object {$_.Definition.Contains("set;")} | Format-Table -AutoSize


   TypeName: Microsoft.ActiveDirectory.Management.ADOrganizationalUnit

Name              MemberType Definition
----              ---------- ----------
City              Property   System.String City {get;set;}
Country           Property   System.String Country {get;set;}
DistinguishedName Property   System.String DistinguishedName {get;set;}
ManagedBy         Property   System.String ManagedBy {get;set;}
ObjectClass       Property   System.String ObjectClass {get;set;}
ObjectGUID        Property   System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] ObjectGUID {get;set;}
PostalCode        Property   System.String PostalCode {get;set;}
State             Property   System.String State {get;set;}
StreetAddress     Property   System.String StreetAddress {get;set;}


((Get-ADOrganizationalUnit -Filter *)[0] | Get-Member | Where-Object {$_.Definition.Contains("set;")}).Count
9


(Get-ADOrganizationalUnit -Filter * -Properties *)[0] | Get-Member | Where-Object {$_.Definition.Contains("set;")} | Format-Table -AutoSize


   TypeName: Microsoft.ActiveDirectory.Management.ADOrganizationalUnit

Name                            MemberType Definition
----                            ---------- ----------
City                            Property   System.String City {get;set;}
Country                         Property   System.String Country {get;set;}
Description                     Property   System.String Description {get;set;}
DisplayName                     Property   System.String DisplayName {get;set;}
DistinguishedName               Property   System.String DistinguishedName {get;set;}
gPLink                          Property   System.String gPLink {get;set;}
isCriticalSystemObject          Property   System.Boolean isCriticalSystemObject {get;set;}
ManagedBy                       Property   System.String ManagedBy {get;set;}
nTSecurityDescriptor            Property   System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get;set;}
ObjectClass                     Property   System.String ObjectClass {get;set;}
ObjectGUID                      Property   System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] ObjectGUID...
ou                              Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection ou {get;set;}
PostalCode                      Property   System.String PostalCode {get;set;}
ProtectedFromAccidentalDeletion Property   System.Boolean ProtectedFromAccidentalDeletion {get;set;}
showInAdvancedViewOnly          Property   System.Boolean showInAdvancedViewOnly {get;set;}
State                           Property   System.String State {get;set;}
StreetAddress                   Property   System.String StreetAddress {get;set;}


((Get-ADOrganizationalUnit -Filter * -Properties *)[0] | Get-Member | Where-Object {$_.Definition.Contains("set;")}).Count
17
```
Playing with the AD: Drive for Fun and Profit
```
Push-Location -Path 'ad:\'
Get-ChildItem
Get-ChildItem -Path (Get-ADOrganizationalUnit -Filter *)[0] -Properties *
```

```
Get-ChildItem -Path (Get-ADOrganizationalUnit -Filter *)[0] -Properties * | Get-Member | Format-Table -AutoSize
(Get-ChildItem -Path (Get-ADOrganizationalUnit -Filter *)[0] -Properties * | Get-Member | Format-Table -AutoSize).Count
62


   TypeName: Microsoft.ActiveDirectory.Management.ADObject

Name                          MemberType            Definition
----                          ----------            ----------
Contains                      Method                bool Contains(string propertyName)
Equals                        Method                bool Equals(System.Object obj)
GetEnumerator                 Method                System.Collections.IDictionaryEnumerator GetEnumerator()
GetHashCode                   Method                int GetHashCode()
GetType                       Method                type GetType()
ToString                      Method                string ToString()
PSChildName                   NoteProperty          System.String PSChildName=CN=SATLDC01
PSDrive                       NoteProperty          Microsoft.ActiveDirectory.Management.Provider.ADDriveInfo PSDrive=AD
PSIsContainer                 NoteProperty          System.Boolean PSIsContainer=True
PSParentPath                  NoteProperty          System.String PSParentPath=Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=Domain Controller...
PSPath                        NoteProperty          System.String PSPath=Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/CN=SATLDC01,OU=Domain Cont...
PSProvider                    NoteProperty          System.Management.Automation.ProviderInfo PSProvider=Microsoft.ActiveDirectory.Management\ActiveDirectory
Item                          ParameterizedProperty Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Item(string propertyName) {get;}
accountExpires                Property              System.Int64 accountExpires {get;set;}
AddedProperties               Property              System.Collections.Generic.ICollection[string] AddedProperties {get;}
badPasswordTime               Property              System.Int64 badPasswordTime {get;set;}
badPwdCount                   Property              System.Int32 badPwdCount {get;set;}
cn                            Property              System.String cn {get;}
codePage                      Property              System.Int32 codePage {get;set;}
countryCode                   Property              System.Int32 countryCode {get;set;}
distinguishedName             Property              System.String distinguishedName {get;set;}
dNSHostName                   Property              System.String dNSHostName {get;set;}
dSCorePropagationData         Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection dSCorePropagationData {get;}
instanceType                  Property              System.Int32 instanceType {get;}
isCriticalSystemObject        Property              System.Boolean isCriticalSystemObject {get;set;}
lastLogoff                    Property              System.Int64 lastLogoff {get;set;}
lastLogon                     Property              System.Int64 lastLogon {get;set;}
lastLogonTimestamp            Property              System.Int64 lastLogonTimestamp {get;set;}
localPolicyFlags              Property              System.Int32 localPolicyFlags {get;set;}
logonCount                    Property              System.Int32 logonCount {get;set;}
memberOf                      Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection memberOf {get;}
ModifiedProperties            Property              System.Collections.Generic.ICollection[string] ModifiedProperties {get;}
msDFSR-ComputerReferenceBL    Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msDFSR-ComputerReferenceBL {get;}
msDS-SupportedEncryptionTypes Property              System.Int32 msDS-SupportedEncryptionTypes {get;set;}
name                          Property              System.String name {get;}
nTSecurityDescriptor          Property              System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get;set;}
objectCategory                Property              System.String objectCategory {get;}
objectClass                   Property              System.String objectClass {get;set;}
objectGUID                    Property              System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] o...
objectSid                     Property              System.Security.Principal.SecurityIdentifier objectSid {get;}
operatingSystem               Property              System.String operatingSystem {get;set;}
operatingSystemVersion        Property              System.String operatingSystemVersion {get;set;}
primaryGroupID                Property              System.Int32 primaryGroupID {get;set;}
PropertyCount                 Property              int PropertyCount {get;}
PropertyNames                 Property              System.Collections.ICollection PropertyNames {get;}
pwdLastSet                    Property              System.Int64 pwdLastSet {get;set;}
RemovedProperties             Property              System.Collections.Generic.ICollection[string] RemovedProperties {get;}
rIDSetReferences              Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection rIDSetReferences {get;}
sAMAccountName                Property              System.String sAMAccountName {get;set;}
sAMAccountType                Property              System.Int32 sAMAccountType {get;set;}
serverReferenceBL             Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection serverReferenceBL {get;}
servicePrincipalName          Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection servicePrincipalName {get;set;}
userAccountControl            Property              System.Int32 userAccountControl {get;set;}
userCertificate               Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection userCertificate {get;set;}
uSNChanged                    Property              System.Int64 uSNChanged {get;}
uSNCreated                    Property              System.Int64 uSNCreated {get;}
whenChanged                   Property              System.DateTime whenChanged {get;}
whenCreated                   Property              System.DateTime whenCreated {get;}


Get-ChildItem -Path (Get-ADOrganizationalUnit -Filter *)[0] -Properties * | Get-Member | Where {$_.Definition.Contains("set;")} | Format-Table -AutoSize
(Get-ChildItem -Path (Get-ADOrganizationalUnit -Filter *)[0] -Properties * | Get-Member | Where {$_.Definition.Contains("set;")} | Format-Table -AutoSize).Count
30


   TypeName: Microsoft.ActiveDirectory.Management.ADObject

Name                          MemberType Definition
----                          ---------- ----------
accountExpires                Property   System.Int64 accountExpires {get;set;}
badPasswordTime               Property   System.Int64 badPasswordTime {get;set;}
badPwdCount                   Property   System.Int32 badPwdCount {get;set;}
codePage                      Property   System.Int32 codePage {get;set;}
countryCode                   Property   System.Int32 countryCode {get;set;}
distinguishedName             Property   System.String distinguishedName {get;set;}
dNSHostName                   Property   System.String dNSHostName {get;set;}
isCriticalSystemObject        Property   System.Boolean isCriticalSystemObject {get;set;}
lastLogoff                    Property   System.Int64 lastLogoff {get;set;}
lastLogon                     Property   System.Int64 lastLogon {get;set;}
lastLogonTimestamp            Property   System.Int64 lastLogonTimestamp {get;set;}
localPolicyFlags              Property   System.Int32 localPolicyFlags {get;set;}
logonCount                    Property   System.Int32 logonCount {get;set;}
msDS-SupportedEncryptionTypes Property   System.Int32 msDS-SupportedEncryptionTypes {get;set;}
nTSecurityDescriptor          Property   System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get;set;}
objectClass                   Property   System.String objectClass {get;set;}
objectGUID                    Property   System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] objectGUID {...
operatingSystem               Property   System.String operatingSystem {get;set;}
operatingSystemVersion        Property   System.String operatingSystemVersion {get;set;}
primaryGroupID                Property   System.Int32 primaryGroupID {get;set;}
pwdLastSet                    Property   System.Int64 pwdLastSet {get;set;}
sAMAccountName                Property   System.String sAMAccountName {get;set;}
sAMAccountType                Property   System.Int32 sAMAccountType {get;set;}
servicePrincipalName          Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection servicePrincipalName {get;set;}
userAccountControl            Property   System.Int32 userAccountControl {get;set;}
userCertificate               Property   Microsoft.ActiveDirectory.Management.ADPropertyValueCollection userCertificate {get;set;}
```
Comments
- Because our schema has custom attributes and classes, and we need to synchronize OUs, it didn't look like the AD migration tool would work. I agree that this is simply going to be a lot of static management, I'll probably use CSV files to control which attributes get synced for which object type. Thanks.
- Unfortunately this gives me the same list as above, albeit in a different format. It isn't that I can't get the IsSettable properties; there are settable properties that normally wouldn't be seen, like 'nTSecurityDescriptor'. Somehow these properties are filtered out using MMC; I'm guessing there is a flag or something hidden. I'm thinking that I'm simply going to have to do this in a static manner, which I really don't want to do.
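The "flag" the comment above is guessing at is not on the PowerShell wrapper type at all; the directory computes it per caller. The constructed attribute allowedAttributesEffective lists the attributes the current account has write rights on for a given object (allowedAttributes lists everything the object's class may carry), and the schema's systemOnly flag marks attributes the server maintains itself. The function below is added here and is not part of the thread; Get-WritableAttributeReport, its parameter and its output field names are assumed. Run it under the account the synchronization will use, because the effective list differs per caller.

```powershell
# Added example (not from the thread). Puts the AD module's IsSettable view
# side by side with the directory's own answer. Assumes the ActiveDirectory
# module is loaded and $DistinguishedName names an object you can read.
function Get-WritableAttributeReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Constructed attributes are never returned by '*'; they must be named.
    $obj = Get-ADObject -Identity $DistinguishedName `
        -Properties '*', 'allowedAttributes', 'allowedAttributesEffective'

    # The thread's approach: what the PowerShell wrapper type marks settable.
    $psSettable = $obj.psobject.Properties |
        Where-Object { $_.IsSettable } |
        Select-Object -ExpandProperty Name

    $schemaAllowed = @($obj.allowedAttributes)
    $writableByMe  = @($obj.allowedAttributesEffective)

    # Attributes the server maintains itself (objectGUID, uSNChanged, ...);
    # a client modify of these is rejected regardless of ACLs.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $systemOnly = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(systemOnly=TRUE))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName

    # -in / -notin are case-insensitive, which matters here: the module
    # exposes 'ObjectGUID' while the schema calls it 'objectGUID'.
    [pscustomobject]@{
        Object                 = $DistinguishedName
        # The list the MMC-style "writable" filter is about.
        WritableByCaller       = $writableByMe | Sort-Object
        # Settable in PowerShell but not writable for this caller: wrapper
        # aliases (City for l, ProtectedFromAccidentalDeletion), the
        # PS*Stream noise, and rights-gated attributes such as
        # nTSecurityDescriptor.
        SettableButNotWritable = $psSettable |
            Where-Object { $_ -notin $writableByMe } | Sort-Object
        # Writable on paper yet server-maintained: skip these in a sync job.
        WritableButSystemOnly  = $writableByMe |
            Where-Object { $_ -in $systemOnly } | Sort-Object
        # Class attributes this session cannot write; the sync service
        # account may see a different list.
        AllowedButNotWritable  = $schemaAllowed |
            Where-Object { $_ -notin $writableByMe } | Sort-Object
    }
}

# Same starting point as the answers above: the first OU in the domain.
Get-WritableAttributeReport -DistinguishedName (Get-ADOrganizationalUnit -Filter *)[0].DistinguishedName
```

Diffing WritableByCaller against the thread's IsSettable output for each object class gives the per-class exclusion list the question wanted, without maintaining it by hand.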