Reputation: 882756
Powershell set-aduser isn't updating AD?
I'm using Powershell to play around with Active Directory and, though I can get stuff out, I'm having troubles making changes.
I don't think it's a permissions problem since I'm not actually seeing an error with the test entry that was set up for me, something I do see if I try to change a different entry.
I'm using psexec (since runas has no command-line password parameter) to run Powershell as a different domain user, since my own account doesn't have rights to change AD. Executing whoami within Powershell confirms I'm running as the correct user.
What I'm doing basically boils down to:
PS C:\Temp> get-aduser -identity Xyzzy.Test -properties surname
DistinguishedName : CN=Xyzzy Test,OU=Users,DC=company,DC=com
Enabled : True
GivenName : Xyzzy
Name : Xyzzy Test
ObjectClass : user
ObjectGUID : b1d2a3ff-3ee4-56b7-bc89-12ad345678a9
SamAccountName : Xyzzy.Test
SID : S-1-5-21-9999999999-888888888-77777777-66666
Surname : Test
UserPrincipalName : [email protected]
PS C:\Temp> set-aduser -identity Xyzzy.Test -surname "xyzzy"
Then, when I again run the same get-aduser, I find the surname hasn't changed at all.
It seems to be failing silently since there is no error produced by the set-aduser.
What could cause this to not work yet not report an error?
Upvotes: 4
Views: 2664
Answers (1)
Reputation: 47872
This might not be the cause of your specific issue, but it has been an issue for me in the past so it may help someone else at least.
The AD cmdlets automatically determine which domain controller to use. They don't necessarily use the same DC from one command to another. That means you might update a DC, then make a query that hits another DC which hasn't yet had the changes replicated to it.
For this reason I suggest that when working on an operation you want to be somewhat atomic, typically all of the interaction you'll do with AD in a single function or script, you make sure to explicitly use the same DC.
The way to do this is with the -Server parameter.
Since it's annoying to keep specifying -Server on every call, you can use $PSDefaultParameterValues for this purpose.
$PSDefaultParameterValues = @{
"*-AD*:Server" = "MyDC"
}
Possibly even better, find a DC at runtime:
$PSDefaultParameterValues = @{
"*-AD*:Server" = Get-ADDomainController -Writable -Discover -Service ADWS -ForceDiscover | Select-Object -ExpandProperty Name
}
Don't use a script block (like I had before my edit) because it will re-run that block on every call, which will give you a different DC every time (just what you're trying to avoid).
Upvotes: 4
Related Questions
- set-aduser attributes different than AD properties?
- Updating Active Directory via PowerShell
- Set-ADUser does not handle empty or null variables
- Powershell Pipeline Argument not gettings passed to Set-ADUser
- Trying to modify Active Directory with PowerShell
- Why can't I update this attribute using the Set-ADUser PowerShell cmdlet?
- Unable to update AD fields with Set-ADUser
- Get-ADUser returns nothing
- Domain controller not updating Get-ADUser in powershell
- Updating Active Directory user properties in Active Directory using Powershell