I made a script that takes data from an HR database and populates correlating attributes in AD, e.g. department, title, manager, location.
Since people change titles, departments and/or locations on occasion, it is important to keep AD up to date since we have processes that depend on the validity of this information, e.g. location-based dynamic distribution groups. To try and keep the process fast I just run Set-ADUser for each user regardless of whether something changed or not.
I had worried that I would be changing the modified timestamps needlessly since it is faster to just make these changes constantly than it is to verify that no changes would be needed.
To my surprise it seems that AD is doing something like this for me as most of the user modified timestamps are not matching subsequent script execution times. This seems like a positive for me as AD is doing this for me under the hood. FYI, I have 2 DCs that I could be talking to for this and I have checked both times to ensure that I am not just drawing a horrible conclusion.
I cannot find an authoritative source that explains this and I am not sure if this is PowerShell doing the job for me or something Active Directory is doing.
There are two sections of the script that make updates to Active Directory. The first updates their employeeID:

    foreach($currentUser in $idlessUsers){
        Write-Progress @progressParameters -CurrentOperation $currentUser.Name -PercentComplete ($userIndex / $idlessUsers.count * 100)
        $matchuser = $hrUsers | Where-Object{$_.givenname -eq $currentUser.givenname -and $_.surname -eq $currentUser.surname}
        if($matchuser){
            $currentUser | Set-ADUser -EmployeeID $matchuser.employeeid
            Write-Host ("{0} employeeid updated to {1}" -f $currentUser.Name, $matchuser.employeeid) -ForegroundColor Green
        }
        $userIndex++
    }

The second changes more information using splatting:

    foreach($singleADUser in $usersToUpdate){
        Write-Progress @progressParameters -CurrentOperation $singleADUser.Name -PercentComplete ($userIndex / $usersToUpdate.count * 100)
        # Try and find a match in the $hrUsers
        $matchingHRUser = $hrUsers | Where-Object{$_.EmployeeID -eq $singleADUser.EmployeeID}
        if($matchingHRUser){
            # Get the AD object of this users supervisor
            $mathingUserSupervisor = $ADSupervisors | Where-Object{$_.employeeid.trim() -eq $matchingHRUser.supervisorid}
            if(!$mathingUserSupervisor){
                Write-Host ("Could not find supervisor for {0} using supervisor id: {1}" -f $matchingHRUser.name, $matchingHRUser.supervisorid) -ForegroundColor Red
            }
            $parameters = @{
                Replace = @{l=$matchingHRUser.Location}
                Title = $matchingHRUser.title
                Department = $matchingHRUser.Department
                Manager = $mathingUserSupervisor
            }
            $singleADUser | Set-ADUser @parameters
        } else {
            write-host "Cannot find a HR user with ID: '$($singleADUser.EmployeeID)' and Name: $($singleADUser.Name)" -ForegroundColor Red
        }
        $userIndex++
    }

0 Answers
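
One way to make the result independent of what the cmdlet or the directory does with unchanged values, as an added example that is not part of the original post: build the Set-ADUser parameters only from the attributes that actually differ. `Get-UserDelta` and the sample objects are hypothetical, and the sketch assumes the AD users were fetched with the title, department, l and manager properties.

```powershell
# Added example, not from the original post. Get-UserDelta is a hypothetical helper.
function Get-UserDelta {
    param(
        [Parameter(Mandatory)] $ADUser,   # needs title, department, l, Manager (DN)
        [Parameter(Mandatory)] $HRUser,   # needs Title, Department, Location
        $Supervisor                       # supervisor's AD object, or $null if not found
    )
    $map = @{ title = 'Title'; department = 'Department'; l = 'Location' }  # LDAP attribute -> HR column
    $replace = @{}; $clear = @()

    foreach ($attr in $map.Keys) {
        $old = "$($ADUser.$attr)".Trim()
        $new = "$($HRUser.($map[$attr]))".Trim()
        if ($old -ceq $new) { continue }              # unchanged: nothing to write
        # An empty HR value is cleared rather than passed to -Replace.
        if ($new) { $replace[$attr] = $new } else { $clear += $attr }
    }

    $params = @{}
    if ($replace.Count) { $params.Replace = $replace }
    if ($clear.Count)   { $params.Clear   = $clear }
    # Touch Manager only when a supervisor was found; -Manager $null would clear it.
    if ($Supervisor -and $Supervisor.DistinguishedName -ne $ADUser.Manager) {
        $params.Manager = $Supervisor.DistinguishedName
    }
    $params
}

# Constructed sample data standing in for Get-ADUser output and one HR row.
$adUser = [pscustomobject]@{
    Name = 'Jane Doe'; title = 'Analyst'; department = 'Finance'; l = 'Oslo'
    Manager = 'CN=Old Boss,OU=Staff,DC=example,DC=test'
}
$hrUser = [pscustomobject]@{ Title = 'Senior Analyst'; Department = 'Finance'; Location = '' }

$delta = Get-UserDelta -ADUser $adUser -HRUser $hrUser -Supervisor $null
if ($delta.Count) {
    "{0}: would write {1}" -f $adUser.Name, (($delta.Keys | Sort-Object) -join ', ')
    # Against a live directory: $adUser | Set-ADUser @delta
} else {
    "{0}: no change, Set-ADUser skipped" -f $adUser.Name
}
```

To see whether a given run actually wrote an attribute on a particular DC, compare the Version that Get-ADReplicationAttributeMetadata reports for that user and attribute before and after the run.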