Bulk Update Users Info in Active Directory Challenges
Posted by QuestionFreak@reddit | sysadmin | 18 comments
I have a task to update user information in Active Directory (AD) for approximately 50,000 user objects, including details like title, phone number, first name, and last name. I'm planning to run a PowerShell (PS) script to update all these details based on data from an HR spreadsheet (CSV). Could someone advise on potential issues and challenges I might encounter?
caffeine-junkie@reddit
Done this for about 5-6k objects to standardize the info in the properties and to fill in any missing info. First, make heavy use of -whatif first. Also consider implementing error handling depending on the output of the whatif.
Most important though: HR is the one who has to validate the data before they give it to you. If there is any incorrect info after the fact (I can almost guarantee there will be), the change request has to go through them for approval.
QuestionFreak@reddit (OP)
Yes, thanks! I will thoroughly validate the data before updating it.
caffeine-junkie@reddit
That's what I mean though: HR is the one who should be validating it, not you.
QuestionFreak@reddit (OP)
Gotcha, sorry.
disclosure5@reddit
If it's coming from HR, it's almost certainly full of errors so getting as much sign off as possible will be the pathway.
Vectan@reddit
First off I'd suggest making sure your PowerShell does logging of what gets changed; that way, if there are any issues, you have solid info to figure it out.
Beyond that, some I can think of are:
1) Data from HR doesn't match AD (ex: HR has user.name1 and it is actually username1, so that record doesn't get updated correctly).
2) Check all your variables match between CSV and AD.
3) Test, preferably in a lab setup.
4) Make sure to test with a few smaller sets of accounts to make sure PowerShell is fully working correctly before running a big job.
5) PowerShell doing that many objects and details may take a while to run; having logging on in case it errors out, so you know where to pick up, helps, and making sure the system/DC running it has enough resources to handle it lessens the chances.
6) Make sure to run in an Administrator PowerShell/ISE window so you don't have any permissions issues.
If any more come to mind, I will edit.
BlackV@reddit
6 only applies if they are running directly on the DC; they shouldn't be.
Generally you should never elevate unless you need to
Vectan@reddit
Excellent point.
QuestionFreak@reddit (OP)
Thank you for all the useful information and detailed steps. I hadn’t thought about logging before, but I’ll be sure to include it in my script.
BlackV@reddit
no should be pretty painless, depending on what you're changing (in no particular order, but makes replies easier)
-server parameter for that, for 50k changes, I dunno if you want that or not
some values are not settable with a parameter, use the -add/-replace/-clear parameter for those values instead
try/catch/if/else/etc
dunno that's about all I can think of
QuestionFreak@reddit (OP)
Thanks a lot for all the points. Could you please clarify what you mean in step 4 by 'some values are not settable with a parameter'? What are examples of those parameters?
BlackV@reddit
Have a look at
you'll see there are like 30 parameters you can use (fullname, given name, office and so on) but it's not all properties of an aduser, so for those properties that don't have parameters you'd need to use -add/-replace instead of a parameter (i mean technically any property can be set using -add)
QuestionFreak@reddit (OP)
Thanks a lot; this is very useful information.
BlackV@reddit
Ya, good luck
Murhawk013@reddit
Export the current AD info into a csv first and have that as your backup just in case
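Putting the thread's advice together (export the current values as a rollback backup, support -WhatIf, log everything, try/catch per row, -Replace/-Clear for attributes that have no dedicated parameter, pin one DC with -Server) as one added PowerShell example; this is not code from any poster, and the CSV column names and the extensionAttribute1 attribute are assumptions:

```powershell
# Added example, not from the thread. Assumed CSV columns:
# SamAccountName,GivenName,Surname,Title,OfficePhone,extensionAttribute1
[CmdletBinding(SupportsShouldProcess)]   # so the caller can pass -WhatIf for a dry run
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [Parameter(Mandatory)] [string] $Server,   # pin one DC so reads and writes agree
    [string] $LogDir = '.'
)
Import-Module ActiveDirectory
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupPath = Join-Path $LogDir "ad-backup-$stamp.csv"
$props      = 'GivenName', 'Surname', 'Title', 'OfficePhone', 'extensionAttribute1'
Start-Transcript -Path (Join-Path $LogDir "ad-bulk-update-$stamp.log")

foreach ($row in Import-Csv -Path $CsvPath) {
    try {
        # -Identity plus -ErrorAction Stop: a missing account is an error, never a silent skip
        $user = Get-ADUser -Server $Server -Identity $row.SamAccountName -Properties $props -ErrorAction Stop

        # Snapshot the current values before touching anything; -WhatIf:$false keeps the
        # rollback file being written even during a dry run
        $user | Select-Object (@('SamAccountName', 'DistinguishedName') + $props) |
            Export-Csv -Path $backupPath -Append -NoTypeInformation -WhatIf:$false

        # Attributes that Set-ADUser exposes as parameters; blank cells are left untouched
        $set = @{}
        foreach ($p in 'GivenName', 'Surname', 'Title', 'OfficePhone') {
            if ($row.$p -ne '') { $set[$p] = $row.$p }
        }
        # An attribute with no dedicated parameter: -Replace sets it, -Clear empties it
        if ($row.extensionAttribute1 -ne '') {
            $set['Replace'] = @{ extensionAttribute1 = $row.extensionAttribute1 }
        } else {
            $set['Clear'] = 'extensionAttribute1'
        }

        # A -WhatIf on the script propagates to Set-ADUser through $WhatIfPreference
        Set-ADUser -Server $Server -Identity $user.DistinguishedName @set -ErrorAction Stop
        Write-Verbose "updated $($row.SamAccountName)"
    }
    catch {
        # Log and move on; the transcript shows exactly which rows need a second pass
        Write-Warning "row '$($row.SamAccountName)': $_"
    }
}
Stop-Transcript
```

Saved as, say, Update-AdUsers.ps1, run it first as `.\Update-AdUsers.ps1 -CsvPath hr.csv -Server dc01.example.local -WhatIf -Verbose` from a management workstation (not the DC) under an account delegated write access to just these attributes, then drop -WhatIf once the dry run and the HR sign-off line up.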
QuestionFreak@reddit (OP)
Thanks, good point. I'll take the backup in case things get messy and a rollback is needed—it will be useful.
SmallBusinessITGuru@reddit
First, and I cannot stress this enough, do not update user attributes without a sign off from someone that the information in your sheet (CSV) is correct.
The biggest hurdle here isn't technical, it is that the data you're provided may (will) be incorrect.
An option to approach this in a non-technical solution would be to ask users to check their details and submit a ticket if the information is incorrect. The person that's going to care the most about their name or phone being incorrect is the end user.
QuestionFreak@reddit (OP)
Yes, I agree with what you said; the real challenge is obtaining the correct source data.