Wednesday, September 15, 2010

PowerShell & User Certificates

I was recently asked if I could generate a report of user certificates. I recalled doing this with a .NET class a while back, here is that function:
function Get-Certificate {      

Begin {
Add-PSSnapin `
-Name Quest.ActiveRoles.ADManagement `
-ErrorAction SilentlyContinue }

Process {
Get-QADUser -Identity $user | `
Foreach { $_.DirectoryEntry.userCertificate } | `
Foreach {[System.Security.Cryptography.X509Certificates.X509Certificate2]$_} | `
Select Issuer, Subject, NotBefore,NotAfter
However, assuming you have the most recent version of the Quest Active Directory cmdlets (1.4.0), this becomes a trivial task.
Get-QADUser -Identity FatBeard | Get-QADCertificate
IssuedBy                 IssuedTo   ValidFrom  ValidTo
-------- -------- --------- -------
OSUMC EnterpriseRoot CA Fat Beard 6/3/2010 6/3/2011
OSUMC EnterpriseRoot CA Fat Beard 11/9/2009 11/9/2010

Wednesday, September 1, 2010

Where's my attribute?

I am often asked why certain Active Directory attributes do not show up when using Get-QADUser (ActiveRoles Management Shell for Active Directory). An example:
(Get-QADUser -Identity FatBeard).employeeID
One might expect this to return the employeeID for Mr. FatBeard.  It doesn't and this is a desired behavior.  In order to maximize performance, the Quest cmdlets return a default list of attributes.  To see non-default attributes you have a few options:
- Use the -IncludeAllProperties parameter.  This will store ALL the attributes in the memory cache.
- Use the -IncludedProperties parameter.  For ad-hoc reporting, when all that is needed are a few attributes, this is the recommended way.
Get-QADUser -Identity FatBeard -IncludedProperties employeeID,logonCount | Select employeeID, logoncount
- Lastly, you can modify the default attributes that are returned.
$attributes = Get-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject
$attributes += 'employeeID'
Set-QADPSSnapinSettings -DefaultOutputPropertiesForUserObject $attributes
(Get-QADUser -Identity FatBeard).employeeID #Success!

Modifying the Snapin settings is only good for the current session. If you want the settings to persist, you will need to add the modification to your profile.