In this post, I’ll go over the steps to update users’ primary email address in bulk.
I had to update the custom domain name for one of the tenants I manage. When the O365 tenant was set up, my domain name wasn’t ready for various reasons, and the users were created with @{tenantname}.onmicrosoft.com addresses. Once I had added the necessary DNS records for O365 and made sure the new domain was listed as the default on the Domains page (Microsoft 365 admin center -> Settings -> Domains), I was ready to update the user accounts with the new domain name.
Before proceeding further, make sure you are connected to Exchange Online.
Note: the csv file has User,EmailAddress as column headers. Enter each user’s email address with the new domain in the csv file. It is strongly recommended to keep the onmicrosoft.com address among the user’s proxy addresses (it is the tenant’s Microsoft Online Email Routing Address, which Microsoft 365 services use internally) and to set the new address as the PrimarySmtpAddress, i.e. the entry with the uppercase SMTP: prefix.
Note: the script below changes every account in the tenant from whatever you enter for $oldDomain to $newDomain. So proceed with caution, and comply with your change management process and steps.
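As an added example (not the original post’s script), here is one way to do the csv-driven update against Exchange Online. It assumes the User,EmailAddress columns from the note above, that Connect-ExchangeOnline from the ExchangeOnlineManagement module has already been run, and a csv path of .\users.csv. It demotes the current primary address to a secondary smtp: proxy rather than removing it, refuses domains that are not accepted domains in the tenant, skips directory-synced mailboxes (whose addresses must be changed in on-premises AD), and only reports unless -Commit is given.

```powershell
# Added example: bulk primary SMTP address change from a csv (User,EmailAddress).
# Assumes Connect-ExchangeOnline has already been run and the new domain is verified
# in the tenant. This is not the original post's script.
param(
    [string]$CsvPath = '.\users.csv',   # assumed path
    [switch]$Commit                      # without -Commit only report what would change
)

function Set-PrimarySmtp {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$NewAddress,
        [switch]$Commit
    )
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    if ($mbx.IsDirSynced) {
        # Cloud-side edits to synced mailboxes are rejected; fix proxyAddresses on-prem instead.
        Write-Warning "$Identity is directory-synced, change it in on-premises AD"
        return
    }
    if ("$($mbx.PrimarySmtpAddress)" -ieq $NewAddress) {
        Write-Verbose "$Identity already has $NewAddress as primary"
        return
    }

    # Rebuild the address list: keep every existing entry (SIP:, X500:, onmicrosoft.com ...),
    # demote the old primary to lowercase smtp:, drop any existing copy of the new address,
    # then put the new address first as the uppercase SMTP: primary.
    $kept = foreach ($entry in $mbx.EmailAddresses) {
        $s = $entry.ToString()
        if ($s -imatch "^smtp:$([regex]::Escape($NewAddress))$") { continue }
        if ($s -cmatch '^SMTP:') { 'smtp:' + $s.Substring(5) } else { $s }
    }
    $addresses = @("SMTP:$NewAddress") + @($kept)

    if ($Commit) {
        Set-Mailbox -Identity $Identity -EmailAddresses $addresses
        Write-Host "Updated $Identity -> $NewAddress"
    } else {
        Write-Host "[report] $Identity : $($mbx.PrimarySmtpAddress) -> $NewAddress"
    }
}

foreach ($row in Import-Csv -Path $CsvPath) {
    # Refuse addresses whose domain is not verified in the tenant; Set-Mailbox would fail
    # anyway, but failing early keeps the log readable.
    $domain = ($row.EmailAddress -split '@')[-1]
    if (-not (Get-AcceptedDomain -Identity $domain -ErrorAction SilentlyContinue)) {
        Write-Warning "$($row.EmailAddress): $domain is not an accepted domain, skipped"
        continue
    }
    try {
        Set-PrimarySmtp -Identity $row.User -NewAddress $row.EmailAddress -Commit:$Commit
    } catch {
        Write-Warning "$($row.User): $($_.Exception.Message)"
    }
}
```

Run it once without -Commit and read the report before running it with -Commit. For the whole-tenant variant the note above warns about, replace Import-Csv with a Get-Mailbox -ResultSize Unlimited query filtered on PrimarySmtpAddress ending in the old domain and derive the new address by string replacement. Set-Mailbox does not touch the UserPrincipalName; if your tenant keeps UPN and primary SMTP address identical, update the UPN separately (for example Update-MgUser -UserPrincipalName in the Microsoft Graph PowerShell SDK).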
In Active Directory, when we open the properties of a user account, click the Account tab, and check or uncheck boxes in the Account options section, numeric values are assigned to the UserAccountControl attribute. This attribute determines the state of an account in the AD domain: enabled or disabled, whether a password change is required at the next logon, whether users can change their passwords, and other options.
UserAccountControl Attribute in AD
To view user accounts,
Click Start –> Programs
Open Administrative Tools
Click Active Directory Users and Computers
Or run dsa.msc from the Run dialog
Search for a user and right-click and select Properties
Click on Account tab
The Account Options section has the following options,
User must change password at next logon
User cannot change password
Password never expires
Store password using reversible encryption
Account is disabled
Smart card is required for interactive logon
Account is sensitive and cannot be delegated
Use Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption
This account supports Kerberos AES 256 bit encryption
Do not require Kerberos preauthentication
Each of these options is either on (1) or off (0). They are not stored as separate AD attributes: most of them are bits of the single UserAccountControl attribute, the bits are cumulative, and the attribute’s value is the sum of the bits that are set. A few checkboxes on this tab are exceptions: "User must change password at next logon" sets pwdLastSet to 0, "User cannot change password" is implemented as a deny ACE on the user object rather than a bit you can write through this attribute, and the two Kerberos AES checkboxes are stored in msDS-SupportedEncryptionTypes. Everything else in the list above maps to a UserAccountControl bit.
Search for a user and right-click and select Properties
Click on Attribute Editor tab
If this tab is missing, click View in the Active Directory Users and Computers window and select Advanced Features
In this example, the value of the attribute is 0x200 (decimal value is 512).
The following table lists the flags that can be set on an account. Each flag corresponds to one bit of UserAccountControl, and the attribute’s value is the sum (bitwise OR) of all flags that are set: a value of 66048, for example, is 512 + 65536, a normal account whose password never expires.
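The flag values below are the documented UserAccountControl constants (ADS_USER_FLAG_ENUM), added here as a worked example that is not part of the original post: a [Flags] enum that decodes a raw value into flag names, and an LDAP bitwise query that finds accounts carrying the flags a security reviewer looks for first. The decoder needs only PowerShell 5.1 or later; the audit needs the ActiveDirectory module and a domain connection.

```powershell
# Added example (not from the original post): decode userAccountControl and find
# accounts carrying security-relevant flags. Values are the documented
# ADS_USER_FLAG_ENUM constants.
[Flags()] enum UserAccountControl {
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040   # reflects an ACE; not writable via this attribute
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080   # "Store password using reversible encryption"
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
    NOT_DELEGATED                  = 0x00100000   # "Account is sensitive and cannot be delegated"
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000   # AS-REP roastable
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000   # read-only domain controller
}

function ConvertFrom-UserAccountControl {
    # Turns a raw value into its flag names, e.g. 66048 -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
    param([Parameter(Mandatory, ValueFromPipeline)][int]$Value)
    process { [UserAccountControl]$Value }
}

# Flags worth a finding, with the question each one answers.
$Findings = [ordered]@{
    'No Kerberos pre-authentication (AS-REP roasting)' = [UserAccountControl]::DONT_REQ_PREAUTH
    'Password not required (blank password allowed)'   = [UserAccountControl]::PASSWD_NOTREQD
    'Reversible-encryption password storage'           = [UserAccountControl]::ENCRYPTED_TEXT_PWD_ALLOWED
    'Password never expires'                           = [UserAccountControl]::DONT_EXPIRE_PASSWORD
    'Unconstrained delegation'                         = [UserAccountControl]::TRUSTED_FOR_DELEGATION
    'DES-only Kerberos keys'                           = [UserAccountControl]::USE_DES_KEY_ONLY
}

function Find-RiskyUserAccountControl {
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) makes the DC test the bit
    # server-side instead of pulling every user and filtering locally.
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($f in $Findings.GetEnumerator()) {
        $bit     = [int]$f.Value
        $finding = $f.Key
        Get-ADUser -LDAPFilter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=$bit))" `
                   -Properties userAccountControl |
            Select-Object SamAccountName, Enabled,
                @{ n = 'Finding'; e = { $finding } },
                @{ n = 'Flags';   e = { [UserAccountControl]$_.userAccountControl } }
    }
}

# ConvertFrom-UserAccountControl 512     # NORMAL_ACCOUNT, the 0x200 from the example above
# Find-RiskyUserAccountControl | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

The same bitwise matching rule works in any LDAP client, so the filter strings can be reused in a SIEM collector or a one-off ldapsearch; the enum is just a readable way to carry the constants.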
If you don’t have an AD user provisioning tool in your environment, most of your user provisioning and de-provisioning is probably done with PowerShell scripts, which cuts down the time this process takes.
You probably are bombarded with requests from various departments in your organization to provide them with a list of new users who were created for various reasons.
This script can be automated by storing the credentials securely and running it as a scheduled task on a specific day. Don’t store your admin credentials, or any other credentials, in your scripts.
You can use ConvertFrom-SecureString to get an encrypted standard string, write it to a file, and later use ConvertTo-SecureString to read it back and build a PSCredential object.
The point of that method is only to keep the password out of plain text in the .ps1 so it is not discovered by a casual read. Without -Key the string is protected by DPAPI and tied to the user and machine that created it, so anything that runs as that account on that host (the scheduled task itself, or an attacker who lands in that session) recovers the password in one line; with -Key, anyone who can read the key file can decrypt it anywhere. It is not a safe place for privileged credentials and is not recommended.
You can use the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore PS modules which I’ve covered in a later post.
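Added example, not from this post or the later one it refers to: the weak pattern just described next to the SecretManagement one, wrapped so the report script can call Get-ReportCredential instead of Get-Credential. It assumes the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore modules are installed, and the vault name ReportVault and secret name SmtpRelay are made up for the example.

```powershell
# Added example: storing the SMTP credential for an unattended run.
# Assumes Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore
# are installed; 'ReportVault' and 'SmtpRelay' are names chosen for this example.

# --- The pattern to avoid ----------------------------------------------------
# ConvertFrom-SecureString without -Key uses DPAPI: the file is readable only by the same
# Windows account on the same machine, but anything running as that account (a scheduled
# task, a compromised session) gets the password back in one line.
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content .\smtp.txt
#   $pw = Get-Content .\smtp.txt | ConvertTo-SecureString
#   [System.Net.NetworkCredential]::new('', $pw).Password     # plaintext again

# --- SecretManagement / SecretStore ------------------------------------------
function Initialize-ReportVault {
    # One-time setup, run interactively as the account the scheduled task will use.
    param([string]$VaultName = 'ReportVault')
    if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
    }
    # An unattended task cannot type the store password, so the store is configured not to
    # prompt. Protection then rests on the task account's profile (DPAPI) and NTFS ACLs,
    # which is still better than a password in the .ps1; you are prompted for the current
    # store password once when changing this.
    Set-SecretStoreConfiguration -Authentication None -Interaction None -Confirm:$false
    Set-Secret -Name 'SmtpRelay' -Secret (Get-Credential -Message 'SMTP relay account') -Vault $VaultName
}

function Get-ReportCredential {
    # Called from the report script in place of Get-Credential; returns a PSCredential.
    param([string]$Name = 'SmtpRelay', [string]$VaultName = 'ReportVault')
    $cred = Get-Secret -Name $Name -Vault $VaultName -ErrorAction Stop
    if ($cred -isnot [pscredential]) { throw "Secret '$Name' is not a PSCredential" }
    $cred
}

# Initialize-ReportVault                          # once, interactively
# $MailParams.Credential = Get-ReportCredential   # in the scheduled script
```

Use a dedicated low-privilege relay account for the secret rather than an admin credential; the report only needs to read AD and send one mail, and whatever can read the vault can use the account.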
$Days = -7
$Maxdate = (Get-Date).AddDays($Days)
$CurrentWeekNumber = Get-Date -UFormat %V
$dateformat = "dddd MM/dd/yyyy"
$subjDate = Get-Date $Maxdate -Format $dateformat
# Gather AD users created in the last $Days days. DisplayName is not in Get-ADUser's default
# property set, so it has to be requested explicitly or the column comes back empty.
$NewUsers = Get-ADUser -Filter { whenCreated -ge $Maxdate } -Properties DisplayName, EmailAddress, co, Description, whenCreated |
    Select-Object -Property GivenName, Surname, DisplayName, Description, co, EmailAddress, whenCreated
if ($NewUsers) # at least one user was created in the last $Days days, prepare to send a mail
{
    $MailBody = $NewUsers | ConvertTo-Html -Fragment
    $MailParams = @{
        Body       = $MailBody | Out-String
        BodyAsHtml = $true
        From       = "AD-Admin@acme.com"
        To         = "jsmith@acme.com" # separate with commas for multiple recipients: "jdoe@acme.com", "jroe@acme.com"
        SmtpServer = "smtp.acme.com"
        Subject    = "New users for the week : $CurrentWeekNumber | Week Starting - $subjDate"
        Encoding   = "UTF8"
        Priority   = "Normal" # Accepted values: Normal, High, Low
        #Port      = xxxx # if not 25
        #UseSsl    = $true # enable when the relay supports STARTTLS; otherwise the credential below crosses the wire in clear
        Credential = $(Get-Credential) # prompts interactively; a scheduled task should read the credential from a secret store instead
    }
    Send-MailMessage @MailParams
}
Hope this script was useful in generating weekly reports of newly created AD users.
I recently faced an issue where users are provisioned into AD by a provisioning system/tool that applies the Country value while creating the account but cannot update the countryCode and co attributes. I had a few thousand users with no value set in the co and countryCode attributes.
In this post, I’ll cover how I came up with a workaround for this issue.
The AD attributes we are dealing with here are,
c (Country-Name): ISO 3166-1 alpha-2 two-letter string, e.g. US
countryCode (Country-Code): ISO 3166-1 numeric code as an integer, e.g. 840
co (Text-Country): free-text country name, e.g. United States
When we pick a country name from the Country/region drop-down on the Address tab in Active Directory Users and Computers, the c, co and countryCode attributes are all assigned together.
With PowerShell, we can use Set-ADUser to assign the c attribute to the user,
In this method, no values are assigned to the co and countryCode attributes automatically, unlike the GUI. Below are the screenshots of the user properties after running the above cmdlet.
We can use this method to assign all three values for the user,
In my scenario, the users provisioned by the tool already had the c attribute set. I exported all users from the AD domain, determined the countries, and then used the script below to update the co and countryCode attributes.
The table at the end of this post lists all countries in the Country/region drop-down on the AD Address tab. You can use it to adapt the script above to your needs. I also run this script as a scheduled task once a week to update the new users created during the week. Not a perfect solution, but replacing the user provisioning tool wasn’t an option in my case, so I stuck with this method.
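As an added example rather than the post’s own script, here is a sweep that fills co and countryCode for every user whose c is set but co is empty, driven by a map from the alpha-2 code to the name ADUC uses and the ISO 3166-1 numeric code. The map is a subset; extend it from the country table for the codes present in your directory. Unknown codes are logged and skipped rather than guessed, and -WhatIf previews the changes. The optional -SearchBase parameter is an assumption added for convenience.

```powershell
# Added example (not the original post's script): fill co and countryCode from c.
# The map is a subset of the ISO 3166-1 table behind the ADUC Country/region list.
Import-Module ActiveDirectory -ErrorAction Stop

$CountryMap = @{
    # c    = @(co (Text-Country), countryCode (ISO 3166-1 numeric))
    'AU' = @('Australia',       36)
    'BR' = @('Brazil',          76)
    'CA' = @('Canada',         124)
    'DE' = @('Germany',        276)
    'ES' = @('Spain',          724)
    'FR' = @('France',         250)
    'GB' = @('United Kingdom', 826)
    'IE' = @('Ireland',        372)
    'IN' = @('India',          356)
    'IT' = @('Italy',          380)
    'JP' = @('Japan',          392)
    'MX' = @('Mexico',         484)
    'NL' = @('Netherlands',    528)
    'SE' = @('Sweden',         752)
    'US' = @('United States',  840)
}

function Repair-CountryAttributes {
    # Users whose c is set but co is missing; -WhatIf is honoured via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase)   # optional OU distinguished name (assumed parameter)
    $getParams = @{
        LDAPFilter = '(&(objectCategory=person)(objectClass=user)(c=*)(!(co=*)))'
        Properties = 'c', 'co', 'countryCode'
    }
    if ($SearchBase) { $getParams.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @getParams) {
        $code = $user.c.ToUpperInvariant()
        if (-not $CountryMap.ContainsKey($code)) {
            # Either the provisioning tool wrote something that is not ISO 3166-1 alpha-2,
            # or the map needs another row. Never guess; log it and move on.
            Write-Warning "$($user.SamAccountName): c='$($user.c)' not in map, skipped"
            continue
        }
        $co, $num = $CountryMap[$code]
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "set co=$co countryCode=$num")) {
            # -Replace writes all three so the record matches what the GUI would have produced.
            Set-ADUser -Identity $user -Replace @{ c = $code; co = $co; countryCode = $num }
        }
    }
}

# Repair-CountryAttributes -WhatIf   # preview
# Repair-CountryAttributes           # weekly scheduled run
```

For a single user the same Set-ADUser -Replace call with the three values is all that is needed; the function only adds the LDAP search, the lookup and the safety checks around it.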
Hope this post helped you better understand the c, co and countryCode attributes in AD and an easier method to update them.
Organizational hierarchy is vital to running everyday activities smoothly in any enterprise. With Azure AD, a user’s manager information can be updated easily, and that information is used by other features such as Teams and apps that require approval workflows.
In this post, I’ll go over the steps to update the manager for a specific user, for a list of users from a csv file, and to determine a user’s manager.
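Added example of those three operations, not the post’s own code: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users), whereas an Azure AD post of this kind may well have used the since-retired AzureAD module. It assumes Connect-MgGraph -Scopes 'User.ReadWrite.All' has been run and a csv with User,Manager columns holding UPNs; the path .\managers.csv is made up.

```powershell
# Added example (not the original post's code): manager assignment with the
# Microsoft Graph PowerShell SDK. Assumes Connect-MgGraph -Scopes 'User.ReadWrite.All'
# has been run; the csv columns User,Manager and path are assumptions.

function Set-UserManager {
    param(
        [Parameter(Mandatory)][string]$UserId,     # UPN or object id
        [Parameter(Mandatory)][string]$ManagerId   # UPN or object id
    )
    # manager is a reference link, so Graph wants the manager's object URL, not a UPN.
    $manager = Get-MgUser -UserId $ManagerId -Property Id -ErrorAction Stop
    Set-MgUserManagerByRef -UserId $UserId -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($manager.Id)"
    }
}

function Get-UserManager {
    # Returns the manager's display name and UPN, or $null when no manager is set
    # (Get-MgUserManager errors with 404 in that case, hence SilentlyContinue).
    param([Parameter(Mandatory)][string]$UserId)
    $m = Get-MgUserManager -UserId $UserId -ErrorAction SilentlyContinue
    if (-not $m) { return $null }
    [pscustomobject]@{
        User               = $UserId
        ManagerDisplayName = $m.AdditionalProperties['displayName']
        ManagerUpn         = $m.AdditionalProperties['userPrincipalName']
    }
}

# One user
# Set-UserManager -UserId 'jdoe@acme.com' -ManagerId 'jsmith@acme.com'

# A list of users from a csv (User,Manager); one bad row does not stop the run
# foreach ($row in Import-Csv .\managers.csv) {
#     try   { Set-UserManager -UserId $row.User -ManagerId $row.Manager }
#     catch { Write-Warning "$($row.User): $($_.Exception.Message)" }
# }

# Check the result
# Get-UserManager -UserId 'jdoe@acme.com'
```

Resolving the manager with Get-MgUser first means a typo in the Manager column fails loudly on that row instead of being written as a dangling reference.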