Active Directory
A set of directory-based technologies included in Windows Server.
6,453 questions
Add -SearchScope OneLevel to the Get-ADUser.
Change Attributes for users in OU but restrict only to parent OU
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 90%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Stefanos Constantinou
61
Reputation points
I'm using the following command to replace the attributes of all AD users in the specified OU
Get-ADUser -SearchBase 'OU=Test OU,OU=Users and Computers,OU=Company HQ,DC=DOMAIN,DC=com' -filter * | Set-ADUser -Replace @{c="IT";co="Italy";countryCode="380"}
However, the command will change users' attributes which are in Sub-OUs
is there any parameter to restrict the command to change the attributes only in the specified OU?
3 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rich Matheisen 46,556 Reputation points2020-12-20T19:38:48.67+00:00 -
Stefanos Constantinou 61 Reputation points
2020-12-21T18:51:57.307+00:00 thank you for the answer, may I get an example on how it should be on my command?
it seems it won't work for me
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 32,831 Reputation points2020-12-20T21:14:00.873+00:00 Hi,
You can add
-SearchScope Baseif you want modify only object in the parent OU.A SearchScope with a Base value searches only for the given user. If an OU is specified in the SearchBase parameter, no user will be returned by, for example, a specified Filter statement. A OneLevel query searches the immediate children of that path or object. This option only works when an OU is given as the SearchBase. If a user is given, no results are returned. A Subtree query searches the current path or object and all children of that path or object.
Please don't forget to mark this reply as answer if it help you to fix your issue
-
Stefanos Constantinou 61 Reputation points
2020-12-21T18:51:45.503+00:00 thank you for the answer, may I get an example on how it should be on my command?
it seems it won't work for me
Sign in to comment -
-
Andreas Baumgarten 108K Reputation points MVP2020-12-21T18:55:44.237+00:00 There you go:
Get-ADUser -SearchBase 'OU=Test OU,OU=Users and Computers,OU=Company HQ,DC=DOMAIN,DC=com' -SearchScope OneLevel -filter * | Set-ADUser -Replace @{c="IT";co="Italy";countryCode="380"}or
Get-ADUser -SearchBase 'OU=Test OU,OU=Users and Computers,OU=Company HQ,DC=DOMAIN,DC=com' -SearchScope Base -filter * | Set-ADUser -Replace @{c="IT";co="Italy";countryCode="380"}
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten-
Stefanos Constantinou 61 Reputation points
2020-12-21T19:30:59.53+00:00 thank you!
it works with the "-SearchScope -OneLevel" to change only users within the parent-OU however the Base does nothing for either parent or sub-OU users.
-
Andreas Baumgarten 108K Reputation points MVP
2020-12-21T19:34:48.457+00:00 But at least your question is answered?
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten -
Rich Matheisen 46,556 Reputation points
2020-12-21T19:55:29.963+00:00 The search scope "Base" is useful in LDAP queries (e.g. where you need to retrieve an individual object and process any of it's sub-containers), but in the case of retrieving an individual user it's not very practical as you'd have to provide the complete distinguished name of the user as the search base. If you simply used the DN as the value to the -Identity parameter the results would be the same without the need to provide the -SearchBase or -SearchScope.
Sign in to comment -