
This blog post is a quick reminder for a question I'm often asked by customers.
They usually want to associate a user with a device, leverage user device affinity, ease management, etc.
So when deploying a new device, a custom GUI is usually used to ask for a user name, like in the screenshot below:

That username then needs to be verified against Active Directory.
This is where things can get tricky depending on the technology you've chosen. The most recommended scenario is to use a web service; on the geek side of things you can also choose to load the Active Directory PowerShell module into the Windows PE image (very unsupported, but works like a charm).
Both solutions involve additional work and, moreover, need to be maintained...
Can't we get something lighter? Yes we can!!!
The easy way is to use the Active Directory WMI provider. The provider has been deprecated since Server 2012 but surprisingly still works!
A user query can be done in PowerShell like this:
$LDAPQuery = Get-WmiObject -Namespace "root\directory\ldap" -Class "ds_user" -Filter "ds_samaccountname='$UserName'" -ComputerName $DomainControlerFQDN -Credential $creds
where $UserName is the Active Directory account you are looking for.
Notice that you also need to provide the FQDN of a domain controller in the $DomainControlerFQDN variable.
There is finally a requirement to send credentials using the $creds variable.
To pass credentials to your script you can use the Set Dynamic Variables step in your task sequence. The step allows hiding the value of a variable, which is exactly what we need:

In your PowerShell script you simply need to grab the QueryADUser and QueryADPassword variables and turn them into a credential object like this:
# Register the SCCM/MDT task sequence COM object
$Script:TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
# Convert the (hidden) password variable to a SecureString
[securestring]$secStringPassword = ConvertTo-SecureString $TSEnv.Value("QueryADPassword") -AsPlainText -Force
# Build the credential object used by Get-WmiObject
[pscredential]$creds = New-Object System.Management.Automation.PSCredential ($TSEnv.Value("QueryADUser"), $secStringPassword)
# Clear the task sequence variables once the credential object exists
$TSEnv.Value("QueryADUser") = ""
$TSEnv.Value("QueryADPassword") = ""
At this point we are almost done. If you need something a bit different, you can also query AD users by:
User Principal Name
Get-WmiObject -Namespace "root\directory\ldap" -Class "ds_user" -Filter "DS_userPrincipalName='Diagg@rOSD-Couture.com'" -ComputerName $DomainControlerFQDN -Credential $creds
Family Name
Get-WmiObject -Namespace "root\directory\ldap" -Class "ds_user" -Filter "DS_sn='OSDCFamilly'" -ComputerName $DomainControlerFQDN -Credential $creds
Full Name
Get-WmiObject -Namespace "root\directory\ldap" -Class "ds_user" -Filter "DS_name='Diagg OSDCFamilly'" -ComputerName $DomainControlerFQDN -Credential $creds
Not forgetting that in some cases you also need to query a computer name.
Get-WmiObject -Namespace "root\directory\ldap" -Class "ds_computer" -Filter "DS_name='$ComputerName'" -ComputerName $DomainControlerFQDN -Credential $creds
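The queries above interpolate a name typed into the deployment GUI straight into the WQL filter. As an added example (not code from the original post), the script below validates that name against the characters Active Directory allows in an account name and escapes it before building the filter, then wraps the user and computer queries in one function. It assumes the ds_user/ds_computer classes and DS_* property names used in this post, a reachable domain controller in $DomainControlerFQDN, $UserName coming from the GUI, and the QueryADUser/QueryADPassword task sequence variables described above; the helper names are hypothetical.

```powershell
# Added example, not from the original post. Helper names are hypothetical.

function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # WQL string literals are single-quoted and use backslash as the escape character,
    # so a quote or backslash in the input must be escaped or it could end the literal
    # and change the filter.
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function Test-ADObjectName {
    param([Parameter(Mandatory)][string]$Name, [switch]$Computer)
    # Users: sAMAccountName is at most 20 characters. Computers are matched on DS_name
    # (NetBIOS name, at most 15 characters) as in the post.
    $maxLen = if ($Computer) { 15 } else { 20 }
    if ([string]::IsNullOrWhiteSpace($Name) -or $Name.Length -gt $maxLen) { return $false }
    # Reject characters Active Directory does not allow in sAMAccountName.
    return ($Name -notmatch '[\\/:*?"<>|\[\]+=;,@]')
}

function Get-ADObjectViaWmi {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DomainControlerFQDN,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$Computer
    )
    if (-not (Test-ADObjectName -Name $Name -Computer:$Computer)) {
        throw "Rejected name '$Name': empty, too long, or contains characters not allowed in Active Directory."
    }
    $literal = ConvertTo-WqlLiteral -Value $Name
    if ($Computer) {
        $class  = 'ds_computer'
        $filter = "DS_name='$literal'"
    } else {
        $class  = 'ds_user'
        $filter = "ds_samaccountname='$literal'"
    }
    Get-WmiObject -Namespace 'root\directory\ldap' -Class $class -Filter $filter `
        -ComputerName $DomainControlerFQDN -Credential $Credential -ErrorAction Stop
}

# Usage inside the task sequence: read the hidden variables, build the credential,
# clear the variables, then validate the GUI-supplied name before querying.
$TSEnv  = New-Object -COMObject Microsoft.SMS.TSEnvironment
$secPwd = ConvertTo-SecureString $TSEnv.Value('QueryADPassword') -AsPlainText -Force
$creds  = New-Object System.Management.Automation.PSCredential ($TSEnv.Value('QueryADUser'), $secPwd)
$TSEnv.Value('QueryADUser')     = ''
$TSEnv.Value('QueryADPassword') = ''

# $UserName and $DomainControlerFQDN are assumed to be set earlier in the script (GUI input and a TS variable).
$user = Get-ADObjectViaWmi -Name $UserName -DomainControlerFQDN $DomainControlerFQDN -Credential $creds
if ($null -eq $user) { Write-Warning "No AD user named '$UserName' was found." }
else { Write-Output "Found AD user: $($user.DS_name)" }
```

Two practical points: a rejected name fails the step with a clear error instead of sending a malformed filter to the domain controller, and because the Set Dynamic Variables step only masks the value from display, the QueryADUser account should be a dedicated account with read-only rights to the directory and nothing more.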
See you Next time.
Note: Sorry for the localised screenshot, I didn't find time to recapture it in English!