If you’ve been following my discussion about automating Active Directory (AD) with PowerShell—see "A More Flexible Active Directory One-Liner" and "Going Further with ForEach"—congratulations! You’re pretty far along in using PowerShell as a great timesaving tool with one-liners like this one from last month:

get-aduser -filter * -properties * | foreach { set-aduser $_ -displayname ($_.givenname + " " + $_.sn)}

That little beauty lets you clean up your AD accounts by constructing a user’s name out of his or her first name (givenname in AD-ese) and last name (sn in AD-ese), then putting that newly created name into the user account’s Display Name field. For some of you, this is a trivial result, but for others, it’s a way to make your AD implementation consistent.

Although that one-liner works, a user coming across it and trying to figure out what it does or how it works might be at a loss. One-liners can be terrific power tools, but they can also be seen as a sort of “write-only language” because some of it honestly looks like random typing. This month, we’ll start rebuilding the one-liner into something more readable (which is important) and something more easily modified and improved (which is even more important) by converting it into a PowerShell “script.”

Now, most people in my PowerShell classes tense up when I say “script,” because it sounds like programming. Everyone knows programming is hard! But it really isn't terribly difficult, as I think you’ll see.

To get ready, start by creating a folder on your computer where you’ll save scripts. I just call mine C:\scripts. Open an elevated command prompt, and use the CD command to make your script folder the default folder (cd C:\scripts, in my case). Launch PowerShell if you haven't done that yet.

PowerShell scripts are simple: Essentially, you type one or more PowerShell commands into a text file and save that text file with the extension .ps1. Then, whenever you want to run that set of PowerShell commands, you open a PowerShell prompt and type the name of the text file that you saved. (I'll provide a step-by-step example in a moment.) PowerShell then reads the commands and executes them, saving you the trouble of having to retype something as lengthy as our one-liner. In fact, let’s start with our one-liner.

First, open Notepad. Copy the one-liner right into the text file with no changes. Second, save that file as fixDNs.ps1 into your scripts folder. Remember, this one-liner modifies AD by rewriting the DisplayName attribute of every account. So, either perform this experiment in a test AD environment (preferably one with at least a few accounts’ givenname and sn attributes populated) or change the one-liner so that it doesn’t actually modify anything. To do this, add the -whatif parameter to set-aduser, like this:

get-aduser -filter * -properties * | foreach { set-aduser $_ -displayname ($_.givenname + " " + $_.sn) -whatif}

Once you’re either running in a test AD environment or have modified fixDNs.ps1 to de-fang it, you might have to tell your system that it’s OK to run PowerShell scripts, because Windows blocks running scripts by default. You can do that by typing

set-executionpolicy RemoteSigned

Once you’ve run that command, you need never do it again on that computer. It’s time to run your first script by typing

.\fixDNs

Notice the period and backslash? PowerShell requires it in order to be 100 percent sure that you’re running the script that you mean to, rather than a hypothetical one somewhere else on your path that also has the name fixDNs.ps1.

After you press Enter, one of three things will happen. You might get a whole bunch of red text, which means that your system couldn’t contact a domain controller (DC) to run the get-aduser or set-aduser commands, you weren’t logged in with domain admin credentials, you mistyped the set-executionpolicy command, or an administrator on your domain created a Group Policy that blocks you from running the set-executionpolicy command. You might get nothing, which makes sense if you ran the original AD-modifying version of the one-liner. Or, if you ran the version with the -whatif parameter added to the set-aduser cmdlet, you’ll get a bunch of lines that look like

What if: Performing operation "Set" on Target "CN=mark,CN=Users,DC=bigfirm,DC=com".
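The script below is an added example, not the article's own code. It is a more cautious variant of fixDNs.ps1 that limits the run to one OU, skips accounts with no givenname or sn, and honors -WhatIf for the whole script. The file name fixDNs-safe.ps1 and the OU=Staff search base are assumptions for illustration.

```powershell
# fixDNs-safe.ps1 (hypothetical file name): added example, not the article's script.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: limit the run to one OU; this default DN is a placeholder.
    [string]$SearchBase = 'OU=Staff,DC=bigfirm,DC=com'
)

Import-Module ActiveDirectory

# GivenName and Surname (the AD module's name for sn) are returned by default;
# DisplayName must be requested explicitly. This avoids pulling every attribute
# of every account with -Properties *.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties DisplayName

foreach ($user in $users) {
    # Skip accounts missing either name part (typically service or built-in
    # accounts), where the one-liner would build a blank or partial name.
    if ([string]::IsNullOrWhiteSpace($user.GivenName) -or
        [string]::IsNullOrWhiteSpace($user.Surname)) {
        Write-Verbose "Skipping $($user.SamAccountName): missing givenname or sn"
        continue
    }

    $newName = "$($user.GivenName) $($user.Surname)"

    # Leave the account alone when the value is already correct.
    if ($user.DisplayName -eq $newName) { continue }

    # ShouldProcess honors -WhatIf and -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set DisplayName to '$newName'")) {
        Set-ADUser -Identity $user -DisplayName $newName
        # Emit a record of each change so the run can be reviewed or reverted.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldDisplayName = $user.DisplayName
            NewDisplayName = $newName
        }
    }
}
```

Run it with -WhatIf first and read the "What if:" lines before running it for real; piping the real run to Export-Csv keeps the old DisplayName values on file.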

At this point, notice the first benefit of a PowerShell script: It saves you a lot of typing! Typing .\fixDNs is a whole lot easier than typing those huge one-liners. But that’s small potatoes compared with next month’s topic. We’ll break that long, somewhat cryptic one-liner into a bunch of shorter, clearer lines. See you then!