Josh Nutt

Josh Nutt

IT professional with 5+ years of experience, mostly building automation with PowerShell.

Currently studying Infrastructure as Code, Cyber Security, and Azure. Also working on CRTO and CRTP certifications.

When Im not studying Im probably hiking or playing Age of Empires 2.

Splatting Custom Attributes with Active Directory

2 minute read

Using splatted values can help better organize your code for managing AD Objects.


Splatting Basics

Splatting is a method of passing a collection of parameter values to a command as a unit.

They are simply hash tables that contain value pairs consisting of parameter name and value. With the main difference is that when referenced you use @ instead of $.

$splat = @{
	Identity="josh"
}

Get-ADUser @splat

This example probably won’t sell you on splatting so lets look at some slightly longer examples.

Compare these two:

Set-ADUser -Identity Josh -DisplayName "Joshua" -EmailAddress "Josh@Company.com" -Department "IT" -Country "US"

$Arguments = @{
	Identity = "Josh"
	DisplayName = "Joshua"
	EmailAddress = "Josh@company.com"
	Department = "IT"
	Country = "US"
}

Set-ADUser @Arguments


Which values can I splat?

Easiest way to tell is to use Intellisense.

If the parameter is suggested when starting to type it into the console, then it can be splatted.

Can splat Email Address:
PowerShell Console Image

$Arguments = @{
	EmailAddress = "Josh@corp.com"
}

Set-ADUser test.josh @Arguments


Can not splat extension attributes:
PowerShell Console Image

$Arguments = @{
	ExtensionAttribute1 = "This will not work."
}

Set-ADUser test.josh @Arguments


Ok, So What About the Other Attributes?

How do we splat parameters that cannot be modified using a cmdlet parameter (like -Country for Set-ADUser)? Nested Hash Tables!

-Add and -OtherAttributes are just parameters, so treat them the same. Since they take a hash table as a value just pass them valid parameter/value pairs and you’re good to go.


New-ADUser Example

$OtherAttributes = @{
    Title = "Title";
    Description = "Description"
    Department = "Department"
    C = "US"
    GivenName = "Josh"
    SN = "Nutt"
    extensionAttribute1 = "value"
    myCustomAttribute = "SomeValue"
}

$UserSettings = @{
    Name = "Josh Nutt"
    SamAccountName = "Josh"
    DisplayName = "Joshua Nutt"
    UserPrincipalName = "Josh@corp.com"
    Path   = "OU=People Named Josh,DC=corp,DC=lan"
    Server = "DomainServer02"

    OtherAttributes = $OtherAttributes
}

new-aduser @UserSettings -ErrorAction Stop

$UserSettings contains a value “OtherAttributes” which contains another hashtable of attributes

If you did this without splatting it would get out of hand pretty quickly!

New-ADUser -Name "Josh Nutt" -SamAccountName "Josh" -DisplayName "Joshua Nutt" -OtherAttributes @{Title="Title";Department="Department";C = "US";SN = "Nutt";extensionAttribute1 = "value"}


Set-ADUser Example:

$CustomProperties = @{
	extensionAttribute1  = "Value1"
	extensionAttribute2  = "Value2"
}

$UserSettings = @{
	Identity="Josh"
	DisplayName="Joshua Nutt"

	# Or you can use Replace
	Add=$CustomProperties
}

Set-ADUser @UserSettings

Same concept with New-ADUser except Microsoft chose to use -Add instead of -OtherAttributes.


Conclusion

Using splatting has cleaned up my code and made it easier to maintain, I hope it helps somebody else.

Additional information can be found here:
Set-ADUser Documentation
Splatting Documentation
Microsoft Dev Blog - Splatting

You may also enjoy

AS-REP Roast: PowerShell

less than 1 minute read

If a user’s UserAccountControl settings have Do Not Require Kerberos preauthentication enabled it is possible to grab user’s crackable AS-REP and brute-force...