Executing PowerShell Commands with Connect to AD

Connect to AD does not natively support executing PowerShell commands during synchronization. However, it can be configured to generate PowerShell commands that an external script, running independently of Connect to AD, can retrieve and execute.

To illustrate this implementation, we will walk through two use cases:

  1. Deleting an AD user account when an employee is terminated in UKG.
  2. Creating an Exchange Online mailbox for a new user in UKG.

Scenario 1: Deleting an AD User Account When an Employee Is Terminated in UKG

Goal

When an employee is terminated in UKG, their corresponding AD user account should be deleted immediately.

Solution

Since Connect to AD cannot execute PowerShell commands directly, we will use C# expressions to inject the necessary PowerShell command into a user attribute. After the sync, a separate PowerShell script will process and execute it.

The standard PowerShell command to delete a user account is:

Remove-ADUser -Identity <insert userPrincipalName here> -Confirm:$False

Step 1: Inject the PowerShell Command into an AD Attribute

Add a field mapping in Connect to AD for the attribute that will store the PowerShell command. In this case, we’ll use extensionAttribute1.

Enable conditional expressions and apply the following conditions:

WHEN
Employment.EmployeeStatusCode == "T"
THEN
$"Remove-ADUser -Identity {User.userPrincipalName} -Confirm:$False"

and

WHEN
Default
THEN
Ignore

This ensures that when an employee is terminated in UKG, the deletion command is stored in extensionAttribute1.

Step 2: Execute the Stored Command via PowerShell

Create and schedule a PowerShell script that will:

  • Read all user records containing a stored PowerShell command.
  • Execute the stored PowerShell command.
  • Log responses and errors (optional).
  • Clear the command after execution to prevent repeated deletions.
  • Ensure Connect to AD does not continuously inject the command into the user record.

Scenario 2: Creating an Exchange Online Mailbox

Goal

When a new user is created in AD, an Exchange Online mailbox should be provisioned automatically.

Solution

As before, since Connect to AD cannot directly call external systems, we will store the necessary command in an AD attribute and use an external PowerShell script to execute it.

The standard PowerShell command to create an Exchange Online mailbox is:

New-Mailbox -Alias john.doe -Name john.doe -FirstName John -LastName Doe -DisplayName "John Doe" -MicrosoftOnlineServicesID john.doe@example.com -Password xxxxxxxxxx -ResetPasswordOnNextLogon $true

Please refer to this article for the correct parameters to use with the New-Mailbox command.

Step 1: Store the PowerShell Command in an AD Attribute

Add a field mapping in Connect to AD for the attribute that will store the PowerShell command. We’ll use extensionAttribute1.

Enable conditional expressions and apply the following logic:

WHEN
IsInsert
THEN
$"New-Mailbox -Alias {Person.PreferredName}.{Person.LastName} -Name {Person.PreferredName}.{Person.LastName} -FirstName {Person.PreferredName} -LastName {Person.LastName} -DisplayName '{Person.PreferredName} {Person.LastName}' -MicrosoftOnlineServicesID {Person.PreferredName}.{Person.LastName}@example.com -Password {User.password} -ResetPasswordOnNextLogon $true"

and

WHEN
IsUpdate
THEN
Ignore

This ensures that when a new user is added to AD, the appropriate PowerShell command is stored in extensionAttribute1.

Step 2: Execute the Stored Command via PowerShell

Create and schedule a PowerShell script that will:

  • Read all user records containing a stored PowerShell command.
  • Execute the stored PowerShell command.
  • Log responses and errors (optional).
  • Clear the command after execution to prevent repeated execution.
  • Ensure Connect to AD does not continuously inject the command into the user record.

PowerShell Script Template (Example Only)

Use the following PowerShell script as a template to build upon:

# make errors raised by the executed command terminating so the catch block below runs
$ErrorActionPreference = 'Stop'

# get all users that have a PowerShell command to execute
# (-like "*" matches records where extensionAttribute1 is set; a quoted '$null' is not a reliable test)
$users = Get-ADUser -Properties extensionAttribute1, extensionAttribute2 -Filter 'extensionAttribute1 -like "*"' -SearchBase "OU=ONB,DC=pizza,DC=com" |
    Select-Object userPrincipalName, sAMAccountName, extensionAttribute1, extensionAttribute2

# for each user that has a PowerShell command to execute
foreach ($user in $users) {

    Write-Host $user.userPrincipalName
    Write-Host $user.sAMAccountName
    Write-Host $user.extensionAttribute1

    try
    {
        # execute the PowerShell command (as is) stored in the attribute
        Invoke-Expression $user.extensionAttribute1

        # the command ran correctly - clear the attribute so that it does not get executed again and again
        # (a deletion command removes the object, so only clear when the account still exists)
        if (Get-ADUser -LDAPFilter "(sAMAccountName=$($user.sAMAccountName))") {
            Set-ADUser -Identity $user.sAMAccountName -Clear "extensionAttribute1"
        }
    }
    catch
    {
        # there was an issue executing the command; record the error on the user record
        Write-Host 'Error while executing script for' $user.sAMAccountName '-' $_
        Set-ADUser -Identity $user.sAMAccountName -Replace @{extensionAttribute2=$($_.Exception.Message)}
    }

    Write-Host
}


Please note that the PowerShell script template above is shown for informational purposes only and that we cannot assist with any requests related to the PowerShell script building or functionality.
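Because the template above passes whatever is stored in extensionAttribute1 to Invoke-Expression, any principal with write access to that attribute can run code under the scheduled task's identity, and the Scenario 2 expression places the new user's password in an attribute that is typically readable by authenticated users. The following is an added example, not the article's template or a UKG-supplied script: it replays only commands that match an allow-list (the Scenario 1 deletion is shown), checks that the target is the record's own UPN, and calls the cmdlet with typed parameters instead of Invoke-Expression. The log path is an assumed placeholder.

```powershell
# Added example: allow-list dispatcher for commands staged in extensionAttribute1.
Import-Module ActiveDirectory

$SearchBase = 'OU=ONB,DC=pizza,DC=com'            # search base from the article
$LogFile    = 'C:\Logs\ConnectToAD-commands.log'  # assumed log location

# Allow-list: regex -> handler. Only the Scenario 1 deletion command is registered here.
$Handlers = @{
    '^Remove-ADUser -Identity (?<target>\S+) -Confirm:\$False$' = {
        param($Match, $User)
        # The staged command may only act on the record it is stored on.
        if ($Match['target'] -ine $User.UserPrincipalName) {
            throw "target mismatch: $($Match['target'])"
        }
        Remove-ADUser -Identity $User.DistinguishedName -Confirm:$false -ErrorAction Stop
    }
}

function Invoke-StoredCommand {
    param($User)
    $cmd = $User.extensionAttribute1.Trim()
    foreach ($pattern in $Handlers.Keys) {
        if ($cmd -match $pattern) {
            & $Handlers[$pattern] $Matches $User   # typed replay, never Invoke-Expression
            return
        }
    }
    throw "command not on allow-list: $cmd"
}

$users = Get-ADUser -Filter 'extensionAttribute1 -like "*"' -SearchBase $SearchBase `
                    -Properties extensionAttribute1

foreach ($user in $users) {
    $stamp = Get-Date -Format 's'
    try {
        Invoke-StoredCommand -User $user
        Add-Content $LogFile "$stamp OK $($user.SamAccountName): $($user.extensionAttribute1)"
        # Clear the attribute only if the object still exists (a deleted user has nothing to clear).
        if (Get-ADUser -LDAPFilter "(sAMAccountName=$($user.SamAccountName))" -SearchBase $SearchBase) {
            Set-ADUser -Identity $user.SamAccountName -Clear extensionAttribute1 -ErrorAction Stop
        }
    }
    catch {
        # Leave extensionAttribute1 in place so a rejected or failed command stays visible for review.
        Add-Content $LogFile "$stamp FAIL $($user.SamAccountName): $($_.Exception.Message)"
        Set-ADUser -Identity $user.SamAccountName -Replace @{extensionAttribute2 = $_.Exception.Message}
    }
}
```

A rejected command is logged and left in the attribute rather than executed, so a mismatch between Connect to AD's output and the allow-list surfaces during review instead of silently running.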

References

How to Create a PowerShell Scheduled Task
