-1

My situation:

I work at a help desk and have access to the server Active Directory is on. I do not have edit privileges. I am in control of inventory and need to have a way to get employee information more efficiently than navigating through the AD GUI.

I am here asking because I may or may not be able to utilize the information in the manner that I want. I do not want to waste my system admin's time asking him to do queries or CSV exports for me.

I want to use the CSV to create an "employee table" in SQL so that I only have to put in an employee name when issuing equipment and the name can be linked to this table with information from Active Directory. This would save a lot of trouble manually putting in information like office codes, addresses, etc.

My question:

Could I use queries in PowerShell in a read-only capacity to get the information I need in my database?

Is there any risk of actually altering the data without admin privileges?

Am I free to experiment and learn how to do queries against the data without fear of messing up with the wrong command? Am I explicitly protected against messing up since I don't have elevated privileges or is there any way I could mess something up?

user370480
  • In general, creating a copy of AD to query it in a different way is probably the wrong solution. Why not (use PowerShell to) query AD directly to retrieve the info you need on demand? - And yes, as a regular user you should be able to see other users, but you can only modify attributes associated with your own account. – HBruijn Aug 14 '16 at 19:42
  • Do you use Microsoft Excel by any chance? – Anubioz Aug 14 '16 at 22:46
  • @HBruijn 1. The database is currently a test and does not reside on the same server as AD, and I do not have access from an outside IP – user370480 Aug 20 '16 at 02:30
  • @HBruijn Yes, I do use Excel. – user370480 Aug 20 '16 at 02:31
  • @HBruijn I could query AD directly but I do not want to use server resources and also I want to maintain a record of equipment issues even for terminated users. – user370480 Aug 20 '16 at 02:32

1 Answer

1

One of the neat things about PowerShell is the standardization of verbs. The verb "Get" only retrieves information, and "Set" is used to make changes. This holds true in the ActiveDirectory module. As long as you stick with the "Get-" commands, you should be fine. For a list, run this from a PowerShell prompt:

Import-Module -Name ActiveDirectory
Get-Command -Module ActiveDirectory -Verb Get

All the "Set-" commands have "-Confirm" and "-WhatIf" parameters to help protect you as well; use them if you're trying to make changes to check before actually running them.

And as HBruijn says, importing the data into SQL might not be the best way, depending on where you're going with all this. It may be better to query both AD and your SQL inventory and match them up on the fly, rather than relying on copies of data that's pretty easily gotten directly from AD.

DarkMoon
  • Thank you for the information. Our company had half of a database but it was a pet project for the programmer. The database was left half done and I am in charge of making it look pretty so that it looks like everything was more or less kept in shape when we hand it over to a professional database company and to a different department. I want to wipe my hands of this and also use it as an opportunity to learn more about databases. It may be some time before we hand over so I want to make sure that all new entries are efficient, accurate, and up to spec while it has my name on it. – user370480 Aug 20 '16 at 02:35
  • Ok, then did I answer all of your questions? Or did you need more info? – DarkMoon Aug 20 '16 at 03:04
  • Thank you and sorry for the late reply. Yes that helped tremendously. – user370480 Sep 30 '16 at 00:50
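
A read-only export along the lines discussed above, as an added example that is not part of the original question or answer: it calls only Get-ADUser from the ActiveDirectory module and writes a CSV that can be loaded into an employee table. The function name, the output path and the choice of attributes are assumptions for illustration.

```powershell
# Added example: read-only export of AD user attributes to CSV.
# Requires the ActiveDirectory module; the only AD cmdlet used is Get-ADUser.
Import-Module -Name ActiveDirectory

function Export-EmployeeCsv {
    [CmdletBinding()]
    param(
        # Hypothetical output path; point it at a folder you own.
        [string]$Path = '.\employees.csv',
        # Optional distinguished name of an OU to limit the search.
        # Assumption: when left empty, the whole domain is searched.
        [string]$SearchBase
    )

    # Office and address attributes are not returned by default,
    # so they have to be requested by name.
    $props = 'Office', 'StreetAddress', 'City', 'State', 'PostalCode',
             'Department', 'Title', 'EmailAddress', 'EmployeeID'

    $query = @{ Filter = '*'; Properties = $props }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Stamp each row with the export date so later imports can be told apart,
    # including rows for accounts that have since been disabled or removed.
    $snapshot = Get-Date -Format 'yyyy-MM-dd'

    Get-ADUser @query |
        Select-Object @{ Name = 'SnapshotDate'; Expression = { $snapshot } },
                      ObjectGUID, SamAccountName, Name, Enabled,
                      Office, StreetAddress, City, State, PostalCode,
                      Department, Title, EmailAddress, EmployeeID |
        Sort-Object -Property Name |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Usage: writes employees.csv to the current directory.
Export-EmployeeCsv
```

ObjectGUID stays the same when an account is renamed, so it is a more stable key for linking rows in the SQL table than the employee name.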