I’ve been doing some work recently with C# querying AD for locked out users. One of the requirements for this was to only show users that can be altered by the user running the program.
Fortunately there is a computed AD attribute available for this to do the job, called allowedAttributesEffective. Here is some sample code to check a user for attributes you can write to:
I’m making more of an effort to post useful snippets of PowerShell and other stuff, like custom ADMX templates to either my GitHub Gists, or to a GitHub repository I’ve set up for miscellaneous bits and bobs.
As I’ve improved with PowerShell, it’s become easier to write generalised scripts, rather than highly targeted ones, so that I can solve similar problems, or share pieces of scripts around more easily.
If you’d like to learn more about Windows PowerShell check out PowerShell.org and the PowerScripting Podcast, they are nice friendly places that are easy to navigate and full to the brim with good content.