Logging Changes Made by PowerShell Script to Change History Database

If you are using the Quest cmdlets, you can add a -Control @{'OperationReason'="Reason text"}

So for example:

Set-QADUser -proxy -identity JSmith -Description "My new description" -Control @{'OperationReason'="A script changed this"}

Thank you for the prompt response.

One of the operations my scripts perform is to set the "User cannot change password" attribute to True.  From my research, setting this attribute cannot be done using Set-QADUser.  I'm using Add-QADPermission -Identity DN -Account SELF,Everyone -ExtendedRight "User-Change-Password" -Deny -ApplyTo ThisObjectOnly to change that attribute.

Is there a method I can use to log that change as well?

You can actually set that flag as follows:

set-qaduser -proxy -identity jsmith -objectattributes @{edsausercannotchangepassword=$true} -Control @{'OperationReason'="Set by script"}

BTW, the -Control switch I have used in the above examples is usable with any of the Quest cmdlets assuming that you are also using the '-proxy' switch (which means that the cmdlet is being executed via the Active Roles server).  You can implement -proxy right in each cmdlet OR (better), once at the top of your script:

Connect-QADService -proxy

Thank you very much for the prompt and thorough explanations.  I've completed my testing and your recommendations give me exactly what I need.

Thank you very much for the prompt and thorough explanations.  I've completed my testing and your recommendations give me exactly what I need.