Using PowerShell for active directory management


Slides used at Bangalore IT Pro BarCamp on 18th December 2010

  • $users = [ADSI]"LDAP://cn=users,dc=barcamp,dc=in"

    [ADSI] can get quite verbose as we start doing advanced tasks.
  • Get-ADForest BarCamp.in
    Get-ADForest -Current LoggedOnUser
    Get-ADForest -Current LocalComputer

    Set-ADForest can be used to change Authentication Type, UPNSuffixes and SPNSuffixes (default is Negotiate; Basic requires SSL).

    Set-ADForestMode changes the forest functional mode.
    Set-ADForestMode -Identity -ForestMode Windows2008R2Forest

    Possible values for this parameter are:
      Windows2000Forest or 0
      Windows2003InterimForest or 1
      Windows2003Forest or 2
      Windows2008Forest or 3
      Windows2008R2Forest or 4

    Get-ADDomain
    Set-ADDomainMode -DomainMode Windows2008R2Domain
      Windows2000Domain or 0
      Windows2003InterimDomain or 1
      Windows2003Domain or 2
      Windows2008Domain or 3
      Windows2008R2Domain or 4
  • # To get specific user details
    Get-ADUser -Identity "Ravikanth"
    # To filter by user name
    Get-ADUser -Filter 'Name -like "Ravi*"'
    # To filter from a selected OU
    Get-ADUser -Filter * -SearchBase "CN=Users,DC=BarCamp,DC=in"
    # To see properties beyond the default set
    Get-ADUser -Filter 'Name -like "Admin*"' -Properties Description
    # To see all properties
    Get-ADUser "Ravikanth" -Properties *
    # Create a new user; the password is read as a SecureString prompt
    New-ADUser -Name "Bill Gates" -SamAccountName "BillG" -GivenName "Bill" -Surname "Gates" `
        -DisplayName "Bill Gates" -Path 'CN=Users,DC=BarCamp,DC=in' `
        -OtherAttributes @{'Title'="God at Microsoft"} `
        -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true
    # Change user properties
    Set-ADUser Ravikanth -City Bangalore -Replace @{title="PowerShell MVP";Description="Is a part of Domain Users"}
    Set-ADUser Ravikanth -Clear Description
    # Remove user account
    Remove-ADUser "Rchaganti"
    # Disable account
    Disable-ADAccount -Identity Ravikanth
    # Enable account
    Enable-ADAccount -Identity Ravikanth
    # Set account expiry date
    Set-ADAccountExpiration -Identity Ravikanth -DateTime "12/31/2010"
    # Clear account expiry
    Clear-ADAccountExpiration -Identity Ravikanth
    # Set account password
    Set-ADAccountPassword -Identity Ravikanth `
        -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Warri0r@" -Force)
    # Unlock account
    Unlock-ADAccount Ravikanth
  • # Get AD group
    Get-ADGroup "Domain Users"
    Get-ADGroup -Filter *
    # New AD group
    New-ADGroup -Name "Bitpro" -SamAccountName "Bitpro" -GroupScope Global -Path "DC=BarCamp,DC=in"
    # Remove AD group
    Remove-ADGroup -Identity BITPro -Confirm
    # Get AD group members
    Get-ADGroupMember -Identity Administrators
    # Add a user to a group
    Add-ADGroupMember -Identity DemoUsers -Members Ravikanth
    # Remove group members
    Remove-ADGroupMember -Identity DemoUsers -Members Ravikanth
  • # OU
    Get-ADOrganizationalUnit -Filter *
    Get-ADOrganizationalUnit -Filter * -Properties *
    # Create OU
    New-ADOrganizationalUnit -DisplayName "DemoOU" -Name "DEMOOU" -Path "DC=BarCamp,DC=in"
  • # Get AD service accounts
    Get-ADServiceAccount -Filter *
    # New AD service account
    New-ADServiceAccount -Name DemoService -DisplayName "Demo Service Account" `
        -Path "OU=DEMOOU,DC=BarCamp,DC=in" `
        -AccountPassword (ConvertTo-SecureString -AsPlainText "Warri0r@" -Force)
    # Remove AD service account
    Remove-ADServiceAccount DemoService
    # Install AD service account
    Install-ADServiceAccount DemoService
    # Uninstall AD service account
    Uninstall-ADServiceAccount DemoService
    # Reset AD service account password
    Reset-ADServiceAccountPassword -Identity DemoService
  • # Enable Recycle Bin
    Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target ''
    # Restore AD object from Recycle Bin
    Get-ADObject -Filter 'samaccountname -eq "rchaganti"' -IncludeDeletedObjects
    Get-ADObject -Filter 'samaccountname -eq "rchaganti"' -IncludeDeletedObjects | Restore-ADObject
  • $user = Get-ADObject -Filter "SamAccountName -eq 'RChaganti'"
    $user | Move-ADObject -TargetPath "CN=Users,DC=BarCamp,DC=in"
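The Set-ADAccountPassword and New-ADServiceAccount notes above put the new password in the script as a string literal, where it ends up in source files, history and transcripts. An added example, not from the original slides, of the same reset with the password taken as a masked SecureString prompt and a forced change at next logon; Reset-UserPassword is a hypothetical helper name.

```powershell
# Added example; Reset-UserPassword is a hypothetical helper, not an ActiveDirectory module cmdlet.
Import-Module ActiveDirectory

function Reset-UserPassword {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,

        # Mandatory SecureString: when omitted, PowerShell prompts with masked input,
        # so the password is never typed into a script or onto the command line.
        [Parameter(Mandatory = $true)]
        [System.Security.SecureString]$NewPassword
    )

    # Get-ADUser throws for an unknown identity, so a typo stops here.
    $user = Get-ADUser -Identity $Identity -Properties LockedOut, PasswordNeverExpires -ErrorAction Stop

    # Honors -WhatIf and -Confirm before anything is changed.
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) { return }

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword -ErrorAction Stop

    if ($user.PasswordNeverExpires) {
        # ChangePasswordAtLogon cannot be set to true while PasswordNeverExpires is true.
        Write-Warning "$($user.SamAccountName) has PasswordNeverExpires set; no change at logon was forced."
    } else {
        # The operator who performed the reset should not keep a working password.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
}

# Usage: prompts for the password with masked input; add -WhatIf for a dry run.
# Reset-UserPassword -Identity Ravikanth
```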

    1. PowerShell for Managing Active Directory
         Ravikanth C
    2. About me
         • Lead Engineer at Dell
         • Windows PowerShell MVP
         • Developer on several PowerShell projects on Codeplex
         • Author of
         • Free eBook: Layman's guide to PowerShell 2.0 remoting
         • Co-author on Quest's SharePoint 2010 & PowerShell cheat sheet
         • Blog at
         • Founder & editor of PowerShellFromIndia
         • More details on this soon
    3. Giving away..
         • Two copies (eBook) of Managing Active Directory with Windows PowerShell: TFM (thanks to Sapien Press)
         • One copy (eBook) of Windows PowerShell Cookbook (thanks to O'Reilly Media)
    4. PowerShell for Active Directory
         • [ADSI] adapter: in-box
         • Windows Server 2008 R2 includes a PowerShell module: in-box
         • Quest Software ActiveRoles Management Shell: free download
         • Softerra Adaxes 2010.2: commercial product
         • Idera Scripts for Active Directory: free; uses [ADSI]
    5. PowerShell for Active Directory
         Microsoft cmdlets
           • PowerShell 2.0 only
           • Require AD Management Gateway for managing pre-Windows 2008 R2 DC
           • Cannot manage local LDS on Windows 7
           • Cannot manage terminal services attributes
         Quest cmdlets
           • Version independent
           • Support Windows 2003, 2008, and 2008 R2 DC management
           • Can manage Windows 7 local LDS
           • Can manage terminal services attributes
    6. Microsoft cmdlets for Active Directory
         • In-box from Windows Server 2008 R2 onwards
         • Get enabled by
             • Installing AD DS or LDS server roles, or
             • Running DCPromo.exe, or
             • Installing RSAT on Windows Server 2008 R2 or Windows 7
         • To access AD cmdlets
             • Start->Administrative Tools->Active Directory Module for Windows PowerShell, or
             • Import-Module ActiveDirectory
         • To list AD cmdlets
             • Get-Command -Noun AD*, or
             • Get-Command -Module ActiveDirectory
    7. Managing down level servers
         • Requires AD Management Gateway Services
         • AD PowerShell cmdlets & ADAC use AD web services to administer directory
         • Available for Windows 2003 R2 with SP2, 2003 SP2, 2008, 2008 SP2

       Microsoft cmdlets for Active Directory
         Cmdlets can be grouped under
           • Forests & Domains
           • User & Computer accounts
           • Groups
           • Password Policies
           • OU tasks
           • Service Accounts
           • Schema Tasks
    10. Forest & Domains
         • Get-ADForest
         • Set-ADForest
         • Set-ADForestMode
         • Get-ADDomain
         • Set-ADDomainMode
    11. User Accounts
         • Get-ADUser
         • New-ADUser
         • Set-ADUser
         • Remove-ADUser
         • Disable-ADAccount
         • Enable-ADAccount
         • Set-ADAccountExpiration
         • Clear-ADAccountExpiration
         • Set-ADAccountPassword
         • Unlock-ADAccount
    12. Groups
         • Get-ADGroup
         • New-ADGroup
         • Set-ADGroup
         • Remove-ADGroup
         • Get-ADGroupMember
         • Add-ADGroupMember
         • Remove-ADGroupMember
    13. OU tasks
         • Get-ADOrganizationalUnit
         • New-ADOrganizationalUnit
    14. Service Accounts
         • Get-ADServiceAccount
         • New-ADServiceAccount
         • Set-ADServiceAccount
         • Install-ADServiceAccount
         • Uninstall-ADServiceAccount
         • Reset-ADServiceAccountPassword
    15. AD Recycle Bin
         • Enable AD Optional Feature: "Recycle Bin Feature"
             • This is an irreversible action
         • Restore-ADObject to restore deleted objects
    16. Moving an AD Object
         • Use Get-ADObject to get an instance
         • Pipe it to Move-ADObject and specify new location as a value to -TargetPath
    17. Learning Resources – PowerShell for AD
         • Cmdlet reference
         • Book: Managing Active Directory with PowerShell: TFM
         • AD cmdlets quick reference guide
         • Adaxes Cmdlets
         • Quest Cmdlets
         • Idera PowerShell Scripts
         • ADMGS for down level servers
    18. Learning resources - PowerShell
         • Getting started guide
         • PowerShell Learning center
         • The scripting Guys blog
         • PowerScripting Podcast
         • free online eBook
    19. Q & A
         Thanks
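Slide 15 notes that enabling the Recycle Bin is irreversible, and the restore pipeline in the slide notes filters only on samaccountname. An added example, not from the original deck, that reports the feature state before anything is enabled and restores only a single, unambiguous deleted object. Test-RecycleBinReady and Restore-DeletedAccount are hypothetical helper names, and the mode value 4 is the Windows2008R2Forest number listed in the notes.

```powershell
# Added example; Test-RecycleBinReady and Restore-DeletedAccount are hypothetical helper names.
Import-Module ActiveDirectory

function Test-RecycleBinReady {
    # Enabling the feature cannot be undone, so report the current state first
    # instead of calling Enable-ADOptionalFeature blindly.
    $forest  = Get-ADForest -Current LoggedOnUser
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    New-Object PSObject -Property @{
        Forest  = $forest.Name
        ModeOk  = ([int]$forest.ForestMode -ge 4)   # 4 = Windows2008R2Forest
        Enabled = [bool]($feature -and @($feature.EnabledScopes).Count -gt 0)
    }
}

function Restore-DeletedAccount {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Restrict the name to a safe character set so it cannot alter the filter string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._$-]+$')]
        [string]$SamAccountName
    )
    if (-not (Test-RecycleBinReady).Enabled) {
        throw 'Recycle Bin Feature is not enabled in this forest.'
    }
    # isDeleted keeps a live account with the same name out of the restore pipeline.
    $filter  = 'samAccountName -eq "{0}" -and isDeleted -eq $true' -f $SamAccountName
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties whenChanged, lastKnownParent)

    if ($deleted.Count -eq 0) { Write-Warning "No deleted object named $SamAccountName."; return }
    if ($deleted.Count -gt 1) {
        # The same name can be deleted more than once; make the operator pick one by ObjectGUID.
        $deleted | Select-Object ObjectGUID, whenChanged, lastKnownParent
        Write-Warning 'Several deleted objects match; restore one with Restore-ADObject -Identity <ObjectGUID>.'
        return
    }
    if ($PSCmdlet.ShouldProcess($deleted[0].DistinguishedName, 'Restore-ADObject')) {
        $deleted[0] | Restore-ADObject -PassThru
    }
}
```

Run `Test-RecycleBinReady` before deciding to enable the feature, and `Restore-DeletedAccount -SamAccountName rchaganti -WhatIf` to preview a restore.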