Powershell Jump Start
Transcript Powershell Jump Start
The ActiveDirectory Module
2008R2 and 2012
Written and Delivered by:
Gary Siepser
Premier Field Engineering
A Customer Service and Support Organization
AD Module Prerequisites
Server Side (We need AD Web Services)
At least one 2008 R2 or 2012 DC in the targeted domain, OR
A 2003 or 2008 DC running the Active Directory Management Gateway Service
Client Side (We need the AD PowerShell Module)
OS Requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
Windows 7 and 8: Install current Remote Server Administration Tools
On Server versions, RSAT already present, just add feature
Add the ActiveDirectory Module either through the Add/Remove Features GUI or
using PowerShell:
Install-WindowsFeature RSAT-AD-Powershell
To actually use the cmdlets, the module must be imported.
On PowerShell v2: Import-Module ActiveDirectory
On PowerShell v3: you can still import manually, but v3 automatically imports a module the first time you use one of its commands.
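The client-side and server-side prerequisites above can be checked from one script before anyone starts automating against the directory. This is an added example, not part of the deck; it assumes a domain-joined machine and uses Get-ADDomainController -Discover -Service ADWS to confirm that at least one DC offers Active Directory Web Services (the dependency the server-side bullet describes).

```powershell
# Added example: verify AD module prerequisites before using the cmdlets.
# Assumes a domain-joined Windows 7/2008 R2 or later machine.

# 1. Is the module installed locally?
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server
    if ($os.ProductType -eq 1) {
        Write-Warning 'Client OS: install the current RSAT package, then enable the AD module feature.'
        return
    }
    # Server OS: the RSAT bits are already present, just add the feature.
    # Add-WindowsFeature is the 2008 R2 name; Install-WindowsFeature on 2012.
    Import-Module ServerManager
    Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
}

# 2. Import explicitly so the script also behaves on PowerShell v2,
#    which does not auto-load modules.
Import-Module ActiveDirectory

# 3. Is there a DC in the current domain offering AD Web Services?
#    Without ADWS the module has nothing to talk to (port 9389).
$adws = Get-ADDomainController -Discover -Service ADWS -ErrorAction SilentlyContinue
if ($adws) {
    "AD Web Services found on $($adws.HostName)"
} else {
    Write-Warning 'No DC with AD Web Services discovered; the AD module cannot connect.'
}
```

On a 2003 or 2008 domain, the discovery step succeeds only once the Active Directory Management Gateway Service is installed on a DC, which is exactly the condition the prerequisite slide states.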
Microsoft Confidential
New AD Cmdlets
The current set of AD PowerShell cmdlets can be classified into categories:
Account Management
Topology management
Directory object management
Provider cmdlets
New with Server 2012
Active Directory Replication and Topology Management
Using Windows PowerShell
Installing AD DS Using Windows PowerShell
Removing AD DS Using Windows PowerShell
New AD Cmdlets
In the account management set we have cmdlets that:
Create, delete, write and read users, groups, computers, managed service accounts and organizational units (OUs).
Manage account settings such as expiration date, password, etc.
Manage group membership, get account token groups.
Manage fine-grained password policy and the default domain password policy.
New AD Cmdlets
In the topology management set we have cmdlets that:
Discover DCs, manage FSMOs, move DCs across sites and get DC info.
Manage the password replication policy of RODCs.
Manage domain and forest, set forest and domain functional level.
Manage optional features.
New AD Cmdlets
In the directory object management set we have cmdlets that:
Create, delete, write and read all types of AD object.
Move, rename and restore AD objects.
In the Provider cmdlets set we have cmdlets that enable file-system-like browsing of Active Directory through a PSDrive.
New AD Cmdlets (new for 2012)
The Active Directory Replication and Topology Management cmdlets manage:
Replication
Sites
SiteLinks
Similar functionality to RepAdmin.exe.
In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, thus creating a streamlined experience and allowing customers to easily create automation scripts.
New AD Cmdlets (new for 2012)
Installing AD DS Using Windows PowerShell
Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012.
Removing AD DS Using Windows PowerShell
Uninstall-ADDSDomainController for removal of a domain controller.
Deployment (install and uninstall) cmdlets are in the ADDSDeployment module.
Getting Help with the Module
PSv3 introduces Updatable Help
No help is included with the cmdlets; it needs to be updated from the internet.
Tricky with no direct internet connection.
Can be done offline (Save-Help on a connected machine, then Update-Help on the target).
The internet-connected machine will only Save-Help for modules it has.
The deployment module only runs on a DC.
The internet-connected machine likely won't have the module, thus no "off-line" help update (copying the module manifest can make this work).
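The offline procedure described above, written out end to end. This is an added example, not the deck's own code: the share name \\fileserver\PSHelp is assumed, and the ADDSDeployment manifest path is the standard location for built-in modules, which is assumed to have been copied over from a DC as the slide suggests.

```powershell
# Added example: stage updatable help on an internet-connected machine,
# then apply it on an isolated DC. Share name is an assumption.

# --- On the internet-connected machine (has the ActiveDirectory module) ---
$HelpShare = '\\fileserver\PSHelp'
Save-Help -Module ActiveDirectory -DestinationPath $HelpShare -UICulture en-US -Force

# ADDSDeployment exists only on a DC, so Save-Help cannot see it here by default.
# Copying just the module manifest (.psd1, which carries the HelpInfoURI) from a
# DC into a PSModulePath folder is enough for Save-Help to locate the download.
$Manifest = 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADDSDeployment\ADDSDeployment.psd1'
if (Test-Path $Manifest) {
    Save-Help -Module ADDSDeployment -DestinationPath $HelpShare -UICulture en-US -Force
} else {
    Write-Warning 'ADDSDeployment manifest not present; copy it from a DC first.'
}

# --- On the DC with no internet access (run elevated) ---
Update-Help -Module ActiveDirectory, ADDSDeployment -SourcePath $HelpShare -UICulture en-US -Force
```

Update-Help writes into the module folders under System32, so it must run from an elevated session; Save-Help only needs write access to the share.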
Connecting the Cmdlets to AD
You don't need to do anything to connect to AD with default settings.
PSDrives do add some convenience:
When you load the AD PowerShell module (Import-Module ActiveDirectory), a default basic AD drive is created: AD:
Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, or alternate credentials to AD.
Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets.
Example default GC connection drive:
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"
On a cmdlet-by-cmdlet basis you can also control these same connection-related settings.
Key Concept: Object Output from the Cmdlets
Cmdlets return objects with limited properties by default.
Use the -Properties parameter to specify additional properties to bring back
(i.e. '-Properties office' or '-Properties *').
Many account management cmdlets return objects whose default formatting is a list. Tables tend to be easier to read, so often you must pipe to Format-Table to get readable results
(i.e. Get-ADUser -Filter * | Format-Table Name,GivenName -AutoSize)
Key Concept: The -Identity Parameter
The -Identity parameter is the default parameter and sits at position 1.
It is used to target a single object.
The eligible attributes vary by object type.
Example for the ADUser object:
Distinguished Name
GUID (objectGUID)
Security Identifier (objectSid)
SAM Account Name (sAMAccountName)
More details in: Get-Help about_ActiveDirectory_Identity
This help topic is only viewable while the module is loaded.
Key Concept: The -LDAPFilter Parameter
This parameter allows native LDAP filters.
Can use filters created with other tools.
LDAP filters use an odd syntax if you aren't already familiar with it.
Must use actual attribute names from AD.
Unless you are re-using old filters, or are already familiar with this syntax, I recommend using the -Filter parameter instead of -LDAPFilter.
Ex:
Get-ADUser -LDAPFilter "(givenname=g*)"
Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"
Key Concept: The –Filter Parameter
This is a more PowerShell-like syntax that resembles the syntax of Where-Object.
Details can be found in the help topic: about_ActiveDirectory_Filter
We have more user-friendly names for attributes that can be used, though actual AD attribute names can also be used
(to see all the friendly and AD names see: about_ActiveDirectory_ObjectModel).
Limited operators are supported.
Ex:
Get-ADUser -Filter {surname -eq "Siepser"}
AD Provider
The AD Provider is available once the AD module is imported:

PS C:\> Get-PSProvider

Name              Capabilities   Drives
----              ------------   ------
ActiveDirectory   Include...     {AD}

Use common Provider cmdlets to manage the AD drive:

PS C:\> Set-Location AD:
PS AD:\> dir

Name             ObjectClass     DistinguishedName
----             -----------     -----------------
contoso          domainDNS       DC=contoso,DC=com
Configuration    configuration   CN=Configuration,DC=contoso,DC=com
Schema           dMD             CN=Schema,CN=Configuration,DC=contoso,DC=com
DomainDnsZones   domainDNS       DC=DomainDnsZones,DC=contoso,DC=com
ForestDnsZones   domainDNS       DC=ForestDnsZones,DC=contoso,DC=com

PS AD:\> cd "DC=contoso,DC=com"
PS AD:\DC=contoso,DC=com\> dir | ft PSChildName
PS AD:\DC=contoso,DC=com\> md "OU=Test"
PS AD:\DC=contoso,DC=com\> cd "OU=Test"
PS AD:\OU=Test,DC=contoso,DC=com\>
User Account Management Examples

Create User:
New-ADUser -Name jpublic -SamAccountName "jpublic" `
    -GivenName "John" -Surname "Public" -DisplayName "John Public"
Import-Csv c:\pristine.csv | New-ADUser -Office Miami

Query Users:
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData
Get-ADUser -Filter {office -eq 'Los Angeles'}

Modify User:
Set-ADUser -Identity "jpublic" -Title "Engineer"
(-Identity targets a single AD object only!)
Get-ADUser -Filter {office -eq 'Miami'} | Set-ADUser -Office MIA

Delete User:
Remove-ADUser jpublic
Get-ADUser -Filter {office -eq 'Miami'} | Remove-ADUser
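The Import-Csv | New-ADUser pipeline above relies on the CSV column names matching parameter names and leaves everything else at defaults. The added example below (not from the deck) fills in what that pipeline omits: without -AccountPassword, New-ADUser creates a disabled account, so it sets a per-user initial password, forces a change at first logon and enables the account; -WhatIf previews the result before anything is written. The CSV content, OU path and UPN suffix are constructed for the example.

```powershell
# Added example: bulk user creation from CSV with the account state made explicit.
# CSV content, OU and UPN suffix below are constructed for illustration.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web    # for Membership.GeneratePassword

$Csv = @'
SamAccountName,GivenName,Surname,Office
jpublic,John,Public,Miami
asmith,Alice,Smith,Miami
'@

$TargetOU  = 'OU=Users,OU=Miami,DC=contoso,DC=com'   # assumed OU
$UpnSuffix = 'contoso.com'                           # assumed UPN suffix

$Csv | ConvertFrom-Csv | ForEach-Object {
    # 16-character random initial password with at least 3 non-alphanumerics.
    # The user is forced to replace it at first logon.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)

    $params = @{
        Name                  = "$($_.GivenName) $($_.Surname)"
        SamAccountName        = $_.SamAccountName
        UserPrincipalName     = "$($_.SamAccountName)@$UpnSuffix"
        GivenName             = $_.GivenName
        Surname               = $_.Surname
        DisplayName           = "$($_.GivenName) $($_.Surname)"
        Office                = $_.Office
        Path                  = $TargetOU
        AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true      # default would be a disabled account
    }

    # Remove -WhatIf once the preview output looks right
    New-ADUser @params -WhatIf

    # Return the initial credential for out-of-band delivery to the user;
    # do not write this object to a shared log.
    New-Object PSObject -Property @{
        SamAccountName  = $_.SamAccountName
        InitialPassword = $initial
    }
}
```

Splatting a hash table keeps the long parameter list readable and makes it easy to add or drop attributes per environment; the CSV columns only need to supply the values that differ per user.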
Computer Account Management Examples

Computer Information:
Get-ADComputer -Filter * -Properties name,OperatingSystem,`
    OperatingSystemServicePack,OperatingSystemVersion | Out-GridView

Find Stale Computer Accounts:
$OneYearAgo = (Get-Date).AddYears(-1)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount
OR
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180
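A stale-account clean-up is usually run as a report first and an action second. The added example below (not the deck's code) does that with the Search-ADAccount query above: it drops accounts that are already disabled, skips freshly created machines that have simply never logged on, writes a CSV for review, and only then disables (not deletes) the remainder behind -WhatIf. Bear in mind that LastLogonTimeStamp is replicated lazily, only when the stored value is more than 9 to 14 days old, so inactivity windows under that slack are meaningless. The report path is an assumption.

```powershell
# Added example: stale computer report, then a reversible disable step.
# Report path is an assumption.
Import-Module ActiveDirectory

$Inactive = [TimeSpan]::FromDays(180)
$Cutoff   = (Get-Date).Subtract($Inactive)

$Stale = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan $Inactive |
    Where-Object { $_.Enabled } |                        # already-disabled accounts need no action
    ForEach-Object {
        # Pull the attributes the report needs; Search-ADAccount returns a thin object
        Get-ADComputer -Identity $_.DistinguishedName `
            -Properties LastLogonDate, OperatingSystem, whenCreated
    } |
    Where-Object { $_.whenCreated -lt $Cutoff }          # skip new machines that never logged on

$Stale |
    Select-Object Name, OperatingSystem, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path 'C:\Reports\StaleComputers.csv' -NoTypeInformation

"$(@($Stale).Count) stale computer account(s) written to the report"

# Disable rather than delete so the change can be undone with Enable-ADAccount.
# Remove -WhatIf after reviewing the CSV.
$Stale | Disable-ADAccount -WhatIf
```

LastLogonDate is the module's friendly, already-converted view of LastLogonTimeStamp, which is why it can be compared with a DateTime directly in the report.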
Group Management Examples

Enumerate Group:
Get-ADGroupMember IT              # only direct members of the group (includes groups)
Get-ADGroupMember IT -Recursive   # users in nested groups as well

Create Group:
New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
    -GroupScope "Global" -GroupCategory "Security"

Populate Group:
$ITUsers = Get-ADUser -Filter {Department -eq "IT"}
Add-ADGroupMember -Identity ITCommunications -Members $ITUsers
OR
$ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications
Group Management (continued)

Remove From Group:
$ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"
OR
Remove-ADGroupMember -Identity "IT" -Members $ITUsers

TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one call:
$OriginalConfirmPreference = $ConfirmPreference
$ConfirmPreference = "None"
Remove-ADGroupMember -Identity "IT" -Members $ITUsers
$ConfirmPreference = $OriginalConfirmPreference
OR
Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$false
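Setting $ConfirmPreference to None silences every confirmation in the session, including ones the script author did not anticipate. The PowerShell-native alternative, shown in this added example (not from the deck), is to put the removal in an advanced function with SupportsShouldProcess: callers get -WhatIf and -Confirm for free, the function asks once for the whole batch, and only that inner call passes -Confirm:$false. Group and department names are constructed for the example.

```powershell
# Added example: batch group removal with -WhatIf/-Confirm support,
# replacing per-member prompts with a single summary prompt.
Import-Module ActiveDirectory

function Remove-DepartmentGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$Department
    )

    # -Filter is really a string; the string form makes variable use explicit.
    # $Department is assumed not to contain a single quote.
    $members = @(Get-ADUser -Filter "Department -eq '$Department'")
    if ($members.Count -eq 0) {
        Write-Verbose "No users found with Department '$Department'"
        return
    }

    $action = "Remove $($members.Count) user(s) with Department '$Department'"
    if ($PSCmdlet.ShouldProcess($GroupName, $action)) {
        # Our own ShouldProcess already asked (or -WhatIf already reported),
        # so suppress the cmdlet's per-call prompt here only.
        Remove-ADGroupMember -Identity $GroupName -Members $members -Confirm:$false
    }
}

# Preview only: reports what would be removed, changes nothing
Remove-DepartmentGroupMembers -GroupName 'IT' -Department 'IT' -WhatIf

# Apply, answering one prompt for the whole batch:
# Remove-DepartmentGroupMembers -GroupName 'IT' -Department 'IT'
```

Because ConfirmImpact is High, an interactive caller is prompted by default even without -Confirm, matching the behaviour of the AD cmdlets themselves; a scheduled run passes -Confirm:$false to the function instead of touching $ConfirmPreference.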
Multi-Valued Attributes
Example: OtherTelephone
A multi-valued attribute can contain a single value or multiple values.
Each value must be unique.
Use a hash table (key/value pairs), i.e. @{}

User Telephone Numbers:
New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" `
    -Name "Sales1" -SamAccountName "Sales1" `
    -UserPrincipalName "[email protected]" `
    -Department "sales" -OtherAttributes `
    @{otherTelephone="555-555-5555","123-456-7890"}
Set-ADUser -Identity jpublic `
    -Add @{otherTelephone="555-555-5555","123-456-7890"}
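Because every value in a multi-valued attribute must be unique, a -Add that repeats a value already present fails, which makes a naive re-run of a provisioning script error out. The added example below (not from the deck) shows the four write modes Set-ADUser offers for these attributes (-Add, -Remove, -Replace, -Clear) and wraps -Add in a helper that only sends values not yet stored. The user name is constructed.

```powershell
# Added example: idempotent maintenance of the multi-valued otherTelephone attribute.
Import-Module ActiveDirectory

function Add-UserOtherTelephone {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string[]]$Number
    )
    $user = Get-ADUser -Identity $Identity -Properties otherTelephone

    # Keep only values not already stored; -Add with a duplicate would fail.
    $existing = @($user.otherTelephone)
    $new = @($Number | Where-Object { $existing -notcontains $_ })

    if ($new.Count -gt 0) {
        Set-ADUser -Identity $Identity -Add @{ otherTelephone = $new }
    }

    # Return the attribute as it now stands
    (Get-ADUser -Identity $Identity -Properties otherTelephone).otherTelephone
}

# Safe to run repeatedly; second call adds nothing
Add-UserOtherTelephone -Identity jpublic -Number '555-555-5555', '123-456-7890'

# Remove one value and keep the rest
Set-ADUser -Identity jpublic -Remove @{ otherTelephone = '123-456-7890' }

# Replace the whole set in a single write
Set-ADUser -Identity jpublic -Replace @{ otherTelephone = '555-000-0001', '555-000-0002' }

# Empty the attribute entirely
Set-ADUser -Identity jpublic -Clear otherTelephone
```

-Replace is the right choice when the script owns the complete list, since it avoids the read-then-add race altogether; the helper pattern suits cases where other processes also write to the attribute.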
New Site Management (2012 Module)
To create a new site:
New-ADReplicationSite BRANCH1
This command creates the new branch office site, BRANCH1.
To create a new site link:
New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}
This command creates the site link to BRANCH1 and turns on the change notification process.
To set the site link cost and replication frequency:
Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15
This command sets the cost of the site link to BRANCH1 to 100 and the replication frequency over the link to 15 minutes.
To move a domain controller to a different site:
Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1
This command moves the domain controller DC2 to the BRANCH1 site.
Checking Replication Status (2012 Module)
Get-ADReplicationUpToDatenessVectorTable
Look at the "High Water Mark": the highest USN per server and replication partner.
The example below has great variance (the numbers are too far apart):

PS > Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Server,UsnFilter,Partner -AutoSize

Server                    UsnFilter Partner
------                    --------- -------
2012DC1.contoso.com           20796 CN=NTDS Settings,CN=2012DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com     22459 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC3.child.contoso.com     17039 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com     12777 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...
2012DC3.child.contoso.com     13260 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...

DC3 is not up to date; it is missing many new user accounts:

Replication Behind:
PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
4

Replication Caught Up:
PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
804
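Eyeballing the vector table works for three DCs; for more, the comparison above is worth scripting. This added example (not from the deck) groups the up-to-dateness vector by partner and flags partners whose UsnFilter differs too much between servers, then reads each DC's inbound partner metadata for consecutive failures or a stale last success, which is what the user-count probe above was testing by hand. The two thresholds are assumptions to be tuned to the domain's change rate.

```powershell
# Added example: automated replication health check from the 2012 module.
# Thresholds are assumptions.
Import-Module ActiveDirectory

$UsnSpreadLimit = 1000   # assumed: acceptable USN gap between servers for one partner
$MaxAgeHours    = 1      # assumed: oldest acceptable LastReplicationSuccess

# 1. Up-to-dateness vector: per partner, how far apart are the servers' high-water marks?
Get-ADReplicationUpToDatenessVectorTable -Target * |
    Group-Object Partner |
    ForEach-Object {
        $stats  = $_.Group | Measure-Object -Property UsnFilter -Maximum -Minimum
        $spread = $stats.Maximum - $stats.Minimum
        New-Object PSObject -Property @{
            Partner   = $_.Name
            Servers   = ($_.Group | ForEach-Object { $_.Server }) -join ', '
            UsnSpread = $spread
            Suspect   = ($spread -gt $UsnSpreadLimit)
        }
    } |
    Sort-Object UsnSpread -Descending |
    Format-Table Partner, UsnSpread, Suspect, Servers -AutoSize

# 2. Inbound replication results per DC and partition: failures or stale success
$StaleBefore = (Get-Date).AddHours(-$MaxAgeHours)
Get-ADReplicationPartnerMetadata -Target * -Partition * |
    Where-Object {
        $_.ConsecutiveReplicationFailures -gt 0 -or
        $_.LastReplicationSuccess -lt $StaleBefore
    } |
    Select-Object Server, Partition, Partner, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

A non-zero LastReplicationResult is a Win32 error code; the same codes repadmin reports, so existing runbooks for decoding them still apply.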
Domain Controller Deployment (2012 Server)
Separate PS module: ADDSDeployment

PS C:\> Get-Command -Module ADDSDeployment

CommandType   Name                                                ModuleName
-----------   ----                                                ----------
Cmdlet        Add-ADDSReadOnlyDomainControllerAccount             ADDSDeployment
Cmdlet        Install-ADDSDomain                                  ADDSDeployment
Cmdlet        Install-ADDSDomainController                        ADDSDeployment
Cmdlet        Install-ADDSForest                                  ADDSDeployment
Cmdlet        Test-ADDSDomainControllerInstallation               ADDSDeployment
Cmdlet        Test-ADDSDomainControllerUninstallation             ADDSDeployment
Cmdlet        Test-ADDSDomainInstallation                         ADDSDeployment
Cmdlet        Test-ADDSForestInstallation                         ADDSDeployment
Cmdlet        Test-ADDSReadOnlyDomainControllerAccountCreation    ADDSDeployment
Cmdlet        Uninstall-ADDSDomainController                      ADDSDeployment

Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)
In this example you would be prompted for the safe mode password and for the credentials used to actually join the domain as a DC. All prompts can be answered ahead of time (by passing the values as parameters) and thus suppressed.
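Answering the prompts ahead of time is how the promotion gets automated, but the safe mode (DSRM) password should never end up as plain text in the script or transcript. The added example below (not the deck's code) collects it as a SecureString, runs the Test-ADDSDomainControllerInstallation prerequisite check first, and only promotes when that check succeeds. Domain name, site name and result property names follow the ADDSDeployment cmdlets; the specific values are assumptions.

```powershell
# Added example: unattended DC promotion with a prerequisite dry run.
# Domain and site names are assumptions.
Import-Module ADDSDeployment

$DomainName = 'child.contoso.com'
$DomainCred = Get-Credential -Message 'Account permitted to add a DC to the domain'

# Read-Host -AsSecureString keeps the DSRM password out of the script file and
# out of any transcript; the cmdlets expect a SecureString for this parameter.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$Deploy = @{
    DomainName                    = $DomainName
    Credential                    = $DomainCred
    SafeModeAdministratorPassword = $DsrmPassword
    SiteName                      = 'BRANCH1'     # assumed, from the site management examples
    InstallDns                    = $true
    NoRebootOnCompletion          = $true         # reboot on the maintenance schedule, not immediately
}

# Dry run: checks prerequisites (credentials, DNS, site, schema) without changing anything
$result = Test-ADDSDomainControllerInstallation @Deploy
$result | Format-List Status, Message, Context

if ($result.Status -eq 'Success') {
    # -Force answers the remaining confirmation prompts; no other interaction is needed
    Install-ADDSDomainController @Deploy -Force
} else {
    Write-Warning "Prerequisite check failed; promotion not attempted."
}
```

The same hash table drives both the Test- and Install- cmdlets, so what was checked is exactly what gets deployed.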
Thank You
Go out there and deal with the prerequisites now.
Get the module ready to roll even if you don't use it much.
Once you get hooked on the "PowerShell" way, you'll probably start hating the GUI.
That doesn't mean you should avoid the GUI; you'll just find that language-based administration can really rock sometimes.
Play, play, play and discover all the other great nuggets I haven't found yet. This stuff is brand new.
Resources
Active Directory Administration with Windows PowerShell:
http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx
http://blogs.msdn.com/b/adpowershell/
Active Directory Replication and Topology Management Using Windows PowerShell
Installing AD DS Using Windows PowerShell
Removing AD DS Using Windows PowerShell
In the Dynamic Access Control deployment documentation, look for any sections that are labeled "Windows PowerShell equivalent commands".
In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller.