
Active Directory Administration (cmdlets)
Microsoft Confidential
AD (cmdlets)
AD Module | Overview
• The AD PowerShell module is named ActiveDirectory
• It is a self-contained package that consolidates a group of cmdlets
• The cmdlets are used to manage one or more AD forests and domains
AD Module | Purpose
• Account
  • User
  • Computer
  • Group
  • OU
• Password Policy
  • Default domain password policy
  • Fine-grained password policy
• Forest & Domain
  • DC & FSMO
  • Optional Features
Cmdlets
AD Module Prerequisites
• At least one Windows Server 2008 R2 DC in the targeted domain
  OR
• A Windows Server 2003 or 2008 DC running the Active Directory Management Gateway Service
• Client: Windows 7 or Windows Server 2008 R2
  • Windows 7: Remote Server Administration Tools (RSAT) + the AD Module feature
  • Windows Server 2008 R2: AD Module via the Add Features Wizard
• Import the AD module into a PowerShell session with the Import-Module cmdlet:
  Import-Module ActiveDirectory
[Diagram] Active Directory Web Services (ADWS); clients: Windows 7 (RSAT, AD Module) and Windows Server 2008 R2 (AD Module)
Connecting To AD
• Binding to AD DN is required to work with AD objects
• By default the cmdlets connect to the local domain using the current user's credentials
• All 76 cmdlets have -Credential and -Server parameters
  • Use them to target other domains and specific servers
• A Global Catalog connection is possible by appending the GC port number to the server:
  Get-ADUser -Filter * -Server contoso.com:3268
TIP: Do not hardcode DC names in scripts! (Use the domain FQDN to discover a DC)
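The following is an added example, not part of the original deck, showing the tip above in practice: the DC is discovered from the domain FQDN with Get-ADDomainController rather than hardcoded, an explicit credential is collected once, and both are passed to every call so the script never silently falls back to the logged-on user and local domain. The domain name contoso.com is an assumed sample value.

```powershell
# Added example (not from the original deck). "contoso.com" is an assumed sample domain.
Import-Module ActiveDirectory

$domainFqdn = 'contoso.com'

# Ask the DC locator for a writable DC that runs ADWS, the service the AD module talks to.
# The result changes with site/availability, which is exactly why it should not be hardcoded.
$dc = Get-ADDomainController -Discover -DomainName $domainFqdn -Service ADWS -Writable
"Using DC $($dc.HostName) in site $($dc.Site)"

# Prompt once for an administrative credential instead of inheriting the session's identity.
$cred = Get-Credential -Message "Account for $domainFqdn"

# Pass -Server and -Credential explicitly on every cmdlet call.
Get-ADUser -Filter { Enabled -eq $true } -Server $dc.HostName -Credential $cred |
    Select-Object -First 5 Name, SamAccountName

# Global Catalog query: discover a GC the same way, then append port 3268 to its host name.
$gc = Get-ADDomainController -Discover -DomainName $domainFqdn -Service GlobalCatalog
Get-ADUser -Filter { Surname -like 'P*' } -Server "$($gc.HostName):3268" -Credential $cred |
    Select-Object Name, UserPrincipalName
```

The -Service parameter of Get-ADDomainController restricts discovery to DCs offering that role (ADWS or GlobalCatalog here), so a script targeting a domain without any 2008 R2 DC or Management Gateway Service fails at discovery with a clear error rather than on the first cmdlet.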
User Account Management | AD Cmdlets
Create User
New-ADUser -Name benp -SamAccountName "benp" `
    -GivenName "Ben" -Surname "Pearce" `
    -DisplayName "Ben Pearce"
Enumerate User
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * `
    -Properties *,msDS-ReplAttributeMetaData
Modify User
Set-ADUser -Identity "benp" -Title "Engineer"
(-Identity targets a single AD object only!)
Delete User
Remove-ADUser benp
Computer Account Management | AD Cmdlets
Computer Information
Get-ADComputer -Filter * `
    -Properties Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion `
    | Out-GridView
Find Stale Computer Accounts
$OneYearAgo = (Get-Date).AddYears(-1)
Get-ADComputer -Filter { LastLogonTimeStamp -lt $OneYearAgo } | Disable-ADAccount
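The one-liner above disables every match as soon as it is found. The following added example (not from the original deck) is the version a practitioner would run first: it discovers the DC, excludes domain controllers, exports the candidate list as an audit trail, and uses -WhatIf so the disable step is a dry run until that switch is removed. The domain name contoso.com and the CSV file name are assumed sample values.

```powershell
# Added example (not from the original deck). "contoso.com" and the CSV name are assumed values.
Import-Module ActiveDirectory

$domainFqdn = 'contoso.com'
$dc         = (Get-ADDomainController -Discover -DomainName $domainFqdn).HostName
$cutoff     = (Get-Date).AddDays(-365)

# lastLogonTimestamp is only written back when it is more than msDS-LogonTimeSyncInterval
# (14 days by default) out of date, so a value can understate the real last logon by up to
# two weeks; a one-year threshold leaves plenty of margin. Comparing on the raw FILETIME
# integer keeps the filter unambiguous.
$cutoffFt = $cutoff.ToFileTime()

# Domain controllers are never clean-up candidates: build the exclusion list up front.
$dcNames = (Get-ADDomainController -Filter * -Server $dc).Name

$stale = Get-ADComputer -Server $dc `
    -Filter "Enabled -eq 'True' -and LastLogonTimeStamp -lt $cutoffFt" `
    -Properties LastLogonTimeStamp, OperatingSystem |
    Where-Object { $dcNames -notcontains $_.Name } |
    Select-Object Name, OperatingSystem, DistinguishedName,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

# Record what is about to change before changing it.
$csv = "stale-computers-$(Get-Date -Format yyyyMMdd).csv"
$stale | Export-Csv -NoTypeInformation -Path $csv
"$($stale.Count) stale computer account(s) found; details in $csv"

# Dry run: -WhatIf prints what Disable-ADAccount would do without doing it.
# Remove -WhatIf only after the CSV has been reviewed.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -Server $dc -WhatIf }
```

Disabling rather than deleting keeps the account (and its SID) recoverable; the CSV plus the -WhatIf output give a record of exactly which objects were selected by the filter on that day.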
Group Management | AD Cmdlets
Enumerate Group (nested group membership)
Get-ADGroupMember IT -Recursive
Create Group
New-ADGroup -Name "Sales" `
    -Path "OU=Groups,DC=Contoso,DC=com" `
    -GroupScope "Global" `
    -GroupCategory "Security"
To return the group object, add -PassThru:
$newGroup = New-ADGroup -Name "IT" `
    -Path "OU=Groups,DC=Contoso,DC=com" `
    -GroupScope "Global" -PassThru
Populate Group
$ITUsers = Get-ADUser -Filter { Department -eq "IT" }
Add-ADGroupMember -Identity $newGroup -Members $ITUsers
OR
$ITUsers | Add-ADPrincipalGroupMembership -MemberOf "IT"
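Get-ADGroupMember -Recursive is also the tool for auditing who effectively holds a privileged group through nesting. The following added example (not from the original deck) compares the expanded membership of Domain Admins against a saved baseline and reports additions, removals and any non-user principals that arrived via nested groups. Domain Admins is a real built-in group; the baseline file name is an assumed sample value.

```powershell
# Added example (not from the original deck). The baseline file path is an assumed value.
Import-Module ActiveDirectory

$group    = 'Domain Admins'
$baseline = '.\domain-admins-baseline.txt'   # one SamAccountName per line

# -Recursive expands nested groups and returns the leaf principals (users, computers, ...).
$members = Get-ADGroupMember -Identity $group -Recursive |
    Sort-Object SamAccountName -Unique

# First run: record the approved membership and stop.
if (-not (Test-Path $baseline)) {
    $members.SamAccountName | Set-Content $baseline
    "Baseline written with $($members.Count) member(s): $baseline"
    return
}

$approved = Get-Content $baseline
$diff = Compare-Object -ReferenceObject $approved -DifferenceObject $members.SamAccountName

foreach ($d in $diff) {
    switch ($d.SideIndicator) {
        '=>' { "ADDED (not in baseline):           $($d.InputObject)" }
        '<=' { "MISSING (in baseline, not in group): $($d.InputObject)" }
    }
}
if (-not $diff) { "Effective membership of '$group' matches the baseline." }

# Computers or other non-user objects usually have no business in this group; flag them.
$members | Where-Object { $_.objectClass -ne 'user' } |
    ForEach-Object { "NON-USER MEMBER: $($_.SamAccountName) ($($_.objectClass))" }
```

Run it on a schedule and treat any ADDED line as an incident to confirm with change records; because the expansion is recursive, a user added to a group that is itself nested in Domain Admins shows up here even though Get-ADGroupMember without -Recursive would list only the nested group.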
DEMO