Sunday, May 30, 2010

Inside the new PowerShell 2.0 commands for Active Directory

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1513245,00.html?ShortReg=1&mboxConv=searchWindowsServer_RegActivate_Submit&




In this two-part article we will look at the different vendors that provide AD cmdlets and how they work.

Microsoft Active Directory is one of those things that almost every admin has to work with to some degree, ranging from full AD management to simple consumption of Active Directory. Whatever your experience is with AD, there is a PowerShell cmdlet for you. These cmdlets are provided by two major vendors: Microsoft and Quest Software.

The different scopes of AD management

Object management

Objects are the foundation and purpose of Active Directory and are where AD stores the data you provide. There are different types of objects, but the three basic objects most admins deal with are:

· User - an object that stores information about a user
· Computer - an object that stores information about a computer
· Group - an object that stores a relationship between groups of objects

Some examples of object management include searching Active Directory for an object, adding users, setting passwords, deleting computers, and adding a member to a group.

Infrastructure

Infrastructure refers to the things that make Active Directory work. Below is a list of some of the components of AD that comprise its infrastructure:

· Forest - A collection of trees (a group of one or more domains). These domains must maintain a single configuration and schema.
· Domain - A collection of objects that share a common namespace and authentication realm.
· Site - A collection of computers that share a common subnet defined by an Active Directory object.
· Domain controller (DC) - The principal authority for the domain, responsible for authentication and access to domain resources.
· Partitions - A logical segmentation of a group of objects. The three main partitions in Active Directory are domain, configuration and schema.

Some examples of infrastructure management include finding a DC, setting an operation master role, creating a site, forcing replication, and checking replication.

Before we start down the rabbit hole of Active Directory PowerShell cmdlets, it's important to understand the different scopes of management that admins often encounter when it comes to AD. These can be broken into two basic categories: object management and infrastructure (see the sidebar to the right for a detailed explanation of each).

With those fundamentals of AD management understood, we can take a detailed look at the Microsoft Active Directory cmdlets that ship with Windows 7 and Server 2008 R2, including what is required to run them, how they work, and some examples to get you on your way.

Before we dive directly into the cmdlets, it is important to know the initial requirements that must be met in order to manage Active Directory with Windows PowerShell. First, you need to have at least one domain controller with Active Directory Web Service (AD WS) or Active Directory Management Gateway Services (AD MGS). Both of these services do basically the same thing, with the only difference being that AD Web Services ships with Windows Server 2008 R2, while AD MGS is an update for Windows 2003 and 2008 domain controllers. This is very important because the Active Directory cmdlets use AD WS/AD MGS to communicate with the domain.

Second, you must have a Windows 7 or Windows Server 2008 R2 client because the DC Locator process was updated to discover AD Web Services and has not been back-ported to older clients.

Here is the process flow for Active Directory PowerShell cmdlet queries:

[Client] cmdlet -> AD WS -> Query DC -> AD WS -> cmdlet.

The cmdlet/client sends the query to AD Web Services, which does a domain query using its own protocol. The DC formulates the response and sends it back to the "client" via AD Web Services and this is all wrapped up in a Web Services protocol.

While we don't have the time or space to cover all of the cmdlets offered by Microsoft (we are talking a small book's worth of material here), we can take a look at a few of the key ones for both Active Directory management categories.

Object management cmdlets for Active Directory

Get-ADUser - gets a specific user object or does a search for user objects that match the query

Examples:
# Get the user account for a user with sAMAccountName of bsonposh
Get-ADUser bsonposh

# Get all the users that have the last name Shell using friendly filter
Get-ADUser -Filter "sn -eq 'shell'"

# Get all the users that have the last name Shell using LDAP filter
Get-ADUser -LDAPFilter "(sn=shell)"

For more examples:
Get-Help Get-ADUser -Example

Get-ADComputer - gets a specific computer object or does a search for computer objects that match the query

Examples:
# Get all the computers in a given OU
Get-ADComputer -SearchBase "OU=XenDesktop,DC=Dev,DC=Lab" -Filter *

# Get all the computers without a given DNS suffix
Get-ADComputer -Filter "dnsHostName -notlike '*.dev.lab'"

# Find computers that have logged on within the last 30 days
# (lastLogonTimestamp is stored as FILETIME, so the cut-off is converted first)
$lastLogon = (Get-Date).AddDays(-30).ToFileTime()
Get-ADComputer -Filter {lastLogonTimestamp -gt $lastLogon}

For more examples:
Get-help Get-ADComputer -example

Get-ADGroup - gets a specific group object or does a search for group objects that match the query

Examples:
# List all the Universal Groups
Get-ADGroup -Filter {GroupScope -eq 'Universal'}

# Get the group members
Get-ADGroup "Domain Admins" -Properties member | Select-Object -ExpandProperty member

# This is even easier if you use Get-ADGroupMember
Get-ADGroupMember "Domain Admins"

# Find empty groups
Get-ADGroup -Filter {Member -notlike '*'}

For more examples:
Get-help Get-ADGroup -example
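The object-management cmdlets above are most useful when combined into one recurring review. The script below is an added example (not from the article or from Microsoft): it reads the privileged-group membership, stale users and computers, and empty groups with the same filters shown above and files them as a CSV. The group name, the 90-day threshold and the report path are constructed values to adjust for your own domain.

```powershell
Import-Module ActiveDirectory

# Constructed inputs for this example; change them for your own domain.
$StaleDays       = 90
$PrivilegedGroup = 'Domain Admins'
$ReportPath      = Join-Path $env:TEMP 'ad-object-review.csv'

# lastLogonTimestamp is stored as FILETIME, so the cut-off is converted the same
# way as in the Get-ADComputer example above. The attribute only replicates every
# 9-14 days by default, so treat it as a coarse indicator rather than an exact one.
$cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTime()

# 1. Every user holding the privileged group, including nested membership.
$privileged = Get-ADGroupMember $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties lastLogonTimestamp, PasswordLastSet

# 2. Enabled users whose recorded logon is older than the cut-off. Accounts that
#    never logged on have no lastLogonTimestamp and are deliberately left out here.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true -and lastLogonTimestamp -lt $cutoff } `
                         -Properties lastLogonTimestamp

# 3. Computer accounts whose recorded logon is older than the cut-off.
$staleComputers = Get-ADComputer -Filter { lastLogonTimestamp -lt $cutoff } `
                                 -Properties lastLogonTimestamp

# 4. Groups with no members at all, as in the "Find empty groups" example above.
$emptyGroups = Get-ADGroup -Filter { Member -notlike '*' }

# One flat record per finding so the output can be filed and diffed next month.
function New-Finding($Category, $Object) {
    $lastLogon = $null
    if ($Object.lastLogonTimestamp) {
        $lastLogon = [DateTime]::FromFileTime($Object.lastLogonTimestamp)
    }
    New-Object PSObject -Property @{
        Category          = $Category
        Name              = $Object.Name
        DistinguishedName = $Object.DistinguishedName
        LastLogon         = $lastLogon
    }
}

$findings = @()
$findings += $privileged     | ForEach-Object { New-Finding 'PrivilegedMember' $_ }
$findings += $staleUsers     | ForEach-Object { New-Finding 'StaleUser'        $_ }
$findings += $staleComputers | ForEach-Object { New-Finding 'StaleComputer'    $_ }
$findings += $emptyGroups    | ForEach-Object { New-Finding 'EmptyGroup'       $_ }

$findings | Sort-Object Category, Name | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Category | Select-Object Name, Count
```

Run it from a Windows 7 or Server 2008 R2 machine with the AD module loaded; the counts it prints per category make a quick week-over-week comparison, and the CSV holds the detail.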

Infrastructure cmdlets for Active Directory

Get-ADForest - returns the current forest

Examples:
# Get the current forest
Get-ADForest

# Get the forest for the current user
Get-ADForest -Current LoggedOnUser

# Get the forest for the current computer
Get-ADForest -Current LocalComputer

For more examples:
Get-help Get-ADForest -example

Get-ADDomain - returns the current domain

Examples:
# Get the current domain
Get-ADDomain

# Get a specific domain
Get-ADDomain dev.lab

# Get the user domain
Get-ADDomain -Current LoggedOnUser

For more examples:
Get-help Get-ADDomain -example

Get-ADDomainController - returns a domain controller object that matches the parameters passed

Examples:
# Get the current domain controller for the user session
Get-ADDomainController

# Get the read-only domain controllers
Get-ADDomainController -Filter {isReadOnly -eq $true}

# Find DCs hosting Active Directory Web Services
Get-ADDomainController -Service ADWS -Discover

Note: The following parameters require the -Discover parameter as well: Service, SiteName, DomainName, NextClosestSite, AvoidSelf, and ForceDiscover.

For more examples:
Get-Help Get-ADDomainController -Example

Get-ADRootDSE - This returns the RootDSE by discovery or by defined server. You can think of the RootDSE as an entry point into the directory that provides cursory information regarding the directory that resides on the target or discovered server.

Examples:
# Discover the RootDSE
Get-ADRootDSE

# Get the RootDSE on a specific Server (DC)
Get-ADRootDSE -Server Core.Dev.Lab

For more examples:
Get-help Get-ADRootDSE -example
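Since every one of these cmdlets depends on a DC running AD WS or AD MGS, a sensible first step is to discover such a DC, confirm its web-services listener answers, and then pin the remaining infrastructure queries to that same server. The script below is an added example, not code from the article: it reports the naming contexts from the RootDSE, the functional levels, the operation master role holders and the read-only DCs. TCP 9389 is the standard AD WS port and is stated from general knowledge, not from the article.

```powershell
Import-Module ActiveDirectory

# Discover a DC that runs AD Web Services; the cmdlets cannot talk to a DC without
# AD WS / AD MGS. -ForceDiscover ignores the cached DC Locator result.
$dc     = Get-ADDomainController -Discover -Service ADWS -ForceDiscover
$server = [string]$dc.HostName

# Confirm the AD WS listener is reachable. TCP 9389 is the standard AD WS port
# (general knowledge, not a value from the article).
$adwsReachable = $false
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($server, 9389); $adwsReachable = $tcp.Connected }
catch   { $adwsReachable = $false }
finally { $tcp.Close() }

# Read the RootDSE, forest and domain from that server rather than from whatever
# DC the next call would discover, so all values describe the same replica.
$rootDse = Get-ADRootDSE -Server $server
$forest  = Get-ADForest  -Server $server
$domain  = Get-ADDomain  -Server $server

# Operation master roles are exposed on the forest and domain objects. Reading
# them is a check, not a move, so only Get-* cmdlets are used here.
$rodcs = Get-ADDomainController -Server $server -Filter { isReadOnly -eq $true } |
         ForEach-Object { $_.HostName }

New-Object PSObject -Property @{
    ContactedDC          = $server
    AdwsReachable        = $adwsReachable
    DefaultNamingContext = $rootDse.defaultNamingContext
    ConfigurationNC      = $rootDse.configurationNamingContext
    SchemaNC             = $rootDse.schemaNamingContext
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    ReadOnlyDCs          = ($rodcs -join ', ')
}
```

If AdwsReachable comes back false while discovery succeeded, the DC advertises the service but something between the client and TCP 9389 is blocking it, which is the usual reason the cmdlets time out on an otherwise healthy domain.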

Here is a list of all the PowerShell cmdlets provided with the Active Directory module:

  • Add-ADComputerServiceAccount
  • Add-ADDomainControllerPasswordReplicationPolicy
  • Add-ADFineGrainedPasswordPolicySubject
  • Add-ADGroupMember
  • Add-ADPrincipalGroupMembership
  • Clear-ADAccountExpiration
  • Disable-ADAccount
  • Disable-ADOptionalFeature
  • Enable-ADAccount
  • Enable-ADOptionalFeature
  • Get-ADAccountAuthorizationGroup
  • Get-ADAccountResultantPasswordReplicationPolicy
  • Get-ADComputer
  • Get-ADComputerServiceAccount
  • Get-ADDefaultDomainPasswordPolicy
  • Get-ADDomain
  • Get-ADDomainController
  • Get-ADDomainControllerPasswordReplicationPolicy
  • Get-ADDomainControllerPasswordReplicationPolicyUsage
  • Get-ADFineGrainedPasswordPolicy
  • Get-ADFineGrainedPasswordPolicySubject
  • Get-ADForest
  • Get-ADGroup
  • Get-ADGroupMember
  • Get-ADObject
  • Get-ADOptionalFeature
  • Get-ADOrganizationalUnit
  • Get-ADPrincipalGroupMembership
  • Get-ADRootDSE
  • Get-ADServiceAccount
  • Get-ADUser
  • Get-ADUserResultantPasswordPolicy
  • Install-ADServiceAccount
  • Move-ADDirectoryServer
  • Move-ADDirectoryServerOperationMasterRole
  • Move-ADObject
  • New-ADComputer
  • New-ADFineGrainedPasswordPolicy
  • New-ADGroup
  • New-ADObject
  • New-ADOrganizationalUnit
  • New-ADServiceAccount
  • New-ADUser
  • Remove-ADComputer
  • Remove-ADComputerServiceAccount
  • Remove-ADDomainControllerPasswordReplicationPolicy
  • Remove-ADFineGrainedPasswordPolicy
  • Remove-ADFineGrainedPasswordPolicySubject
  • Remove-ADGroup
  • Remove-ADGroupMember
  • Remove-ADObject
  • Remove-ADOrganizationalUnit
  • Remove-ADPrincipalGroupMembership
  • Remove-ADServiceAccount
  • Remove-ADUser
  • Rename-ADObject
  • Reset-ADServiceAccountPassword
  • Restore-ADObject
  • Search-ADAccount
  • Set-ADAccountControl
  • Set-ADAccountExpiration
  • Set-ADAccountPassword
  • Set-ADComputer
  • Set-ADDefaultDomainPasswordPolicy
  • Set-ADDomain
  • Set-ADDomainMode
  • Set-ADFineGrainedPasswordPolicy
  • Set-ADForest
  • Set-ADForestMode
  • Set-ADGroup
  • Set-ADObject
  • Set-ADOrganizationalUnit
  • Set-ADServiceAccount
  • Set-ADUser
  • Uninstall-ADServiceAccount
  • Unlock-ADAccount
