10325A_05


  • 8/10/2019 10325A_05

    1/22

    Module 5

    Automating Active Directory Administration

  • 8/10/2019 10325A_05

    2/22

    Module Overview

    Use the AD: drive in Windows PowerShell

    Identify Active Directory cmdlets in Windows PowerShell

    Perform key Active Directory management tasks related to users, groups, computers, and organizational units, by means of Windows PowerShell cmdlets

  • 8/10/2019 10325A_05

    3/22

    Lesson 1: Active Directory Automation Overview

    Identify prerequisites for using the Microsoft ActiveDirectory cmdlets in a domain

    Explain the purpose and use of the AD: drive

    List the cmdlets included in the ActiveDirectory module

  • 8/10/2019 10325A_05

    4/22

    Active Directory Administration

    Nearly all Active Directory administration in PowerShell is accomplished using the ActiveDirectory module.

    This module is installed on all Domain Controllers. It is also included as part of the Remote Server Administration Tools (RSAT) for Windows 7.

    The ActiveDirectory module includes cmdlets that facilitate virtually every activity in Active Directory administration.

    Its cmdlets provide the functionality that powers the graphical Active Directory Administrative Center console.

    Its cmdlets communicate with a web service that is a part of Active Directory in Windows Server 2008 R2.

    This same web service can be added to Windows Server 2003 and Windows Server 2008 by downloading and installing the Active Directory Management Gateway Service.

    The web service needs to be installed to only a single Domain Controller in your local site.

  • 8/10/2019 10325A_05

    5/22

    Adding a Module

    The Import-Module cmdlet

    Can be used to load any external module into PowerShell.

    Uses the following syntax to add the ActiveDirectory module:

    Import-Module ActiveDirectory

    Using this cmdlet imports the module into only the currently-running session. You will need to import it in each session.

    After it is loaded, the module adds a set of commands for administering Active Directory. You can retrieve the list of commands using:

    Get-Command -Module ActiveDirectory

    The Remove-Module cmdlet will unload the module from the current session.

  • 8/10/2019 10325A_05

    6/22

    The AD: Drive

    Adding the ActiveDirectory module also adds a PSDrive provider.

    This provider maps the AD: drive to your logon domain.

    The main purpose of this drive is to provide a security context for executing cmdlets.

    When you run an Active Directory cmdlet, it will automatically use the credentials and domain of the current AD: drive.

    This eliminates the need to supply credentials for each command.

    You can map other drives to other domains and credentials. Cmdlets will run using the credentials associated with the current drive.

    To use a different domain or set of credentials, change to the correct mapped drive, and then begin running cmdlets.
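The drive-scoped security context described on this slide, shown as an added example (not part of the original course material). The server name `dc1.partner.example` and the drive name `PARTNER` are placeholders; the credential is assumed to be a dedicated account with read-only rights in the second domain.

```powershell
Import-Module ActiveDirectory

# Placeholder values (assumptions, not from the course material)
$server = 'dc1.partner.example'   # a Domain Controller in the other domain
$cred   = Get-Credential          # prompt for the read-only account

# Start from the AD: drive, then map a second drive bound to the
# other domain and the alternate credential.
Push-Location AD:
New-PSDrive -Name PARTNER -PSProvider ActiveDirectory -Root '//RootDSE/' `
            -Server $server -Credential $cred | Out-Null

try {
    Set-Location PARTNER:

    # No -Server or -Credential here: the cmdlet takes both from the
    # current drive, so this query runs as the read-only account.
    Get-ADUser -Filter 'Enabled -eq $true' -ResultSetSize 25 |
        Select-Object Name, DistinguishedName
}
finally {
    # Return to the original location and drop the mapping so later
    # commands do not keep running under the alternate credential.
    Pop-Location
    Remove-PSDrive -Name PARTNER
}
```

Removing the drive in `finally` keeps the alternate security context from outliving the task it was mapped for.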

  • 8/10/2019 10325A_05

    7/22

    Demonstration: The AD: Drive

    Learn how to import the ActiveDirectory module and use the AD: drive

  • 8/10/2019 10325A_05

    8/22

    Tip for Earlier Versions of Windows

    Be Aware: The Active Directory cmdlets are designed to be used on Windows Server 2008 R2 and Windows 7 only

    This means that other operating systems cannot directly install and use the cmdlets

    However, these older operating systems can indirectly use the cmdlets of another host

    The process to use another host's cmdlets is called implicit remoting, and will be covered later in this course

  • 8/10/2019 10325A_05

    9/22

    Lesson 2: Managing Users and Groups

    Use Windows PowerShell cmdlets to retrieve, create, enable, disable, modify, move, and remove Active Directory users and groups

    Use Windows PowerShell cmdlets to reset Active Directory user account passwords

  • 8/10/2019 10325A_05

    10/22

    Discussion: User and Group Cmdlets

    Which cmdlets are available to manage users and groups?

    Which parameters accept pipeline input when you are creating a new user? Adding a member to a group?

  • 8/10/2019 10325A_05

    11/22

    Filtering

    It is generally a bad idea to query every object in Active Directory at once

    Doing so is computationally expensive

    Doing so can impact your Domain Controllers' performance

    Most Active Directory cmdlets have defined a mandatory parameter called -Filter

    This -Filter parameter limits the number of records that the cmdlet will work with

    It can accept wildcards and PowerShell-style criteria:

    Get-ADUser -Filter 'Name -like "*SvcAccount"'

    Get-ADUser -Filter {Name -eq "GlenJohn"}
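An added example (not from the original course material) that combines the filter with the other query-limiting parameters the lab reviews ask about, to report enabled accounts with no recent logon. The OU path `OU=Staff,DC=contoso,DC=com` and the 90-day threshold are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed values: adjust the OU and the age threshold for your domain.
$searchBase = 'OU=Staff,DC=contoso,DC=com'
$cutoff     = (Get-Date).AddDays(-90)

# Avoid: this asks the Domain Controller for every user and every
# attribute, then throws most of it away on the client.
# Get-ADUser -Filter * -Properties * |
#     Where-Object { $_.Enabled -and $_.LastLogonDate -lt $cutoff }

# Prefer: the Domain Controller evaluates the filter, the search is
# scoped to one OU, only the named attributes are returned, and the
# result set is capped.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
    -SearchBase $searchBase -SearchScope Subtree `
    -Properties LastLogonDate, PasswordNeverExpires `
    -ResultSetSize 500

# Accounts that have never logged on carry no logon value and are not
# matched by the -lt comparison; query for those separately if needed.
$stale |
    Sort-Object LastLogonDate |
    Select-Object Name, SamAccountName, LastLogonDate, PasswordNeverExpires
```

The output is a review list only; nothing is disabled or changed by this query.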

  • 8/10/2019 10325A_05

    12/22

    Demonstration: Managing Users and Groups

    Review how to manage users and groups from within the shell

  • 8/10/2019 10325A_05

    13/22

    Lab A: Managing Users and Groups

    Exercise 1: Retrieving a Filtered List of Users from Active Directory

    Exercise 2: Resetting User Passwords and Address Information

    Exercise 3: Disabling Users That Belong to a Specific Group

    Estimated time: 30 minutes

    Logon information

    Virtual machine LON-DC1

    Logon user name Contoso\Administrator

    Password Pa$$w0rd

  • 8/10/2019 10325A_05

    14/22

    Lab Scenario

    You are an Active Directory administrator and want to manage your users and groups via PowerShell.

    You recently upgraded your domain controller to Windows Server 2008 R2 and want to try the new PowerShell Active Directory cmdlets that came with it.

    In order to handle internal tasks more quickly and be prepared to automate them, you want to learn how to find information in Active Directory. You also want to accomplish basic tasks such as resetting users' passwords, disabling users, and moving objects in Active Directory.

  • 8/10/2019 10325A_05

    15/22

    Lab Review

    Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?

    Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?

    How do you add the Active Directory functionality to your PowerShell session?


  • 8/10/2019 10325A_05

    16/22

    Lesson 3: Managing Computers and Other Directory Objects

    Use Windows PowerShell cmdlets to retrieve and modify Active Directory computer accounts

    Use Windows PowerShell cmdlets to retrieve and view Active Directory fine-grained password policies

    Use Windows PowerShell cmdlets to retrieve computer account information, including operating system version, service pack version, and last logon timestamp

  • 8/10/2019 10325A_05

    17/22

    Computer and Other Objects

    The ActiveDirectory cmdlets can also interact with objects other than users, such as:

    Computer objects

    Groups

    Fine-grained password policies

    The cmdlets Get-ADComputer, New-ADFineGrainedPasswordPolicy, and many others interact with these objects in ways that are similar to working with users

    Remember to pipe objects to Get-Member or Format-List * to see which objects are available

    Spend time with the help for the ActiveDirectory module's cmdlets to see which administrative actions are exposed
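An added example (not from the original course material) showing read-only queries against the three object types this lesson covers: computer accounts, organizational units, and fine-grained password policies. The operating system string is taken from the lab titles; everything else uses the module's standard property names.

```powershell
Import-Module ActiveDirectory

# Computer accounts that report a given operating system, with the
# service pack and last logon details named in the lesson objectives.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    Sort-Object LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate

# Organizational units that are not protected against accidental
# deletion. The flag is checked on the client after retrieval.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Fine-grained password policies, ordered by precedence, with the
# users and groups each one applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  LockoutThreshold, AppliesTo
```

All three commands only read from the directory, so they can be run under an account without write permissions.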

  • 8/10/2019 10325A_05

    18/22

    Demonstration: Computer and Other Objects

    Learn how to manage computer and other directory objects from within the shell


  • 8/10/2019 10325A_05

    19/22

    Lab B: Managing Computers and Other Directory Objects

    Exercise 1: Listing All Computers That Appear to Be Running a Specific Operating System According to Active Directory Information

    Exercise 2: Creating a Report Showing All Windows Server 2008 R2 Servers

    Exercise 3: Discovering Any Organizational Units That Aren't Protected Against Accidental Deletion

    Estimated time: 20 minutes

    Logon information

    Virtual machine LON-DC1

    Logon user name Contoso\Administrator

    Password Pa$$w0rd

  • 8/10/2019 10325A_05

    20/22

    Lab Scenario

    As an Active Directory administrator, in addition to managing users and groups you also need to monitor the servers in your organization.

    Active Directory contains details identifying servers, and you want to be able to use those details to discover servers and generate reports.

    To meet new security policies, your company has decided to put more stringent password policies in place. You need to create fine-grained password policies for your organization and heard that PowerShell is the only way to do so.

    As a senior IT administrator responsible for a team, you want to make sure that your team members don't accidentally delete important information in Active Directory. You want to use a new feature for OUs that prevents them from accidental deletion.

  • 8/10/2019 10325A_05

    21/22

    Lab Review

    How can you see a list of all attributes that are available for an Active Directory object?

    Which parameter can be used to limit the total number of objects returned in an Active Directory query?

  • 8/10/2019 10325A_05

    22/22

    Module Review and Takeaways

    On which operating systems are the Active Directory cmdlets available?

    Which module contains the Active Directory cmdlets?

    What is the purpose of an Active Directory PSDrive?

    Which drive must be active in order to use New-PSDrive to map a new drive to Active Directory?

    Class Discussion

    Common issues related to Active Directory