The ActiveDirectory - PowerPoint Presentation

Uploaded by briana-ranney on 2019-12-11 (345 views)

The ActiveDirectory Module 2008R2 and 2012 Written and Delivered by Gary Siepser AD Module Prerequisites Server Side We need AD Web Services At least one 2008 R2 or 2012 DC in the targeted domain OR ID: 770005

Presentation Transcript

The ActiveDirectory Module, 2008 R2 and 2012. Written and delivered by: Gary Siepser

AD Module Prerequisites

Server side (we need AD Web Services):
- At least one 2008 R2 or 2012 DC in the targeted domain, OR
- A 2003 or 2008 DC running the Active Directory Management Gateway Service

Client side (we need the AD PowerShell module):
- OS requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
- Windows 7 and 8: install the current Remote Server Administration Tools
- On server versions RSAT is already present, just add the feature
- Add the ActiveDirectory module either through the Add/Remove Features GUI or using PowerShell:

    Install-WindowsFeature RSAT-AD-PowerShell

- To actually use the cmdlets the module must be imported
- On PowerShell v2: Import-Module ActiveDirectory
- PowerShell v3: you can import manually, but v3 will automatically import modules the first time you attempt to use a command from one

New AD Cmdlets

The current set of AD PowerShell cmdlets can be classified into categories:
- Account management
- Topology management
- Directory object management
- Provider cmdlets

New with Server 2012:
- Active Directory Replication and Topology Management using Windows PowerShell
- Installing AD DS using Windows PowerShell
- Removing AD DS using Windows PowerShell

New AD Cmdlets

In the account management set we have cmdlets that:
- Create, delete, write and read users, groups, computers, managed service accounts and Organizational Units (OUs)
- Manage account settings such as expiration date, password, etc.
- Manage group membership, get account token groups
- Manage fine grained password policy and the default domain password policy

New AD Cmdlets

In the topology management set we have cmdlets that:
- Discover DCs, manage FSMOs, move DCs across sites and get DC info
- Manage the password replication policy of RODCs
- Manage domain and forest, set forest and domain functional level
- Manage optional features

New AD Cmdlets

In the directory object management set we have cmdlets that:
- Create, delete, write and read all types of AD object
- Move, rename and restore AD objects

In the Provider cmdlets set we have cmdlets that enable file-system-like browsing of Active Directory through a PSDrive.

New AD Cmdlets (new for 2012)

In the Active Directory Replication and Topology Management set we have cmdlets that:
- Manage replication, sites and site links
- Offer similar functionality to RepAdmin.exe

In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, creating a streamlined experience and allowing customers to easily create automation scripts.

New AD Cmdlets (new for 2012)

Installing AD DS using Windows PowerShell:
- Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell
- Dcpromo.exe is deprecated beginning with Windows Server 2012

Removing AD DS using Windows PowerShell:
- Uninstall-ADDomainController for removal of a Domain Controller

Deployment (install and uninstall) cmdlets are in the ADDSDeployment module.

Getting Help with the Module

- PSv3 introduces Updatable Help
- No help is included with the cmdlets; it needs to be updated from the internet
- Tricky with no direct internet connection
- Can be done offline (Save-Help on a connected machine, then Update-Help targeting the saved files)
- The internet-connected machine will only Save-Help for modules it has
- The deployment module only runs on a DC
- The internet-connected machine likely won't have that module, thus no "off-line" help update (copying the module manifest can make this work)

Connecting the Cmdlets to AD

- You don't need to do anything to connect to AD with default settings
- PSDrives do add some convenience: when you load the AD PowerShell module (Import-Module ActiveDirectory), a default basic AD drive is created: AD:
- Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, alternate credentials to AD
- Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets
- Example default GC connection drive:

    New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"

- On a cmdlet-by-cmdlet basis you can also control these same connection-related settings
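
The two connection styles the slide mentions, worked through as an added example (this is not code from the slides or from Gary Siepser): per-cmdlet -Server/-Credential overrides, and a dedicated Global Catalog drive that the cmdlets inherit while it is the current location. The DC name, the credential prompt and the sample query are assumptions.

```powershell
# Added example: pointing AD cmdlets at a specific connection.
Import-Module ActiveDirectory

# 1) Per-cmdlet override: -Server and -Credential apply to this call only.
#    'dc1.child.contoso.com' is an assumed DC name.
$cred = Get-Credential -Message 'Account to query the child domain'
Get-ADUser -Filter * -Server 'dc1.child.contoso.com' -Credential $cred -ResultSetSize 5 |
    Select-Object Name, DistinguishedName

# 2) A Global Catalog drive (port 3268) for forest-wide reads. Cmdlets run
#    while GC: is the current location use the drive's server setting.
if (-not (Get-PSDrive -Name GC -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name GC -PSProvider ActiveDirectory -Root '' `
        -Description 'Global Catalog Connection' -Server 'contoso.com:3268' | Out-Null
}

Push-Location GC:
try {
    # Forest-wide search through the GC; only GC-replicated attributes
    # come back, which is why DistinguishedName is a safe pick here.
    Get-ADObject -Filter { objectClass -eq 'user' -and sAMAccountName -like 'j*' } |
        Select-Object Name, DistinguishedName
}
finally {
    Pop-Location    # always return to the previous drive, even on error
}
```

Push-Location/Pop-Location in a try/finally keeps a failing query from leaving the session parked on the GC drive, where later writes would fail against the read-only catalog port.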

Key Concept: Object Output from the Cmdlets

- Cmdlets return objects with limited properties by default
- Use the -Properties param to specify additional properties to bring back (i.e. '-Properties Office' or '-Properties *')
- Most AD objects, including many from account management, have default formatting of a list
- Tables tend to be nicer looking, so often you must pipe to Format-Table to get nice looking results (i.e. Get-ADUser -Filter * | Format-Table Name,GivenName -AutoSize)

Key Concept: The -Identity Parameter

- The identity param is the default param, and position 1
- Param used to target a single object
- The eligible attributes vary by object type
- Example for the ADUser object:
  - Distinguished Name
  - GUID (objectGUID)
  - Security Identifier (objectSid)
  - SAM account name (sAMAccountName)
- More details in: Get-Help about_ActiveDirectory_Identity (this help topic is only viewable while the module is loaded)

Key Concept: The -LDAPFilter Parameter

- This parameter allows native LDAP filters
- Can use filters created from other tools
- LDAP filters use an odd syntax if you aren't already familiar with it
- Must use actual attribute names from AD
- Unless you are re-using old filters, or already are familiar with this syntax, I recommend using the -Filter param instead of -LDAPFilter
- Examples:

    Get-ADUser -LDAPFilter "(givenname=g*)"
    Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
    Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"

Key Concept: The -Filter Parameter

- This is a more PowerShell-like syntax that resembles the syntax of Where-Object
- Details can be found in the help topic: about_ActiveDirectory_Filter
- We have more user-friendly names for attributes that can be used, though actual AD attribute names can also be used (to see all the friendly and AD names see: about_ActiveDirectory_ObjectModel)
- Limited operators supported
- Example:

    Get-ADUser -Filter {surname -eq "Siepser"}
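
The same query written with -Filter (script block and string forms) and with -LDAPFilter, as an added example that is not from the slides. It also shows the two things that bite people with these parameters: how variables get into a filter, and that values containing LDAP metacharacters must be escaped before they are pasted into an -LDAPFilter string. The surname, office value and variable names are constructed.

```powershell
# Added example: -Filter versus -LDAPFilter for one and the same question.
Import-Module ActiveDirectory

$surname = 'Siepser'    # constructed sample value

# -Filter as a script block: PowerShell-style operator, friendly attribute name.
$a = Get-ADUser -Filter { Surname -eq $surname }

# -Filter as a string: the double-quoted string expands $surname, so the
# value itself has to be quoted inside the filter text.
$b = Get-ADUser -Filter "Surname -eq '$surname'"

# -LDAPFilter: native LDAP syntax and the real attribute name (sn, not Surname).
$c = Get-ADUser -LDAPFilter "(sn=$surname)"

# Property references such as $obj.Prop are not reliably accepted inside the
# -Filter script block; copy the value to a plain variable first.
$person = [pscustomobject]@{ Last = 'Siepser' }
$last   = $person.Last
$d = Get-ADUser -Filter { Surname -eq $last }

# LDAP special characters in a value: RFC 4515 escapes ( ) * \ as \28 \29 \2a \5c.
# Without this, an office name like 'Mason (North)' breaks or changes the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

$office  = 'Mason (North)'          # constructed sample value
$escaped = ConvertTo-LdapFilterValue $office
# Office in LDAP terms is physicalDeliveryOfficeName.
Get-ADUser -LDAPFilter "(&(|(givenName=g*)(givenName=s*))(physicalDeliveryOfficeName=$escaped))" |
    Select-Object Name, GivenName
```

The backslash is escaped first in ConvertTo-LdapFilterValue so that the backslashes introduced by the other three replacements are not escaped a second time.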

AD Provider

The AD provider is available once the AD module is imported. Use the common provider cmdlets to manage the AD drive:

    PS C:\> Get-PSProvider

    Name              Capabilities      Drives
    ----              ------------      ------
    ActiveDirectory   Include...        {AD}

    PS C:\> Set-Location AD:
    PS AD:\> dir

    Name              ObjectClass     DistinguishedName
    ----              -----------     -----------------
    contoso           domainDNS       DC=contoso,DC=com
    Configuration     configuration   CN=Configuration,DC=contoso,DC=com
    Schema            dMD             CN=Schema,CN=Configuration,DC=contoso,DC=com
    DomainDnsZones    domainDNS       DC=DomainDnsZones,DC=contoso,DC=com
    ForestDnsZones    domainDNS       DC=ForestDnsZones,DC=contoso,DC=com

    PS AD:\> cd "DC=contoso,DC=com"
    PS AD:\DC=contoso,DC=com\> dir | ft PSChildName
    PS AD:\DC=contoso,DC=com\> md "OU=Test"
    PS AD:\DC=contoso,DC=com\> cd "OU=Test"
    PS AD:\OU=Test,DC=contoso,DC=com\>

User Account Management Examples

Create user:

    New-ADUser -Name jpublic -SamAccountName "jpublic" `
        -GivenName "John" -Surname "Public" -DisplayName "John Public"

    Import-Csv c:\pristine.csv | New-ADUser -Office Miami

Modify user:

    Set-ADUser -Identity "jpublic" -Title "Engineer"

    Get-ADUser -Filter {office -eq 'Miami'} | Set-ADUser -Office MIA

Delete user:

    Remove-ADUser jpublic                                   # targets a single AD object only!

    Get-ADUser -Filter {office -eq 'Miami'} | Remove-ADUser

Query users:

    Get-ADUser -Filter * -Properties *
    Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData
    Get-ADUser -Filter {office -eq 'Los Angeles'}

Computer Account Management Examples

Find stale computer accounts:

    $OneYearAgo = (Get-Date).AddYears(-1)
    Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount

OR

    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180

Computer information:

    Get-ADComputer -Filter * -Property Name,OperatingSystem,`
        OperatingSystemServicePack,OperatingSystemVersion | Out-GridView
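
A fuller version of the stale-computer search above, added here as an example that is not from the slides: it converts lastLogonTimestamp from its FILETIME integer to a readable date, cross-checks the -Filter result against Search-ADAccount, and previews the disable with -WhatIf instead of acting immediately. The 180-day threshold and the workstation OU are assumptions.

```powershell
# Added example: review stale computer accounts before disabling them.
Import-Module ActiveDirectory

$StaleDays  = 180                                   # assumed policy threshold
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$SearchBase = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU

# lastLogonTimestamp is an Int64 FILETIME and is replicated lazily (the DC
# only writes it when the stored value is more than ~14 days old), so read
# it as "last logon, give or take two weeks". Accounts that never logged on
# have no value and do not match the -lt comparison at all.
$stale = Get-ADComputer -SearchBase $SearchBase `
            -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $Cutoff } `
            -Properties LastLogonTimeStamp, OperatingSystem

$stale |
    Sort-Object LastLogonTimeStamp |
    Format-Table Name, OperatingSystem,
        @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } } `
        -AutoSize

# Search-ADAccount does the same date arithmetic itself; a TimeSpan string
# of "180.00:00:00" means 180 days. The two counts should be close.
$fromSearch = Search-ADAccount -ComputersOnly -AccountInactive `
                  -TimeSpan "$StaleDays.00:00:00" -SearchBase $SearchBase
'Filter: {0} stale, Search-ADAccount: {1} inactive' -f @($stale).Count, @($fromSearch).Count

# Disable only after the list has been reviewed. -WhatIf reports what would
# change without touching the directory; drop it for the real run.
$stale | Disable-ADAccount -WhatIf
```

Keeping $stale as the ADComputer objects returned by Get-ADComputer (rather than the output of Select-Object) is what lets the same variable feed both the report and Disable-ADAccount.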

Group Management Examples

Populate group:

    $ITUsers = Get-ADUser -Filter {Department -eq "IT"}
    Add-ADGroupMember -Identity ITCommunications -Members $ITUsers

OR

    $ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications

Create group:

    New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
        -GroupScope "Global" -GroupCategory "Security"

Enumerate group:

    Get-ADGroupMember IT                # only members in the group (includes groups)
    Get-ADGroupMember IT -Recursive     # users in nested groups as well

Group Management (continued)

Remove from group:

    $ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"

OR

    Remove-ADGroupMember -Identity "IT" -Members $ITUsers

TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one time.

    $OriginalConfirmPreference = $ConfirmPreference
    $ConfirmPreference = "None"
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers
    $ConfirmPreference = $OriginalConfirmPreference

OR

    Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$false
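
The direct-versus-recursive enumeration from the previous slide is most useful when reviewing a privileged group, so here is an added example (not from the slides) that joins the two results into one report marking which members are reachable only through nesting. The group name is an assumption; the removal at the end is shown with -WhatIf first and -Confirm:$false second, matching the tip above.

```powershell
# Added example: effective membership of a group, with nested-only members flagged.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory)][string]$Group)

    # Direct members may include other groups; -Recursive expands every
    # nested group and returns only the leaf principals (users, computers).
    $direct    = Get-ADGroupMember -Identity $Group
    $recursive = Get-ADGroupMember -Identity $Group -Recursive

    $directSids = @($direct | ForEach-Object { $_.SID.Value })

    foreach ($m in $recursive) {
        [pscustomobject]@{
            Group       = $Group
            Name        = $m.SamAccountName
            ObjectClass = $m.objectClass
            Direct      = $directSids -contains $m.SID.Value   # $false = arrives via nesting
        }
    }
}

$group  = 'Domain Admins'       # assumed group under review
$report = Get-EffectiveGroupMembers -Group $group
$report | Sort-Object Direct, Name | Format-Table -AutoSize

# Members that only arrive through nested groups are exactly the ones a
# review of the group's own member list would miss.
$nestedOnly = @($report | Where-Object { -not $_.Direct })
'{0} effective members of {1}, {2} only via nesting' -f @($report).Count, $group, $nestedOnly.Count

# Removing a member: preview first, then run without the prompt.
# 'stale.admin' is a constructed account name.
Remove-ADGroupMember -Identity $group -Members 'stale.admin' -WhatIf
# Remove-ADGroupMember -Identity $group -Members 'stale.admin' -Confirm:$false
```

Comparing on SID rather than on name avoids false matches when a user and a computer share a SamAccountName prefix, and it works the same for foreign security principals.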

Multi-Valued Attributes

- Example: OtherTelephone
- A multi-valued attribute can contain a single value or multiple values
- Each value must be unique
- Use a hash table (key/value pair), i.e. @{}

User telephone numbers:

    New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" `
        -Name "Sales1" -SamAccountName "Sales1" `
        -UserPrincipalName "Sales1@contoso.com" `
        -Department "sales" -OtherAttributes `
        @{otherTelephone="555-555-5555","123-456-7890"}

    Set-ADUser -Identity jpublic `
        -Add @{otherTelephone="555-555-5555","123-456-7890"}
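
Because each value in a multi-valued attribute must be unique, a plain -Add of a value that is already present fails. The added example below (not from the slides) wraps -Add so it is safe to re-run, then shows -Remove, -Replace and -Clear on the same attribute. The user name and phone numbers are constructed.

```powershell
# Added example: idempotent handling of the multi-valued otherTelephone attribute.
Import-Module ActiveDirectory

function Add-UniqueOtherTelephone {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Numbers
    )
    $user     = Get-ADUser -Identity $Identity -Properties otherTelephone
    $existing = @($user.otherTelephone)

    # -Add appends to the set; adding a value that already exists raises an
    # "attribute or value already exists" error, hence the filter.
    $new = @($Numbers | Where-Object { $existing -notcontains $_ })
    if ($new.Count -gt 0) {
        Set-ADUser -Identity $Identity -Add @{ otherTelephone = $new }
    }

    # Return the attribute as it is now stored.
    @((Get-ADUser -Identity $Identity -Properties otherTelephone).otherTelephone)
}

# First call adds both numbers; the second is a no-op because both exist.
Add-UniqueOtherTelephone -Identity jpublic -Numbers '555-555-5555', '123-456-7890'
Add-UniqueOtherTelephone -Identity jpublic -Numbers '555-555-5555'

# Drop one value and keep the rest.
Set-ADUser -Identity jpublic -Remove @{ otherTelephone = '123-456-7890' }

# Replace the whole set in one write.
Set-ADUser -Identity jpublic -Replace @{ otherTelephone = '555-000-0001', '555-000-0002' }

# Empty the attribute entirely.
Set-ADUser -Identity jpublic -Clear otherTelephone
```

The hash table passed to -Add, -Remove and -Replace uses the LDAP attribute name as the key; the value can be a single string or an array, which is how several values land in one operation.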

New Site Management (2012 Module)

To create a new site:

    New-ADReplicationSite BRANCH1

This command creates the new branch office site, BRANCH1.

To create a new site link:

    New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}

This command creates the site link to BRANCH1 and turns on the change notification process.

To set the site link cost and replication frequency:

    Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15

This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.

To move a domain controller to a different site:

    Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1

This command moves the domain controller DC2 to the BRANCH1 site.

Checking Replication Status (2012 Module)

- Get-ADReplicationUpToDatenessVectorTable
- Look at the "High Water Mark": the highest USN per server and replication partner
- The example below has great variance: DC3 is not up to date, it is missing many new user accounts

    PS > Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Server,UsnFilter,Partner -AutoSize

    Server                    UsnFilter Partner
    ------                    --------- -------
    2012DC1.contoso.com           20796 CN=NTDS Settings,CN=2012DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
    2012DC2.child.contoso.com     22459 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
    2012DC3.child.contoso.com     17039 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
    2012DC2.child.contoso.com     12777 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...
    2012DC3.child.contoso.com     13260 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...

The numbers are too far apart: for partner 2012DC2, 2012DC2 itself is at 22459 while 2012DC3 has only seen 17039.

Replication behind:

    PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
    804
    PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
    4

Replication caught up:

    PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
    804
    PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
    804
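
Reading the up-to-dateness vector by eye works for three DCs; the added example below (not from the slides) does the same comparison in code: for each partner it takes the highest USN any server has seen from that partner and reports how far each server lags behind it, then corroborates with the per-connection failure counters from Get-ADReplicationPartnerMetadata. The gap threshold is an assumption; the output property names (Server, Partner, UsnFilter, LastReplicationResult, ConsecutiveReplicationFailures) are those the two cmdlets return.

```powershell
# Added example: compute per-partner USN lag from the up-to-dateness vector.
Import-Module ActiveDirectory

function Get-ReplicationLag {
    param([int]$UsnGapThreshold = 1000)    # assumed: flag gaps larger than this

    $vectors = Get-ADReplicationUpToDatenessVectorTable -Target * -Scope Forest

    # Group rows by originating partner. The largest UsnFilter in a group is
    # the freshest view of that partner; every other server is behind by
    # the difference.
    $vectors | Group-Object Partner | ForEach-Object {
        $max = ($_.Group | Measure-Object UsnFilter -Maximum).Maximum
        foreach ($row in $_.Group) {
            $gap = $max - $row.UsnFilter
            [pscustomobject]@{
                # Partner is the NTDS Settings DN; the second RDN is the DC name.
                Partner = (($row.Partner -split ',')[1]) -replace '^CN='
                Server  = $row.Server
                Usn     = $row.UsnFilter
                Gap     = $gap
                Behind  = $gap -gt $UsnGapThreshold
            }
        }
    }
}

Get-ReplicationLag | Sort-Object Partner, Gap -Descending | Format-Table -AutoSize

# Cross-check: partner metadata carries the last result code and the number
# of consecutive failures for each inbound connection. Anything non-zero here
# explains a growing gap above.
Get-ADReplicationPartnerMetadata -Target * -Scope Forest |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationResult -ne 0 } |
    Select-Object Server, Partner, LastReplicationAttempt, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

Run against the slide's lab, the partner 2012DC2 group would show a gap of 5420 for 2012DC3, which is the discrepancy the slide points at.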

Domain Controller Deployment (2012 Server)

Separate PS module: ADDSDeployment

    PS C:\> Get-Command -Module ADDSDeployment

    CommandType Name                                               ModuleName
    ----------- ----                                               ----------
    Cmdlet      Add-ADDSReadOnlyDomainControllerAccount            ADDSDeployment
    Cmdlet      Install-ADDSDomain                                 ADDSDeployment
    Cmdlet      Install-ADDSDomainController                       ADDSDeployment
    Cmdlet      Install-ADDSForest                                 ADDSDeployment
    Cmdlet      Test-ADDSDomainControllerInstallation              ADDSDeployment
    Cmdlet      Test-ADDSDomainControllerUninstallation            ADDSDeployment
    Cmdlet      Test-ADDSDomainInstallation                        ADDSDeployment
    Cmdlet      Test-ADDSForestInstallation                        ADDSDeployment
    Cmdlet      Test-ADDSReadOnlyDomainControllerAccountCreation   ADDSDeployment
    Cmdlet      Uninstall-ADDSDomainController                     ADDSDeployment

    Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)

In this example you would be prompted for the safe mode password, and for credentials to actually join the domain as a DC. All prompts can be answered ahead and thus suppressed.
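
Answering the prompts ahead of time, as the slide says is possible, looks like the added example below (not from the slides). It collects the DSRM password as a SecureString, runs the matching Test-ADDSDomainControllerInstallation with the same parameter set, and only promotes when the pre-flight check succeeds. The domain name is the slide's; the site name, disk paths and the decision to defer the reboot are assumptions.

```powershell
# Added example: unattended DC promotion with a pre-flight check.
Import-Module ADDSDeployment

$domain  = 'child.contoso.com'
$domCred = Get-Credential -Message "Domain Admin for $domain"

# The DSRM password is read once as a SecureString; it is never written
# into the script or into a plain-text variable.
$dsrm = Read-Host -AsSecureString -Prompt 'Safe Mode (DSRM) administrator password'

# One parameter set, shared by the test and the install via splatting.
$params = @{
    DomainName                    = $domain
    Credential                    = $domCred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = 'BRANCH1'   # assumed; the site must already exist
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'   # assumed data volume
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    NoRebootOnCompletion          = $true       # reboot on our own schedule
    Force                         = $true       # suppress the confirmation prompts
}

# Dry run: validates prerequisites with the same parameters and changes nothing.
$test = Test-ADDSDomainControllerInstallation @params
$test | Format-List Status, Message

if ($test.Status -ne 'Success') {
    throw "Pre-flight check failed for $domain; not promoting."
}

$result = Install-ADDSDomainController @params
$result | Format-List Status, Message, RebootRequired
```

Splatting the same hash table into Test-* and Install-* guarantees the promotion runs with exactly the parameters that were validated; editing a parameter after the test silently invalidates the check.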

Thank You

- Go out there and deal with the pre-reqs now
- Get the module ready to roll even if you don't use it much
- Once you get hooked on the "PowerShell" way, you'll probably start hating the GUI
- That doesn't mean to avoid the GUI; you'll just find that language-based administration can really rock sometimes
- Play, play, play and discover all the other great nuggets I haven't found yet. This stuff is brand new

Resources

- Active Directory Administration with Windows PowerShell: http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx
- Active Directory PowerShell blog: http://blogs.msdn.com/b/adpowershell/
- Active Directory Replication and Topology Management Using Windows PowerShell
- Installing AD DS Using Windows PowerShell
- Removing AD DS Using Windows PowerShell
- In the Dynamic Access Control deployment documentation, look for any sections that are labeled "Windows PowerShell equivalent commands"
- In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller
