Prof. Powershell

Like, Totally Modular, Dude!

Active Directory cmdlets come as modules, not PS snapins. Managing AD is easy with this new PowerShell goodie.

When Windows Server 2008 R2 hit the streets, it also brought with it some terrific PowerShell functionality such as the ability to manage Active Directory from the command line. Windows 2008 R2 also brought a new Web service interface for Active Directory. You can download this service (the Active Directory Gateway Management Service) from Microsoft and install on your Windows 2003 and 2008 domain controllers.

Once enabled, you can remotely manage Active Directory from PowerShell using the Active Directory cmdlets. The best approach, which avoids domain controller logons, is to install the Remote Server Administration Tools from Microsoft on your Windows 7 desktop. Configure the tools to include Active Directory management. This will load all the necessary PowerShell bits.

Once loaded, open up a PowerShell prompt and import the Active Directory module:

Import-Module ActiveDirectory

Not only will this load a number of cmdlets, but it should also create a new PSDrive rooted to Active Directory. I'll talk about that in a future lesson. For now, let's see what we have to work with:

Get-Command -Module ActiveDirectory

You should see a long list of cmdlets. Fortunately, they follow the standard Windows PowerShell naming convention and include complete help documentation:

PS C:\> help get-addomain -full

The Microsoft cmdlets behave a little differently than you might be used to, especially if you've ever used the free Active Directory cmdlets from Quest Software. So be sure to look at the cmdlet help and examples:

PS C:\scripts> Get-ADDomain -Server "mycompany-dc01"

AllowedDNSSuffixes         : {}
ChildDomains               : {RESEARCH.MYCOMPANY.LOCAL}
ComputersContainer         : CN=Computers,DC=MYCOMPANY,DC=LOCAL
DeletedObjectsContainer    : CN=Deleted Objects,DC=MYCOMPANY,DC=LOCAL
DistinguishedName          : DC=MYCOMPANY,DC=LOCAL
DNSRoot                    : MYCOMPANY.LOCAL
DomainControllersContainer : OU=Domain Controllers,DC=MYCOMPANY,DC=LOCAL
DomainMode                 : Windows2003Domain
DomainSID                  : S-1-5-21-2550226150-4167290512-4275125679
ForeignSecurityPrincipalsContainer
                           : CN=ForeignSecurityPrincipals,DC=MYCOMPANY,D
Forest                     : MYCOMPANY.LOCAL
InfrastructureMaster       : MYCOMPANY-DC01.MYCOMPANY.LOCAL
LastLogonReplicationInterval :
LinkedGroupPolicyObjects   : {cn={C009E271-6ECC-4828-9B35-C05194B801C2},
                             cn={466CB7A0-DD41-48CE-AE0E-CAF854D40A55},
                             CN={5BFECE71-61F5-42FE-9C60-C9C79AEE8060},
                             cn={D97AE135-4370-4E33-BF18-79898A0183FA},
                             ..}
LostAndFoundContainer      : CN=LostAndFound,DC=MYCOMPANY,DC=LOCAL
ManagedBy                  :
Name                       : MYCOMPANY
NetBIOSName                : MYCOMPANY
ObjectClass                : domainDNS
ObjectGUID                 : 2132219a-da45-49b9-88a3-5c0dbb7d51c3
ParentDomain               :
PDCEmulator                : MYCOMPANY-DC01.MYCOMPANY.LOCAL
QuotasContainer            : CN=NTDS Quotas,DC=MYCOMPANY,DC=LOCAL
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers    : {MYCOMPANY-DC01.MYCOMPANY.LOCAL}
RIDMaster                  : MYCOMPANY-DC01.MYCOMPANY.LOCAL
SubordinateReferences      : {DC=RESEARCH,DC=MYCOMPANY,DC=LOCAL,
                             DC=ForensZones,DC=MYCOMPANY,DC=LOCAL,
                             CN=Configura
SystemsContainer           : CN=System,DC=MYCOMPANY,DC=LOCAL
UsersContainer             : CN=Users,DC=MYCOMPANY,DC=LOCAL

Getting user accounts isn't much more difficult, but again I encourage you to read the help file:

PS C:\scripts> get-aduser -filter "name -eq 'Jack Frost'"

DistinguishedName : CN=Jack Frost,OU=Employees,DC=MYCOMPANY,DC=LOCAL
Enabled           : True
GivenName         : Jack
Name              : Jack Frost
ObjectClass       : user
ObjectGUID        : a5be252a-9fcc-406a-b647-f0bab87f3528
SamAccountName    : jfrost
SID               : S-1-5-21-2550226150-4167290512-4275125679-2438
Surname           : Frost
UserPrincipalName : [email protected]
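To tie the two cmdlets together, here is a small read-only audit script I've added to this lesson (it is not code from the column itself). It assumes the RSAT Active Directory tools are installed, that the caller can read the domain, and that the DC name and OU are placeholders; it also demonstrates a caveat the output above hides: Get-ADUser returns only a default set of properties unless you ask for more with -Properties.

```powershell
# Added example, not part of the original column. Assumes RSAT with the
# ActiveDirectory module is installed and the caller has read access.
# $Server and $SearchBase are placeholders; adjust for your environment.
param(
    [string]$Server = 'mycompany-dc01',   # placeholder domain controller
    [string]$SearchBase = ''              # optional OU DN to scope the user query
)

# The AD cmdlets ship as a module (PowerShell 2.0+), not a PSSnapin,
# so confirm the module is available before importing it.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'ActiveDirectory module not found. Install RSAT with the AD tools.'
}
Import-Module ActiveDirectory

# 1. Domain overview: functional level and FSMO role holders. Knowing which
#    DC holds each role matters for change control and incident response.
$domain = Get-ADDomain -Server $Server
$domain |
    Select-Object DNSRoot, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster,
        @{ n = 'DCs';   e = { $_.ReplicaDirectoryServers -join ', ' } },
        @{ n = 'RODCs'; e = { $_.ReadOnlyReplicaDirectoryServers -join ', ' } } |
    Format-List

# 2. User query. Get-ADUser returns only a default property set (the ten
#    shown in the lesson); request extra attributes with -Properties.
#    -Filter uses PowerShell-style comparison syntax, not an LDAP filter.
$params = @{
    Server     = $Server
    Filter     = 'Enabled -eq $true'
    Properties = 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate'
}
if ($SearchBase) { $params.SearchBase = $SearchBase }

$users = Get-ADUser @params

# Report enabled accounts whose password never expires: a routine audit
# finding that the default property set alone would not reveal.
$users |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object SamAccountName, Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Run it as a script (for example `.\Audit-Domain.ps1 -Server mycompany-dc01`); everything it does is a read, so it is safe to try against a lab domain first.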

The important thing to remember is that the Active Directory cmdlets are stored in a module, not a PSSnapin, so you need to have Windows PowerShell 2.0. You can manage any Windows 2003 and newer domain, provided it has the AD gateway service, which also requires PowerShell 2.0. But as an added bonus you'll now be able to manage the domain controller like all your other member servers -- directly from Windows PowerShell.

I'll try to cover some of the AD cmdlets in future lessons. If you are interested in learning more, I post regular features at TheExpertsCommunity.com that focus on managing Active Directory with Windows PowerShell.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.
