Prof. Powershell

Active Directory, The PS Way

To manage your environment, use the AD PowerShell provider that comes with Windows Server 2008 R2, or the Active Directory Management Gateway for any down-level DC.

A terrific benefit of learning Windows PowerShell is that once you've mastered the basics, learning other PowerShell-enabled tools is much easier. All you have to do is learn what the new cmdlets do and that is pretty easy if they ship with complete help.

If you try out a PowerShell-based product and cmdlet help is minimal to non-existent, complain to the vendor. This also holds true if they bend a lot of the rules, like using odd naming conventions or poor use of the pipeline. It's up to the community to hold vendors accountable.

That said, over the next few lessons I want to point out some other ways you can use PowerShell to manage your environment. You might be aware that Microsoft released an Active Directory PowerShell provider with Windows Server 2008 R2. You don't need an R2 DC; instead, you can download the free Active Directory Management Gateway service and install it on any down-level domain controller.

What you'll need to manage Active Directory on the client side is Windows 7 and the free Remote Server Administration Tools (RSAT) from Microsoft. Once installed, configure RSAT under Control Panel > Programs > Turn Windows Features On or Off. Select the Active Directory management feature to install the Active Directory provider on your desktop. Open PowerShell and import the module:

PS C:\> Import-Module ActiveDirectory

This will load a lot of cmdlets:

PS C:\> Get-Command -module ActiveDirectory

It will also create a PSDrive rooted to Active Directory:

PS C:\> dir AD:

The cmdlets make it easy to work with users, groups and computers. Find out about yourself:

PS C:\> Get-ADUser $env:username -Properties *

Find all users in the Sales department:

PS C:\> Get-ADUser -Filter "department -eq 'sales'" | select distinguishedname

Or suppose all these users are moving to Omaha. Update their AD account with a single command:

PS C:\> Get-ADUser -Filter "department -eq 'sales'" | Set-ADUser -City "Omaha" -State "NE"

Now let's make sure all Omaha users are in the right group:

PS C:\> Add-ADGroupMember "Omaha Staff" -members (Get-ADUser -Filter "City -eq 'Omaha'")

You can verify group membership like this:

PS C:\> Get-ADGroupMember "Omaha Staff"

Or what about checking who belongs to the Domain Admins group?

PS C:\> Get-ADGroupMember "Domain Admins" | Select Name
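Listing Domain Admins is more useful when the result is compared with who is supposed to be there. The following is an added example, not part of the original column: a read-only audit that expands nested groups with -Recursive and checks each member against an approved list. The function name Get-PrivilegedGroupDrift and the account names in $approved are made up for the illustration.

```powershell
# Added example: read-only audit of a privileged group against an approved list.
# Assumes the ActiveDirectory module and rights to read the domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupDrift {
    param(
        [string]$Group = 'Domain Admins',
        [string[]]$Approved = @()
    )

    # -Recursive expands nested groups, so indirect members are reported too
    $members = @(Get-ADGroupMember -Identity $Group -Recursive)

    foreach ($m in $members) {
        $status = if ($Approved -contains $m.SamAccountName) { 'Approved' } else { 'Unapproved' }

        # Extra account details are only fetched for user objects
        $detail = $null
        if ($m.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet
        }

        New-Object PSObject -Property @{
            Group           = $Group
            Account         = $m.SamAccountName
            ObjectClass     = $m.objectClass
            Status          = $status
            Enabled         = $detail.Enabled
            LastLogonDate   = $detail.LastLogonDate
            PasswordLastSet = $detail.PasswordLastSet
        }
    }

    # Approved names no longer in the group mean the baseline itself is stale
    $current = @($members | ForEach-Object { $_.SamAccountName })
    foreach ($name in $Approved) {
        if ($current -notcontains $name) {
            New-Object PSObject -Property @{
                Group = $Group; Account = $name; ObjectClass = $null; Status = 'NotInGroup'
                Enabled = $null; LastLogonDate = $null; PasswordLastSet = $null
            }
        }
    }
}

# Constructed sample baseline; replace with your own approved admin accounts
$approved = 'adm-alice', 'adm-bob'
Get-PrivilegedGroupDrift -Approved $approved |
    Where-Object { $_.Status -ne 'Approved' } |
    Format-Table Account, ObjectClass, Status, Enabled, LastLogonDate -AutoSize
```

Anything reported as Unapproved is a member nobody signed off on, and an enabled account with an old LastLogonDate is a candidate for removal from the group.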

Are you beginning to see some value here? The Microsoft Active Directory cmdlets have complete help and examples. If you understand basic PowerShell concepts you can begin working with these cmdlets immediately. Look at help to get started:

PS C:\> help about_activedirectory

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.
