The ActiveDirectory Module 2008R2 and 2012 Written and Delivered by: Gary Siepser.


1 The ActiveDirectory Module 2008R2 and 2012 Written and Delivered by: Gary Siepser

2 Microsoft Confidential AD Module Prerequisites
- Server side (we need AD Web Services):
  - At least one 2008 R2 or 2012 DC in the targeted domain, OR
  - A 2003 or 2008 DC running the Active Directory Management Gateway Service
- Client side (we need the AD PowerShell module):
  - OS requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
  - Windows 7 and 8: install the current Remote Server Administration Tools
  - On Server versions, RSAT is already present, just add the feature
  - Add the ActiveDirectory module either through the Add/Remove Features GUI or using PowerShell:
      Install-WindowsFeature RSAT-AD-Powershell
  - To actually use the cmdlets the module must be imported:
    - On PowerShell v2: Import-Module ActiveDirectory
    - On PowerShell v3: you can import manually, but v3 will automatically import a module the first time you attempt to use a command from it

3 New AD Cmdlets
- The current set of AD PowerShell cmdlets can be classified into categories:
  - Account management
  - Topology management
  - Directory object management
  - Provider cmdlets
- New with Server 2012:
  - Active Directory Replication and Topology Management Using Windows PowerShell
  - Installing AD DS Using Windows PowerShell
  - Removing AD DS Using Windows PowerShell

4 New AD Cmdlets
- In the account management set we have cmdlets that:
  - Create, delete, write and read users, groups, computers, managed service accounts and organizational units (OUs)
  - Manage account settings such as expiration date, password, etc.
  - Manage group membership, get account token groups
  - Manage fine-grained password policy and the default domain password policy

5 New AD Cmdlets
- In the topology management set we have cmdlets that:
  - Discover DCs, manage FSMOs, move DCs across sites and get DC info
  - Manage the password replication policy of RODCs
  - Manage domain and forest, set forest and domain functional level
  - Manage optional features

6 New AD Cmdlets
- In the directory object management set we have cmdlets that:
  - Create, delete, write and read all types of AD object
  - Move, rename and restore AD objects
- In the provider cmdlets set we have cmdlets that enable file-system-like browsing of Active Directory through the AD PSDrive

7 New AD Cmdlets (new for 2012)
- The Active Directory Replication and Topology Management cmdlets manage:
  - Replication
  - Sites
  - Site links
- Similar functionality to RepAdmin.exe
- In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, thus creating a streamlined experience and allowing customers to easily create automation scripts.

8 New AD Cmdlets (new for 2012)
- Installing AD DS using Windows PowerShell
  - Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012
- Removing AD DS using Windows PowerShell
  - Uninstall-ADDSDomainController for removal of a domain controller
- Deployment (install and uninstall) cmdlets are in the ADDSDeployment module

9 Getting Help with the Module
- PSv3 introduces Updatable Help
  - No help is included with the cmdlets; it needs to be updated from the internet
  - Tricky with no direct internet connection
  - Can be done offline (Save-Help on a connected machine, then Update-Help targeting the saved copy)
  - The internet-connected machine will only Save-Help for modules it has
    - The deployment module only runs on a DC
    - Likely the internet-connected machine won't have the module, thus no "off-line" help update (copying the module manifest can make this work)

10 Connecting the Cmdlets to AD
- You don't need to do anything to connect to AD with default settings
- PSDrives do add some convenience:
  - When you load the AD PowerShell module (Import-Module ActiveDirectory), a default basic AD drive is created: AD:
  - Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, alternate credentials to AD
  - Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets
  - Example default GC connection drive:
      New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"
- On a cmdlet-by-cmdlet basis you can also control these same connection-related settings
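The connection "flavors" above side by side, as an added example that is not part of the presentation: a GC drive, an explicit-DC drive and an alternate-credential drive, then the same settings passed per cmdlet. The domain contoso.com, the DC name dc1 and the user jpublic are assumed.

```powershell
# Added example (not from the presentation). Assumes domain contoso.com,
# a DC named dc1.contoso.com and an existing user jpublic.
Import-Module ActiveDirectory

# The default AD: drive already exists after import. A Global Catalog drive
# (port 3268) searches the whole forest but only the partial attribute set
# and is read-only for writes ...
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" `
    -Description "Global Catalog Connection" -Server "contoso.com:3268" | Out-Null

# ... an explicit-DC drive pins every operation to one known server, which
# avoids replication-lag surprises when a write is followed by a read ...
New-PSDrive -Name DC1 -PSProvider ActiveDirectory -Root "" `
    -Description "Explicit DC connection" -Server "dc1.contoso.com" | Out-Null

# ... and an alternate-credential drive runs as a separate (delegated) account
# without touching the credentials of the interactive session.
$adminCred = Get-Credential -Message "Delegated admin account for user changes"
New-PSDrive -Name ADMIN -PSProvider ActiveDirectory -Root "" `
    -Description "Alternate credential connection" -Server "dc1.contoso.com" `
    -Credential $adminCred | Out-Null

# The current location decides which connection the cmdlets use.
Set-Location GC:
Get-ADUser -Filter 'Surname -eq "Public"' | Select-Object Name, DistinguishedName

Set-Location ADMIN:
Set-ADUser -Identity jpublic -Office "Miami"

Set-Location DC1:
Get-ADUser -Identity jpublic -Properties Office | Select-Object Name, Office

# The same settings on a cmdlet-by-cmdlet basis, without changing drives.
Set-Location C:
Get-ADUser -Identity jpublic -Server "contoso.com:3268"
Set-ADUser -Identity jpublic -Office "MIA" -Server "dc1.contoso.com" -Credential $adminCred

# Review which AD connections exist in this session.
Get-PSDrive -PSProvider ActiveDirectory | Format-Table Name, Description -AutoSize
```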

11 Key Concept: Object Output from the Cmdlets
- Cmdlets return objects with limited properties by default
- Use the -Properties parameter to specify additional properties to bring back (i.e. '-Properties Office' or '-Properties *')
- Most AD objects have default formatting as a list. Tables tend to be nicer looking, so often you must pipe to Format-Table to get nice-looking results (i.e. Get-ADUser -Filter * | Format-Table Name,GivenName -AutoSize)

12 Key Concept: The -Identity Parameter
- The Identity parameter is the default parameter, at position 1
- Parameter used to target a single object
- The eligible attributes vary by object type
- Example for an ADUser object:
  - Distinguished name
  - GUID (objectGUID)
  - Security identifier (objectSid)
  - SAM account name (sAMAccountName)
- More details in: Get-Help about_ActiveDirectory_Identity (this help topic is only viewable while the module is loaded)

13 Key Concept: The -LDAPFilter Parameter
- This parameter allows for native LDAP filters
- Can use filters created with other tools
- LDAP filters use an odd syntax if you aren't already familiar with it
- Must use actual attribute names from AD
- Unless you are re-using old filters, or are already familiar with this syntax, I recommend using the -Filter parameter instead of -LDAPFilter
- Examples:
    Get-ADUser -LDAPFilter "(givenname=g*)"
    Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
    Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"

14 Key Concept: The -Filter Parameter
- This is a more PowerShell-like syntax that resembles the syntax of Where-Object
- Details can be found in the help topic: about_ActiveDirectory_Filter
- We have more user-friendly names for attributes that can be used, though actual AD attribute names can also be used (to see all the friendly and AD names see: about_ActiveDirectory_ObjectModel)
- Limited operators supported
- Example: Get-ADUser -Filter {surname -eq "Siepser"}
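The three LDAP filters from the previous slide rewritten with -Filter, plus the variable-expansion pitfall, as an added example that is not part of the presentation. The attribute values (givenName prefixes, office "mason") are the slide's own; the $office variable is assumed.

```powershell
# Added example (not from the presentation). The queries mirror the
# -LDAPFilter examples on the previous slide; friendly attribute names are
# used on the -Filter side (GivenName, Office), LDAP names on the other.
Import-Module ActiveDirectory

# 1. givenName starts with "g"
Get-ADUser -LDAPFilter "(givenname=g*)"
Get-ADUser -Filter 'GivenName -like "g*"'

# 2. givenName starts with "g" or "s"
Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
Get-ADUser -Filter 'GivenName -like "g*" -or GivenName -like "s*"'

# 3. ... and office is "mason" (parentheses group the -or before the -and)
Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"
Get-ADUser -Filter '(GivenName -like "g*" -or GivenName -like "s*") -and Office -eq "mason"'

# Variables: a script-block filter is not executed by PowerShell but parsed
# by the cmdlet, so only plain variables expand. Assumed value:
$office = "mason"
Get-ADUser -Filter {Office -eq $office}                 # works

# A property of a variable does NOT expand inside {}; copy it to a simple
# variable first, or build the filter as a string.
$ou = Get-ADOrganizationalUnit -Identity "OU=Mason,DC=contoso,DC=com"   # assumed OU
$ouName = $ou.Name
Get-ADUser -Filter {Office -eq $ouName}
Get-ADUser -Filter "Office -eq '$($ou.Name)'"
```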

15 AD Provider
- The AD provider is available once the AD module is imported:
    PS C:\> Get-PSProvider
    Name             Capabilities    Drives
    ActiveDirectory  Include...      {AD}
- Use the common provider cmdlets to manage the AD drive:
    PS C:\> Set-Location AD:
    PS AD:\> dir
    Name             ObjectClass     DistinguishedName
    contoso          domainDNS       DC=contoso,DC=com
    Configuration    configuration   CN=Configuration,DC=contoso,DC=com
    Schema           dMD             CN=Schema,CN=Configuration,DC=contoso,DC=com
    DomainDnsZones   domainDNS       DC=DomainDnsZones,DC=contoso,DC=com
    ForestDnsZones   domainDNS       DC=ForestDnsZones,DC=contoso,DC=com
    PS AD:\> cd "DC=contoso,DC=com"
    PS AD:\DC=contoso,DC=com\> dir | ft pschildname
    PS AD:\DC=contoso,DC=com\> md "OU=Test"
    PS AD:\DC=contoso,DC=com\> cd "OU=Test"
    PS AD:\OU=Test,DC=contoso,DC=com\>

16 User Account Management Examples
- Create user:
    New-ADUser -Name jpublic -SamAccountName "jpublic" `
        -GivenName "John" -Surname "Public" -DisplayName "John Public"
    Import-Csv c:\pristine.csv | New-ADUser -Office Miami
- Modify user:
    Set-ADUser -Identity "jpublic" -Title "Engineer"
    Get-ADUser -Filter {office -eq 'Miami'} | Set-ADUser -Office MIA
- Delete user:
    Remove-ADUser jpublic
    Get-ADUser -Filter {office -eq 'Miami'} | Remove-ADUser
  (-Identity targets a single AD object only!)
- Query users:
    Get-ADUser -Filter * -Properties *
    Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData
    Get-ADUser -Filter {office -eq 'Los Angeles'}

17 Computer Account Management Examples
- Find stale computer accounts:
    $OneYearAgo = (Get-Date).AddYears(-1)
    Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount
  OR
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180
- Computer information:
    Get-ADComputer -Filter * -Properties name,OperatingSystem,`
        OperatingSystemServicePack,OperatingSystemVersion | Out-GridView
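The stale-computer clean-up above carried through with a report and a dry run before anything is disabled, as an added example that is not part of the presentation. The report path C:\Reports is assumed.

```powershell
# Added example (not from the presentation). Assumes the ActiveDirectory
# module and a writable C:\Reports folder for the CSV.
Import-Module ActiveDirectory
$OneYearAgo = (Get-Date).AddYears(-1)

# Server-side filter, as on the slide, restricted to accounts that are still
# enabled. LastLogonTimeStamp is only replicated every 9-14 days, so it is a
# coarse signal; for a one-year threshold that granularity does not matter.
$stale = Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo -and Enabled -eq $true} `
                        -Properties LastLogonTimeStamp, OperatingSystem

# The raw attribute is a 64-bit FILETIME; convert it for the report.
$report = $stale | Select-Object Name, OperatingSystem, DistinguishedName,
    @{ Name = "LastLogon"; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
$report | Export-Csv -Path "C:\Reports\stale-computers.csv" -NoTypeInformation

# Cross-check against the module's own inactivity search (180 days here, so
# it should be a superset); anything only in our list deserves a second look.
$inactive = Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan "180.00:00:00" |
            Select-Object -ExpandProperty Name
$report | Where-Object { $inactive -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Only found by the LastLogonTimeStamp filter: $($_.Name)" }

# Dry run first, then the real change. Disabling (rather than removing) keeps
# the object and its SID, so a machine that turns out to be live can simply be
# re-enabled.
$stale | Disable-ADAccount -WhatIf
$stale | Disable-ADAccount -Confirm:$false
```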

18 Group Management Examples
- Populate group:
    $ITUsers = Get-ADUser -Filter {Department -eq "IT"}
    Add-ADGroupMember -Identity ITCommunications -Members $ITUsers
  OR
    $ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications
- Create group:
    New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
        -GroupScope "Global" -GroupCategory "Security"
- Enumerate group:
    Get-ADGroupMember IT              (only direct members of the group, which includes nested groups)
    Get-ADGroupMember IT -Recursive   (users in nested groups as well)

19 Group Management (continued)
- Remove from group:
    $ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"
  OR
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers
- TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one time:
    $OriginalConfirmPreference = $ConfirmPreference
    $ConfirmPreference = "None"
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers
    $ConfirmPreference = $OriginalConfirmPreference
  OR
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$False

20 Multi-Valued Attributes
- Example: OtherTelephone
- A multi-valued attribute can contain a single value or multiple values
- Each value must be unique
- Use a hash table (key/value pairs)
- User telephone numbers:
    New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" `
        -Name "Sales1" -SamAccountName "Sales1" `
        -UserPrincipalName `
        -Department "sales" -OtherAttributes
    New-ADUser -Identity jpublic `
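The hash-table handling of a multi-valued attribute worked through for otherTelephone, as an added example that is not part of the presentation: filling it at creation time, then adding, removing and replacing values. The OU path, the user Sales1, the UPN and the phone numbers are assumed values.

```powershell
# Added example (not from the presentation). All values below are assumed.
Import-Module ActiveDirectory

# At creation time -OtherAttributes takes a hash table keyed by the AD
# attribute name; an array value fills a multi-valued attribute with
# several entries in one call.
New-ADUser -Path "OU=Sales,OU=Departments,DC=contoso,DC=com" `
    -Name "Sales1" -SamAccountName "Sales1" `
    -UserPrincipalName "sales1@contoso.com" -Department "Sales" `
    -OtherAttributes @{ otherTelephone = @("+1 555 0100", "+1 555 0101") }

# Later changes go through Set-ADUser -Add / -Remove / -Replace / -Clear,
# each of which also takes a hash table keyed by attribute name.
Set-ADUser -Identity Sales1 -Add    @{ otherTelephone = "+1 555 0102" }
Set-ADUser -Identity Sales1 -Remove @{ otherTelephone = "+1 555 0100" }

# Values must be unique: adding one that is already present is rejected by
# the DC, so check first when the source data may contain duplicates.
$user = Get-ADUser -Identity Sales1 -Properties otherTelephone
$candidate = "+1 555 0101"
if ($user.otherTelephone -notcontains $candidate) {
    Set-ADUser -Identity $user -Add @{ otherTelephone = $candidate }
}

# -Replace overwrites the whole value set; -Clear empties the attribute.
Set-ADUser -Identity Sales1 -Replace @{ otherTelephone = @("+1 555 0200") }
Get-ADUser -Identity Sales1 -Properties otherTelephone |
    Select-Object -ExpandProperty otherTelephone
Set-ADUser -Identity Sales1 -Clear otherTelephone
```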

21 New Site Management (2012 Module)
- To create a new site:
    New-ADReplicationSite BRANCH1
  This command creates the new branch office site, BRANCH1.
- To create a new site link:
    New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1
  This command creates the site link to BRANCH1 and turns on the change notification process.
- To set the site link cost and replication frequency:
    Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15
  This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.
- To move a domain controller to a different site:
    Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1
  This command moves the domain controller DC2 to the BRANCH1 site.

22 Checking Replication Status (2012 Module)
- Get-ADReplicationUpToDatenessVectorTable
- Look at the "high water mark": the highest USN per server and replication partner
- The example below has great variance: DC3 is not up to date, it's missing many new user accounts. The numbers are too far apart.

23 Domain Controller Deployment (2012 Server)
- Separate PS module: ADDSDeployment
    PS C:\> Get-Command -Module ADDSDeployment

    CommandType  Name                                               ModuleName
    Cmdlet       Add-ADDSReadOnlyDomainControllerAccount            ADDSDeployment
    Cmdlet       Install-ADDSDomain                                 ADDSDeployment
    Cmdlet       Install-ADDSDomainController                       ADDSDeployment
    Cmdlet       Install-ADDSForest                                 ADDSDeployment
    Cmdlet       Test-ADDSDomainControllerInstallation              ADDSDeployment
    Cmdlet       Test-ADDSDomainControllerUninstallation            ADDSDeployment
    Cmdlet       Test-ADDSDomainInstallation                        ADDSDeployment
    Cmdlet       Test-ADDSForestInstallation                        ADDSDeployment
    Cmdlet       Test-ADDSReadOnlyDomainControllerAccountCreation   ADDSDeployment
    Cmdlet       Uninstall-ADDSDomainController                     ADDSDeployment
- Example:
    Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)
  In this example, you would be prompted for the safe mode password, and for credentials to actually join the domain as a DC. All prompts can be answered ahead and thus suppressed
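The promotion above with every prompt answered ahead of time and a prerequisite test run first, as an added example that is not part of the presentation. The site name BRANCH1 and the decision to install DNS are assumptions; child.contoso.com is the slide's own domain.

```powershell
# Added example (not from the presentation). Assumes the ADDSDeployment
# module on a Server 2012 member server and an existing site named BRANCH1.
Import-Module ADDSDeployment

# Collect the two secrets interactively once, so neither the DSRM password
# nor the promotion credential has to be written into the script.
$dsrmPassword = Read-Host -AsSecureString "Directory Services Restore Mode password"
$domainCred   = Get-Credential -Message "Account allowed to add a DC to child.contoso.com"

# Everything the cmdlet would otherwise prompt for, supplied up front.
$params = @{
    DomainName                    = "child.contoso.com"
    Credential                    = $domainCred
    SafeModeAdministratorPassword = $dsrmPassword
    SiteName                      = "BRANCH1"
    InstallDns                    = $true
}

# Run the prerequisite checks with the same parameters; this changes nothing
# and reports problems (missing rights, DNS, replication source) ahead of time.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne "Success") {
    Write-Warning $check.Message
    throw "Prerequisite check for child.contoso.com failed; not promoting."
}

# -Force suppresses the remaining confirmation; -NoRebootOnCompletion lets
# the reboot happen in a maintenance window instead of immediately.
Install-ADDSDomainController @params -NoRebootOnCompletion -Force
```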

24 Thank You
- Go out there and deal with the prerequisites now
- Get the module ready to roll even if you don't use it much
- Once you get hooked on the "PowerShell" way, you'll probably start hating the GUI
- That doesn't mean to avoid the GUI, you'll just find that language-based administration can really rock sometimes
- Play, play, play and discover all the other great nuggets I haven't found yet. This stuff is brand new

25 Resources
- Active Directory Administration with Windows PowerShell
- Active Directory PowerShell blog
- Active Directory Replication and Topology Management Using Windows PowerShell
- Installing AD DS Using Windows PowerShell
- Removing AD DS Using Windows PowerShell
- In the Dynamic Access Control deployment documentation, look for any sections that are labeled "Windows PowerShell equivalent commands"
- In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller
