automating active directory mgmt in powershell
DESCRIPTION
TRANSCRIPT
Automating Active Directory Automating Active Directory Management in Windows PowerShellManagement in Windows PowerShellDon JonesDon JonesConcentratedTech.com
Pre-requisites for this presentation:
1) Familiarity with AD administration 2) Basic understanding of how to use Windows PowerShell
Level: Intermediate
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it
within your own organization however you like.
For more information on our company, including information on private classes and upcoming conference appearances, please
visit our Web site, www.ConcentratedTech.com.
For links to newly-posted decks, follow us on Twitter:@concentrateddon or @concentratdgreg
This work is copyright ©Concentrated Technology, LLC
About the InstructorAbout the Instructor
Don Jones Contributing Editor,
technetmagazine.com IT author, consultant, and speaker Co-founder of Concentrated Technology Seven-time recipient of Microsoft’s Most
Valuable Professional (MVP) Award Author and Editor-in-Chief for Realtime
Publishers Trainer for www.CBTNuggets.com
About this SessionAbout this Session
Primarily demo – not slides We’ll start with some key functional
concepts, and move right into the “how-to”
Bring your questions – anytime is the time to ask them! Don’t save ‘em for the end.
We’ll take a quick break halfway through
Start ThinkingStart Thinking
Since we’re mostly doing demos, start thinking of AD administrative tasks you’d like to automate
I’ll take your suggestions and construct some demos on the fly
Cool…Cool…
I’ll capture everything I type in the shell into a text file, and save all of my scripts
There’s no need for you to copy down anything I do
It’ll all be available for download from my Web site after the show
URL is on the last slide, and there are “reminder” cards if you’d like to take one
Now let’s go…
RequirementsRequirements
Windows PowerShell v2 Windows 7 or Windows Server 2008 R2
– PowerShell v2 is available back to WinXP– You need a Win7 or Win2008R2 machine to run
the commands I’ll be showing – at least one such machine in your environment
Compatible Domain Controller– Windows Server 2008 R2– Windows Server 2008 (w/Gateway Service)– Windows Server 2003 (w/Gateway Service)
Gateway ServiceGateway Service
The PowerShell AD commands “talk” to a Gateway Service
Ships with Win2008R2 Available for Win2008/Win2003 – you
do not need a 2008 R2 domain controller
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=008940c6-0296-4597-be3e-1d24c1cf0dda
Managing from Vista/XP?Managing from Vista/XP?
No problem – get PowerShell v2 installed and I’ll show you how you can use these older versions to run the AD commands
This’ll come at the end PowerShell v2:
http://support.microsoft.com/kb/968929– Win2003, Win2008, WinXP, Win2003, Vista– Preinstalled w/Win2008R2 and Win7
First: The AD ModuleFirst: The AD Module
This module is installed with AD in Win2008R2, and with the RSAT on Win7
Import-Module ActiveDirectory Adds a PSDrive provider an several
dozen new cmdlets Using it a lot? Put the Import-Module
command into your PowerShell profile script
Second: The AD: DriveSecond: The AD: Drive
A drive (AD:) is automatically mapped to your logon domain
You can map additional drives to other domains
Change to the AD: drive and run New-PSDrive to do so
You can specify alternate credentials for the drive mapping
WhatWhat’’s the Drive For?s the Drive For?
The drive is useful for managing ACLs using Get-ACL and Set-ACL
It’s primary purpose, however, is to “remember” the credentials you used to map the drive in the first place
Whenever you are “in” an AD drive, any AD cmdlets you run will automatically use the drive’s credentials
Saves you from having to specify a –credential parameter for every command!
Third: The AD CmdletsThird: The AD Cmdlets
Let’s see the cmdlets added by this module
They come with full help, including detailed usage examples
RTFM – The help is your friend!!! Let’s play with a few of these cmdlets to
get a feel for how they work Remember, you can always specify
–credential, but if you’re “in” an AD drive, it’ll use those credentials automatically
Pipeline InputPipeline Input
Most AD cmdlets accept pipeline input, meaning you don’t have to specify parameters – you can pipe data in
Each parameter can attach to pipeline input “ByValue” or “ByPropertyName”
Let’s look at the differences with a very cool example
ByPropertyNameByPropertyName
This requires input objects’ property names to match the parameter names
What if they don’t? Use Select-Object to copy an existing
property to a new one having a matching name
Let’s see another tres cool example
GotchasGotchas
New-ADUser’s docs don’t say that –Name is required – it is
-samAccountName is not required – but it is. Let’s see why.
GotchasGotchas
By default, most Get-AD* cmdlets only pull over a subset of attributes
Use the –property parameter (e.g., -prop *) to pull over more
This raises the load on the responding domain controller – use with some caution
Let’s see
Best PracticeBest Practice
Always use –filter to minimize what’s brought back by a Get-AD* cmdlet (that’s why –filter is a required parameter)
Don’t rely on –filter * in a production environment
-filter uses standard PowerShell comparison operators
Let’s see
TipTip
If you don’t know LDAP naming conventions, this is a good time to learn– CN = Canonical Name (user, group, container)– OU = organizational unit– DC = DNS domain name component
Cn=DonJ,ou=Sales,ou=West,dc=company,dc=com
Work from the more specific to the least specific (object to top-level domain)
Pipeline OutputPipeline Output
Many AD cmdlets don’t normally produce output
-passThru forces them to output whatever object they created or whatever object was input
This enables powerful command chains – one liners that accomplish the work of a complicated script
Let’s see!
PasswordsPasswords
Cmdlets which accept a password require it as a SecureString
Use ConvertTo-SecureString string –force to create a secure string
Let’s see…
Demos, Demos, DemosDemos, Demos, Demos
Let’s take some of your suggestions for demos
We’ll also make sure we run through at least one quick demo for each major category of cmdlets
We’ve got the time – so you’ll get to see how everything works
Remember, this is all going into a transcript and I’m saving my script files – download URL at the end!
Using an Older OS?Using an Older OS?
Provided you have:– A domain controller running the Gateway Service– At least one Win7 or Win2008R2 machine
You can use the AD commands on XP, Vista, 2003, and 2008 RTM
Using a feature called implicit remoting Establish a PSSession remoting
connection to the Win7 or Win2008R2 machine
“Import” the AD commands from the remote machine
Implicit RemotingImplicit Remoting
Step 1Step 1
Establish a session to a remote machine that has the cmdlets
Tell the remote session to import the AD module
Step 2Step 2
Export the AD commands to an Implicit Remoting Module – this is a module that lives on your local disk
PowerShell will create this in your Documents folder under WindowsPowerShell/Modules
Step 3Step 3
To use the remote commands, make sure the remote machine is running
Import the module that’s on your local computer
Notice that you specify a prefix for the remote commands
New-ADUser is now New-RemADUser Helps distinguish remote commands
Help?Help?
You can’t get help on remote commands until the remote session is running
Get the remote session running by trying to run a remote command
Break out of the command if you don’t really want to run it
Running CommandsRunning Commands
What’s on your local computer is a “pointer” to the real cmdlet running on the remote machine
The cmdlet execution takes place remotely; you see the results on your computer
Great way to run commands that don’t, or can’t, exist on your local machine – but which do exist on another machine on the network
Great reason to get one Win2008R2 DC in the environment
Finished?Finished?
The remote session will close as soon as your local PowerShell session closes
This all requires that PowerShell remoting be set up in advance – that’s a whole separate session!
Q&AQ&A
Last chance for Q&A Also a last chance for some additional
demos
Thank You!Thank You!
Please feel free to pick up a card if you’d like copies of my session materials
I’ll be happy to take any last questions while I pack up
Please complete and submit an evaluation form for this and every session you attend!
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it
within your own organization however you like.
For more information on our company, including information on private classes and upcoming conference appearances, please
visit our Web site, www.ConcentratedTech.com.
For links to newly-posted decks, follow us on Twitter:@concentrateddon or @concentratdgreg
This work is copyright ©Concentrated Technology, LLC