Powershell Jump Start


The ActiveDirectory Module

2008R2 and 2012

Written and Delivered by:

Gary Siepser

Premier Field Engineering

A Customer Service and Support Organization

AD Module Prerequisites

Server Side (We need AD Web Services)

 At least one 2008 R2 or 2012 DC in the targeted domain, OR

 A 2003 or 2008 DC running the Active Directory Management Gateway Service

 Client Side (We need the AD PowerShell Module)

 OS Requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

 Windows 7 and 8: Install current Remote Server Administration Tools

 On Server versions, RSAT is already present; just add the feature

 Add the ActiveDirectory Module either through the Add/Remove Features GUI or using PowerShell:

 Install-WindowsFeature RSAT-AD-Powershell

 To actually use the cmdlets the module must be imported

 On PowerShell v2: Import-Module ActiveDirectory

 PowerShell v3: you can still import manually, but v3 automatically imports a module the first time you use one of its commands
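The prerequisite list above is what a script should verify before it relies on the module. The following check is an added example, not part of the deck: it confirms the client-side module is present, imports it explicitly (so the check also works on v2, which has no autoloading), and then asks the DC locator for a domain controller that advertises AD Web Services, which is the server-side prerequisite. The function name Test-ADModuleReady is an assumption for this example; every cmdlet and parameter it calls is standard.

```powershell
function Test-ADModuleReady {
    [CmdletBinding()]
    param(
        # Optional: target a specific domain; defaults to the computer's own domain
        [string]$Domain
    )

    # 1. Client side: is the RSAT AD PowerShell module installed on this machine?
    $module = Get-Module -ListAvailable -Name ActiveDirectory
    if (-not $module) {
        Write-Warning 'ActiveDirectory module not installed. Server: Install-WindowsFeature RSAT-AD-PowerShell; Windows 7/8: install RSAT.'
        return $false
    }

    # 2. Import explicitly; PowerShell v2 does not autoload modules
    Import-Module ActiveDirectory -ErrorAction Stop

    # 3. Server side: find a DC that advertises AD Web Services (ADWS).
    #    -Discover uses the DC locator, so no AD query is issued before we know ADWS exists.
    $params = @{ Discover = $true; Service = 'ADWS'; ErrorAction = 'Stop' }
    if ($Domain) { $params['DomainName'] = $Domain }
    try {
        $dc = Get-ADDomainController @params
    } catch {
        Write-Warning "No DC with AD Web Services found: $($_.Exception.Message)"
        return $false
    }

    Write-Verbose "AD Web Services available on $($dc.HostName)"
    return $true
}

# Usage: run with -Verbose to see which DC answered
Test-ADModuleReady -Verbose
```

If the third step fails on a domain that has only 2003 or 2008 DCs, that is the signal to install the Active Directory Management Gateway Service on one of them, as the slide lists.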

Microsoft Confidential

New AD Cmdlets

 The current set of AD Powershell cmdlets can be classified into categories:

 Account Management

 Topology management

 Directory object management

 Provider cmdlets

 New with Server 2012

 Active Directory Replication and Topology Management Using Windows PowerShell

 Installing AD DS Using Windows PowerShell

 Removing AD DS Using Windows PowerShell


New AD Cmdlets

 In the account management set we have cmdlets that –

 Create, delete, write and read users, groups, computers, managed service accounts and organizational units (OUs).

 Manage account settings such as: expiration date, password etc.

 Manage group membership, get account token groups.

 Manage fine grained password policy and default domain password policy.


New AD Cmdlets

 In the topology management set we have cmdlets that –

 Discover DCs, manage FSMOs, move DCs across site and get DC info.

 Manage password replication policy of RODCs.

 Manage domain and forest, set forest and domain functional level.

 Manage optional features.


New AD Cmdlets

 In the directory object management set we have cmdlets that –

 Create, delete, write and read all types of AD object.

 Move, rename and restore AD objects.

 In the Provider cmdlet set we have cmdlets that enable file-system-like browsing of Active Directory through a PSDrive.


New AD Cmdlets (new for 2012)

 In the Active Directory Replication and Topology Management set we have cmdlets that –

 Manage replication, sites and site links

 Similar functionality to RepAdmin.exe

 In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, thus creating a streamlined experience and allowing customers to easily create automation scripts.


New AD Cmdlets (new for 2012)

 Installing AD DS Using Windows PowerShell

 Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012

 Removing AD DS Using Windows PowerShell

 Uninstall-ADDSDomainController for removal of a Domain Controller

 Deployment (install and uninstall) cmdlets are in the ADDSDeployment module


Getting Help with the Module

 PSv3 Introduces Updatable Help

 No help is included with the cmdlets; it needs to be updated from the internet

 Tricky with no direct internet connection

 Can be done offline (Save-Help on a connected machine, then Update-Help on the target)

 The internet-connected machine will only Save-Help for modules it has

 The Deployment module only runs on a DC

 Likely the internet-connected machine won't have the module, thus no "offline" help update (copying the module manifest can make this work)


Connecting the Cmdlets to AD

 You don’t need to do anything to connect to AD with default settings

 PSDrives do add some convenience:

 When you load the AD PowerShell module (import-module activedirectory), a default basic AD drive is created: AD:

 Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, alternate credentials to AD

 Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets

 Example Default GC Connection Drive:

New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"

 On a cmdlet-by-cmdlet basis you can also control these same connection related settings
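The "different flavors" of connection the slide mentions, shown side by side as an added example (not the deck's own code): an explicit-DC drive under alternate credentials, a global-catalog drive, and the same settings passed per cmdlet with no drive at all. The server name dc1.contoso.com, the drive name ADMIN and the account jpublic are placeholders; the credential is prompted for rather than stored in the script, and the write operations carry -WhatIf so the example only previews changes.

```powershell
Import-Module ActiveDirectory

# (a) A drive bound to one specific DC, using alternate (admin) credentials.
#     Get-Credential prompts; the password never lands in the script file.
$adminCred = Get-Credential -Message 'Account for the ADMIN: drive'
New-PSDrive -Name ADMIN -PSProvider ActiveDirectory -Root '' `
    -Server 'dc1.contoso.com' -Credential $adminCred `
    -Description 'Explicit DC, alternate credentials'

# (b) A global-catalog drive (port 3268) for forest-wide, read-only lookups
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root '' `
    -Server 'contoso.com:3268' -Description 'Global Catalog connection'

# Once the current location is an AD drive, cmdlets without -Server/-Credential
# inherit that drive's connection.
Set-Location GC:
Get-ADUser -Filter { surname -eq 'Public' } | Select-Object Name, DistinguishedName

Set-Location ADMIN:
Set-ADUser -Identity jpublic -Title 'Engineer' -WhatIf    # preview only

# (c) The same two settings on a cmdlet-by-cmdlet basis, no drive involved
Get-ADUser -Identity jpublic -Server 'contoso.com:3268'
Set-ADUser -Identity jpublic -Title 'Engineer' `
    -Server 'dc1.contoso.com' -Credential $adminCred -WhatIf

Set-Location C:
```

Separating the read-only GC drive from the privileged ADMIN drive keeps the elevated credential in use only for the cmdlets that actually need it.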


Key Concept: Object Output from the Cmdlets

 Cmdlets return objects with limited properties by default

 Use the –Properties param to specify additional properties to bring back (i.e. '–Properties office' or '–Properties *')

 Most AD objects have default formatting of a list. Tables tend to be nicer looking, so often you must pipe to Format-Table to get nice-looking results (i.e. Get-ADUser –Filter * | Format-Table Name,GivenName –AutoSize)


Key Concept: The -Identity Parameter

 The identity param is the default param, and position 1

 Param used to target a single object

 The eligible attributes vary by object type

 Example for ADUser Object:

 Distinguished Name

 GUID (objectGUID)

 Security Identifier (objectSid)

 SAM Account Name (sAMAccountName)

 More details in: Get-Help about_ActiveDirectory_Identity (this help topic is only viewable while the module is loaded)


Key Concept: The -LDAPFilter Parameter

 This parameter allows for native LDAP filters

 Can use filter created from other tools

 LDAP filters use an odd syntax if you aren't already familiar with it

 Must use actual attribute names from AD

 Unless you are re-using old filters, or already are familiar with this syntax, I recommend using the –filter param instead of -LDAPFilter

 Ex:

Get-ADUser -LDAPFilter "(givenname=g*)"

Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"

Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"


Key Concept: The –Filter Parameter

 This is a more PowerShell-like syntax that resembles the syntax of a Where-Object

 Details can be found in the help topic: about_ActiveDirectory_Filter

 We have more user-friendly names for attributes that can be used, though actual AD attribute names can also be used (to see all the friendly and AD names see: about_ActiveDirectory_ObjectModel)

 Limited operators supported

 Ex:

Get-ADUser -Filter {surname -eq "Siepser"}
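The -LDAPFilter and -Filter slides above describe the same query language in two syntaxes. The following added example (not from the deck) writes one common audit query both ways, enabled accounts whose password never expires, and checks that the two result sets agree. It shows the practical difference the slides point at: -Filter accepts the friendly name PasswordNeverExpires, while raw LDAP has no such attribute and must test bit 0x10000 (65536) of userAccountControl with the bitwise-AND matching rule OID 1.2.840.113556.1.4.803; the disabled flag is bit 0x2. Nothing in it modifies AD.

```powershell
Import-Module ActiveDirectory

# -Filter: PowerShell-style syntax with friendly property names
$viaFilter = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                   -Properties PasswordNeverExpires, PasswordLastSet)

# -LDAPFilter: native LDAP. Both flags live in userAccountControl, so each is a
# bitwise-AND test; the (!...) clause excludes disabled accounts.
$ldap = '(&(objectCategory=person)(objectClass=user)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$viaLdap = @(Get-ADUser -LDAPFilter $ldap -Properties PasswordNeverExpires, PasswordLastSet)

# The two forms describe the same set, so the difference should be empty
$diff = @(Compare-Object -ReferenceObject $viaFilter -DifferenceObject $viaLdap -Property SamAccountName)
'Filter: {0}  LDAPFilter: {1}  differences: {2}' -f $viaFilter.Count, $viaLdap.Count, $diff.Count

# Default output is a list; a sorted table is easier to review
$viaFilter | Sort-Object PasswordLastSet |
    Format-Table Name, SamAccountName, PasswordLastSet -AutoSize
```

Keeping -Filter for new scripts, as the LDAPFilter slide recommends, avoids having to remember the flag values; the LDAP form is mainly useful when reusing a filter from another tool.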


AD Provider

 AD Provider is available once AD Module is imported:

PS C:\> Get-PSProvider

Name                 Capabilities    Drives
----                 ------------    ------
ActiveDirectory      Include...      {AD}

 Use common Provider cmdlets to manage AD drive:

PS C:\> Set-Location ad:
PS AD:\> dir

Name                 ObjectClass    DistinguishedName
----                 -----------    -----------------
contoso              domainDNS      DC=contoso,DC=com
Configuration        configuration  CN=Configuration,DC=contoso,DC=com
Schema               dMD            CN=Schema,CN=Configuration,DC=contoso,DC=com
DomainDnsZones       domainDNS      DC=DomainDnsZones,DC=contoso,DC=com
ForestDnsZones       domainDNS      DC=ForestDnsZones,DC=contoso,DC=com

PS AD:\> cd "DC=contoso,DC=com"
PS AD:\DC=contoso,DC=com\> dir | ft pschildname
PS AD:\DC=contoso,DC=com\> md "OU=Test"
PS AD:\DC=contoso,DC=com\> cd "OU=Test"
PS AD:\OU=Test,DC=contoso,DC=com\>


User Account Management Examples

Create User

New-ADUser -Name jpublic -SamAccountName "jpublic" `
    -GivenName "John" -Surname "Public" -DisplayName "John Public"

Import-Csv c:\pristine.csv | New-ADUser -Office Miami

Query Users

Get-ADUser -Filter * -Properties *

Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData

Get-ADUser -Filter {office -eq 'Los Angeles'}

Modify User

Set-ADUser -Identity "jpublic" -Title "Engineer"    # -Identity targets a single AD object only!

Get-ADUser -Filter {office -eq 'Miami'} | Set-ADUser -Office MIA

Delete User

Remove-ADUser jpublic

Get-ADUser -Filter {office -eq 'Miami'} | Remove-ADUser


Computer Account Management Examples

Computer Information

Get-ADComputer -Filter * -Properties Name,OperatingSystem,`
    OperatingSystemServicePack,OperatingSystemVersion | Out-GridView

Find Stale Computer Accounts

$OneYearAgo = (Get-Date).AddYears(-1)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount

OR

Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180
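The stale-computer one-liner above disables accounts directly off a raw lastLogonTimestamp comparison. The following added example (not from the deck) turns it into the reviewable version an administrator would actually run: it converts the timestamp to a readable date, writes the candidate list to a CSV for review, previews the disable with -WhatIf, and keeps the Search-ADAccount form for comparison. The function name Get-StaleADComputer and the report path are assumptions for this example.

```powershell
Import-Module ActiveDirectory

function Get-StaleADComputer {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 180,
        # The review list is written here before any account is touched
        [string]$ReportPath = "$env:TEMP\stale-computers.csv"
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    # lastLogonTimestamp is replicated (lastLogon is not), but it is only refreshed
    # roughly every 14 days, so treat it as a lower bound on the real last logon.
    $stale = Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
                 -Properties LastLogonTimeStamp, OperatingSystem, whenCreated |
             Select-Object Name, OperatingSystem, whenCreated, DistinguishedName,
                 @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

    $stale | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose "Wrote $(@($stale).Count) candidate(s) to $ReportPath"
    return $stale
}

# 1. Review the candidates (a year of inactivity here, as on the slide)
$candidates = Get-StaleADComputer -DaysInactive 365 -Verbose
$candidates | Format-Table Name, OperatingSystem, LastLogon -AutoSize

# 2. Preview only. Disable-ADAccount keeps the object, so a wrongly flagged
#    machine can simply be re-enabled; Remove-ADComputer could not be undone as easily.
$candidates | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }

# 3. After review, drop -WhatIf and keep the confirmation prompt:
# $candidates | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -Confirm }

# The slide's Search-ADAccount form gives a comparable list with no date arithmetic
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays(180)) |
    Where-Object { $_.Enabled } | Select-Object Name, LastLogonDate
```

Filtering on Enabled -eq $true keeps accounts that were already disabled out of the report, so repeated runs only surface new candidates.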


Group Management Examples

Enumerate Group

Get-ADGroupMember IT               # only direct members of the group (includes groups)

Get-ADGroupMember IT -Recursive    # users in nested groups as well

Create Group

New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
    -GroupScope "Global" -GroupCategory "Security"

Populate Group

$ITUsers = Get-ADUser -Filter {Department -eq "IT"}

Add-ADGroupMember -Identity ITCommunications -Members $ITUsers

OR

$ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications


Group Management (continued)

Remove From Group

$ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"

OR

Remove-ADGroupMember -Identity "IT" -Members $ITUsers

TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one time

$OriginalConfirmPreference = $ConfirmPreference

$ConfirmPreference = "None"

Remove-ADGroupMember -Identity "IT" -Members $ITUsers

$ConfirmPreference = $OriginalConfirmPreference

OR

Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$False


Multi-Valued Attributes

 Example: otherTelephone

 A multi-valued attribute can contain a single value or multiple values

 Each value must be unique

 Use a hash table (key/value pairs), i.e. @{}

New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" `
    -Name "Sales1" -SamAccountName "Sales1" `
    -UserPrincipalName "Sales1@contoso.com" `
    -Department "sales" -OtherAttributes `
    @{otherTelephone="555-555-5555","123-456-7890"}

User Telephone Numbers (existing user)

# Adding to an existing object is Set-ADUser; New-ADUser has no -Identity or -Add
Set-ADUser -Identity jpublic `
    -Add @{otherTelephone="555-555-5555","123-456-7890"}
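The slide shows -Add only; the following added example (not the deck's code) goes through the full set of Set-ADUser operations on a multi-valued attribute, -Add, -Remove, -Replace and -Clear, and checks for existing values first, since AD rejects a duplicate in a multi-valued attribute. The account jpublic and the numbers are the sample values from the slides.

```powershell
Import-Module ActiveDirectory
$user = 'jpublic'

# -Add appends. Each value must be unique, so filter out ones already present.
$current = @((Get-ADUser $user -Properties otherTelephone).otherTelephone)
$new = @('555-555-5555', '123-456-7890') | Where-Object { $current -notcontains $_ }
if ($new) { Set-ADUser $user -Add @{ otherTelephone = @($new) } }

# -Remove deletes the named values and leaves the rest in place
Set-ADUser $user -Remove @{ otherTelephone = '123-456-7890' }

# -Replace overwrites the whole value set with what you supply
Set-ADUser $user -Replace @{ otherTelephone = @('555-000-0000', '555-000-0001') }

# -Clear empties the attribute entirely
Set-ADUser $user -Clear otherTelephone

# Read back; an empty result here confirms the -Clear
(Get-ADUser $user -Properties otherTelephone).otherTelephone
```

The same four parameters work on any multi-valued attribute, not just otherTelephone, and on the other Set-AD* cmdlets.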


New Site Management (2012 Module)

To create a new site

 New-ADReplicationSite BRANCH1

 This command creates the new branch office site, BRANCH1.

To create a new site link

 New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}

 This command creates the site link to BRANCH1 and turns on the change notification process.

To set the site link cost and replication frequency

 Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15

 This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.

To move a domain controller to a different site

 Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1

 This command moves the domain controller DC2 to the BRANCH1 site.


Checking Replication Status (2012 Module)

 Get-ADReplicationUpToDatenessVectorTable

 Look at the "high water mark": the highest USN per server and replication partner

 Example below has great variance:

PS > Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Server,UsnFilter,Partner -AutoSize

Server                    UsnFilter Partner
------                    --------- -------
2012DC1.contoso.com           20796 CN=NTDS Settings,CN=2012DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com     22459 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC3.child.contoso.com     17039 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com     12777 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...
2012DC3.child.contoso.com     13260 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...

 DC3 is not up to date; it's missing many new user accounts:

Replication Behind

PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
4

Replication Caught Up

PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
804
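The slide spots the lagging DC by eyeballing USNs and counting users on two servers by hand. The following added example (not from the deck) does the same check systematically with the 2012 module: it walks every DC, pulls the inbound partner metadata, reports hours since the last successful replication and consecutive failures per partner and partition, then repeats the object-count comparison across all DCs. The function name Get-ReplicationHealth and the output column names are assumptions for this example; Get-ADReplicationPartnerMetadata and the properties read from it are the module's own.

```powershell
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    # One row per DC / inbound partner / partition
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -Partition * |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc.HostName
                    # Partner is the NTDS Settings DN; its second RDN is the partner's server name
                    Partner     = ($_.Partner -split ',')[1] -replace '^CN='
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    HoursBehind = [math]::Round(((Get-Date) - $_.LastReplicationSuccess).TotalHours, 1)
                    Failures    = $_.ConsecutiveReplicationFailures
                    LastResult  = $_.LastReplicationResult    # 0 = success, otherwise a Win32 error code
                }
            }
    }
}

# Worst partners first; anything with Failures > 0 or a large HoursBehind needs a look
Get-ReplicationHealth | Sort-Object HoursBehind -Descending |
    Format-Table Server, Partner, Partition, HoursBehind, Failures, LastResult -AutoSize

# The slide's user-count check, run against every DC instead of two by hand.
# Counts that differ between DCs show the lag from the user's point of view.
foreach ($dc in Get-ADDomainController -Filter *) {
    $count = @(Get-ADUser -Filter * -Server $dc.HostName).Count
    '{0,-30} users: {1}' -f $dc.HostName, $count
}
```

Counting objects per DC is a coarse check (it only catches lag on the domain partition), which is why the metadata report is listed first; the two together correspond to what repadmin /showrepl and a manual count would give.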


Domain Controller Deployment (2012 Server)

 Separate PS Module – ADDSDeployment

PS C:\> Get-Command -Module ADDSDeployment

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Cmdlet          Add-ADDSReadOnlyDomainControllerAccount            ADDSDeployment
Cmdlet          Install-ADDSDomain                                 ADDSDeployment
Cmdlet          Install-ADDSDomainController                       ADDSDeployment
Cmdlet          Install-ADDSForest                                 ADDSDeployment
Cmdlet          Test-ADDSDomainControllerInstallation              ADDSDeployment
Cmdlet          Test-ADDSDomainControllerUninstallation            ADDSDeployment
Cmdlet          Test-ADDSDomainInstallation                        ADDSDeployment
Cmdlet          Test-ADDSForestInstallation                        ADDSDeployment
Cmdlet          Test-ADDSReadOnlyDomainControllerAccountCreation   ADDSDeployment
Cmdlet          Uninstall-ADDSDomainController                     ADDSDeployment

Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)

In this example, you would be prompted for the safe mode password and for credentials to actually join the domain as a DC. All prompts can be answered ahead of time and thus suppressed
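The slide says every prompt can be answered ahead of time. The following added example (not the deck's code) shows how, while keeping both secrets out of the script file, and uses the module's Test-ADDSDomainControllerInstallation cmdlet as a dry run before the real install. The domain child.contoso.com and site BRANCH1 come from earlier slides; the splatted parameter set is the standard one for the two cmdlets, and reading Status and Message from the Test result object is how I know that cmdlet reports its outcome.

```powershell
Import-Module ADDSDeployment

# Prompt once for each secret and hold them as SecureString / PSCredential.
# Neither value is hard-coded, so the script can be checked in safely.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
$joinCred     = Get-Credential -Message 'Account permitted to add a DC to child.contoso.com'

$params = @{
    DomainName                    = 'child.contoso.com'
    Credential                    = $joinCred
    SafeModeAdministratorPassword = $dsrmPassword
    SiteName                      = 'BRANCH1'      # the site created on the earlier slide
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    Force                         = $true          # answers the "continue?" prompt
}

# Dry run with the same parameters: reports blocking problems, changes nothing
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # Real promotion. -NoRebootOnCompletion lets you reboot at a chosen time.
    Install-ADDSDomainController @params -NoRebootOnCompletion
} else {
    Write-Warning 'Pre-check failed; see the Message above. Nothing was installed.'
}
```

Splatting one hashtable into both the Test- and Install- cmdlet guarantees the dry run exercised exactly the parameters the promotion will use.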


Thank You

 Go out there and deal with the pre-reqs now

 Get the module ready to roll even if you don't use it much

 Once you get hooked on the “PowerShell” way, you’ll probably start hating the GUI

 That doesn’t mean to avoid the GUI, you’ll just find that language based administration can really rock sometimes

 Play, Play, Play and discover all the other great nuggets I haven’t found yet. This stuff is brand new


Resources

 Active Directory Administration with Windows PowerShell: http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx

 http://blogs.msdn.com/b/adpowershell/

 Active Directory Replication and Topology Management Using Windows PowerShell

 Installing AD DS Using Windows PowerShell

 Removing AD DS Using Windows PowerShell

 In the Dynamic Access Control deployment documentation, look for any sections that are labeled Windows PowerShell equivalent commands

 In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller.

