2. Module Overview
• Using Command-Line Tools for AD DS Administration
• Using Windows PowerShell for AD DS Administration
• Performing Bulk Operations with Windows PowerShell
3. Lesson 1: Using Command-Line Tools for AD DS Administration
• Benefits of Using Command-Line Tools for AD DS Administration
• What Is Csvde?
• What Is Ldifde?
• What Are DS Commands?
4. Benefits of Using Command-Line Tools for AD DS Administration
Command-line tools allow you to automate AD DS administration
Benefits of using command-line tools:
• Faster implementation of bulk operations
• Customized processes for AD DS administration
• AD DS administration on server core
5. What Is Csvde?
[Diagram: csvde.exe exports AD DS objects to filename.csv and imports filename.csv into AD DS]
Use csvde to export objects to a .csv file:
• -f filename
• -d RootDN
• -p SearchScope
• -r Filter
• -l ListOfAttributes
Use csvde to create objects from a .csv file:
csvde -i -f filename -k
6. What Is Ldifde?
[Diagram: ldifde.exe exports AD DS objects to filename.ldif and imports filename.ldif into AD DS]
Use ldifde to export objects to a LDIF file:
• -f filename
• -d RootDN
• -r Filter
• -p SearchScope
• -l ListOfAttributes
• -o ListOfAttributes
Use ldifde to create, modify, or delete objects:
ldifde -i -f filename -k
7. What Are DS Commands?
Windows Server 2012 includes command-line tools that are suitable for use in scripts
• Examples
• To modify the department of a user account, type:
Dsmod user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -dept IT
• To display the email of a user account, type:
Dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -email
• To delete a user account, type:
Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
• To create a new user account, type:
Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
8. Lesson 2: Using Windows PowerShell for AD DS Administration
• Using Windows PowerShell Cmdlets to Manage User Accounts
• Using Windows PowerShell Cmdlets to Manage Groups
• Using Windows PowerShell Cmdlets to Manage Computer Accounts
• Using Windows PowerShell Cmdlets to Manage OUs
9. Using Windows PowerShell Cmdlets to Manage User Accounts
Cmdlet Description
New-ADUser Creates user accounts
Set-ADUser Modifies properties of user accounts
Remove-ADUser Deletes user accounts
Set-ADAccountPassword Resets the password of a user account
Set-ADAccountExpiration Modifies the expiration date of a user account
Unlock-ADAccount Unlocks a user account after it has become locked after too many incorrect login attempts
Enable-ADAccount Enables a user account
Disable-ADAccount Disables a user account
New-ADUser "Sten Faerch" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT
10. Using Windows PowerShell Cmdlets to Manage Groups
New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security
Add-ADGroupMember CustomerManagement -Members "Joe"
Cmdlet Description
New-ADGroup Creates new groups
Set-ADGroup Modifies properties of groups
Get-ADGroup Displays properties of groups
Remove-ADGroup Deletes groups
Add-ADGroupMember Adds members to groups
Get-ADGroupMember Displays membership of groups
Remove-ADGroupMember Removes members from groups
Add-ADPrincipalGroupMembership Adds group membership to objects
Get-ADPrincipalGroupMembership Displays group membership of objects
Remove-ADPrincipalGroupMembership Removes group membership from an object
11. Using Windows PowerShell Cmdlets to Manage Computer Accounts
New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true
Test-ComputerSecureChannel -Repair
Cmdlet Description
New-ADComputer Creates new computer accounts
Set-ADComputer Modifies properties of computer accounts
Get-ADComputer Displays properties of computer accounts
Remove-ADComputer Deletes computer accounts
Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword Resets the password for a computer account
12. Using Windows PowerShell Cmdlets to Manage OUs
New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true
Cmdlet Description
New-ADOrganizationalUnit Creates organizational units
Set-ADOrganizationalUnit Modifies properties of organizational units
Get-ADOrganizationalUnit Views properties of organizational units
Remove-ADOrganizationalUnit Deletes organizational units
13. Lesson 3: Performing Bulk Operations with Windows PowerShell
• What Are Bulk Operations?
• Demonstration: Using Graphical Tools to Perform Bulk Operations
• Querying Objects with Windows PowerShell
• Modifying Objects with Windows PowerShell
• Working with CSV Files
• Demonstration: Performing Bulk Operations with Windows PowerShell
14. What Are Bulk Operations?
• A bulk operation is a single action that changes multiple objects
• The process for performing a bulk operation is:
1. Define a query
2. Modify the objects defined by the query
• You can perform bulk operations by using:
• Graphical tools
• Command-line tools
• Scripts
15. Demonstration: Using Graphical Tools to Perform Bulk Operations
In this demonstration, you will see how to:
• Create a query for all users
• Configure the Company attribute for all users
• Verify that the Company attribute has been modified
16. Querying Objects with Windows PowerShell
Show all the properties for a user account:
Get-ADUser Administrator -Properties *
Show all the user accounts in the Marketing OU and all its subcontainers:
Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope subtree
Show all of the user accounts with a last logon date older than a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"}
Show all of the user accounts in the Marketing department that have a last logon date older than a specific date:
Get-ADUser -Filter {(lastlogondate -lt "January 1, 2012") -and (department -eq "Marketing")}
Operator Description
-eq Equal to
-ne Not equal to
-lt Less than
-le Less than or equal to
-gt Greater than
-ge Greater than or equal to
-like Uses wildcards for pattern matching
Parameter Description
SearchBase Defines the AD DS path to begin searching.
SearchScope Defines at what level below the SearchBase a search should be performed.
ResultSetSize Defines how many objects to return in response to a query.
Properties Defines which object properties to return and display.
17. Modifying Objects with Windows PowerShell
Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing
Get-ADUser -Filter {company -notlike "*"} | Set-ADUser -Company "A. Datum"
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"} | Disable-ADAccount
Get-Content C:\users.txt | Disable-ADAccount
18. Working with CSV Files
The first line of a .csv file defines the names of the columns
A foreach loop processes the contents of a .csv file that has been imported into a variable
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
$users = Import-Csv C:\users.csv
foreach ($i in $users) {
    Write-Host "The first name is:" $i.FirstName
}
19. Demonstration: Performing Bulk Operations with Windows PowerShell
In this demonstration, you will see how to:
• Configure a department for users
• Create an OU
• Run a script to create new user accounts
• Verify that new user accounts were created
20. Lab: Automating AD DS Administration by Using Windows PowerShell
• Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
• Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
• Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk
Logon Information
Virtual machines: 20410B-LON-DC1, 20410B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 45 minutes
21. Lab Scenario
A. Datum Corporation is a global engineering and manufacturing
company with a head office based in London, England. An IT office
and a data center are located in London to support the London
location and other locations. A. Datum has recently deployed a
Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a
desktop support specialist. In this role, you visited desktop
computers to troubleshoot application and network problems. You
have recently accepted a promotion to the server support team.
One of your first assignments is configuring the infrastructure
service for a new branch office.
As part of configuring a new branch office, you need to create
user and group accounts. Creating multiple users with graphical
tools is inefficient, so, you will be using Windows PowerShell.
22. Lab Review
• By default, are new user accounts enabled or disabled when you create them by using the New-ADUser cmdlet?
• What file extension do Windows PowerShell scripts use?
Presentation: 60 minutes
Lab: 45 minutes
After completing this module, students will be able to:
Use command‑line tools for administration.
Use Windows PowerShell® for administration.
Perform bulk operations with Windows PowerShell.
Automate Active Directory® Domain Services (AD DS) administration by using Windows PowerShell.
Make sure that students are aware that the Course Companion contains additional module information and resources.
Required Materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20410B_04.pptx.
Important: It is recommended that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.
Preparation Tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on‑the‑job performance.
Briefly describe the lessons that are included in this module. Explain that this module focuses on using command‑line tools and Windows PowerShell to perform bulk administration.
Explain to students that they can use csvde to create or export AD DS objects. However, they cannot use csvde to modify or delete existing objects. Point out that when you export objects without specifying which attributes to include, all attributes are included. You can use the resulting header row to identify the Lightweight Directory Access Protocol (LDAP) names of specific attributes that you want to include in a .csv file. In most organizations, csvde is used primarily to export data.
Consider performing an export with csvde, and reviewing the contents of the .csv file.
The key to presenting this topic is to differentiate ldifde from csvde. The major differences are that:
Ldifde can modify and remove objects.
Far fewer applications can export and import data in LDAP Data Interchange Format (LDIF).
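The following script is an added example and is not part of the course materials or Mod04Examples.ps1. It puts the csvde and ldifde slides side by side: an export that names the attributes to include, followed by a department change expressed as an LDIF modify record, which is the operation csvde cannot perform. It assumes the adatum.com lab domain from the slides and an elevated prompt on a server with the AD DS tools installed; the files under C:\Temp are constructed for this example.

```powershell
# Added example, not part of the course materials or Mod04Examples.ps1.
# Export selected attributes of the Managers OU with csvde, then change one
# object with ldifde (csvde cannot modify existing objects).
# Assumes the adatum.com lab domain and an elevated prompt on a server with
# the AD DS tools; the paths under C:\Temp are constructed for this example.

$ou = 'ou=Managers,dc=adatum,dc=com'
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null

# Export: -d search root, -p scope, -r LDAP filter, -l attributes to include.
# Naming the attributes keeps the file small and leaves everything else out;
# with no -l switch every attribute is written to the file.
csvde -f C:\Temp\managers.csv -d $ou -p subtree -r '(objectClass=user)' -l 'sAMAccountName,givenName,sn,department'

# The header row is where you read the LDAP names of the attributes.
Get-Content -Path C:\Temp\managers.csv -TotalCount 1

# Modify: an LDIF change record. The trailing "-" closes the modify block.
$ldif = @'
dn: cn=Joe Healy,ou=Managers,dc=adatum,dc=com
changetype: modify
replace: department
department: IT
-
'@
Set-Content -Path C:\Temp\set-department.ldf -Value $ldif -Encoding ASCII

# Import the change: -i import mode, -f input file, -k continue past
# "object already exists" and constraint-violation errors.
ldifde -i -f C:\Temp\set-department.ldf -k

# Confirm the change with the matching PowerShell cmdlet.
Get-ADUser -Identity 'cn=Joe Healy,ou=Managers,dc=adatum,dc=com' -Properties Department |
    Select-Object Name, Department
```

Because an unrestricted csvde export writes every attribute, treat the output file as sensitive and delete it once the header row has served its purpose.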
Describe the DS commands that are available for manipulating AD DS objects. Use the examples on the slide to describe the syntax of the commands. Verify that students understand the format of a distinguished name. If necessary, explain that the format of a distinguished name is based on LDAP. Describe the:
Common name: cn
Organizational unit: ou
Domain component: dc
Explain to students that unlike csvde and ldifde, these tools are not designed explicitly for bulk management of objects. They can be used to manipulate individual objects or to perform bulk operations.
Question
What criteria would you use to select between using csvde, ldifde, and the DS commands?
Answer
If you are using a data source that can export as a .csv file, you most likely will use csvde. However, csvde cannot modify existing objects. You are also likely to use csvde when exporting data from AD DS.
If you are using a data source that can export as an LDIF file, then you would most likely use ldifde. You would also use ldifde if you need to remove or modify existing objects.
If you are modifying individual objects, then you will most likely use the DS commands if you have chosen not to use graphical tools.
To help students understand how to use Windows PowerShell to perform AD DS Administration, it is critical that they see examples of how the cmdlets are used. Examples are provided on many of the slides in this lesson. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.
Describe each of the cmdlets on the slide to students. In addition, describe the example of using the New‑ADUser cmdlet. Consider providing a demonstration of using the cmdlets. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
Are all cmdlet parameters that you use to manage user accounts the same?
Answer
No. Many of the parameters are the same or similar, but each cmdlet has its own list of parameters.
Describe each of the cmdlets on the slide to students. Be sure to explain the difference between the *‑ADGroupMember cmdlets and the *‑ADPrincipalGroupMembership cmdlets. The easiest distinction to make for students is that the *‑ADGroupMember cmdlets are similar to modifying membership in the properties of a group, while the *‑ADPrincipalGroupMembership cmdlets are similar to modifying the Member Of property in the properties of an object, such as a user account.
Consider demonstrating how to create a group, and then add group members to it.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
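The script below is an added example, not the course's Mod04Examples.ps1, and makes the distinction from the notes concrete by performing the same membership change from the group side and from the object side, then reading it back both ways. It assumes the adatum.com lab domain and existing users named Joe and Sten; the group CustomerReporting is constructed for this example.

```powershell
# Added example, not the course's Mod04Examples.ps1. Shows the same membership
# change made from the group side (*-ADGroupMember) and from the object side
# (*-ADPrincipalGroupMembership). Assumes the adatum.com lab domain and users
# named Joe and Sten; the CustomerReporting group is constructed.

$path = 'ou=managers,dc=adatum,dc=com'
foreach ($name in 'CustomerManagement', 'CustomerReporting') {
    New-ADGroup -Name $name -Path $path -GroupScope Global -GroupCategory Security
}

# Group side: one group, a list of members (like the Members tab of the group).
Add-ADGroupMember -Identity 'CustomerManagement' -Members 'Joe', 'Sten'

# Object side: one principal, a list of groups (like the Member Of tab of the user).
Add-ADPrincipalGroupMembership -Identity 'Sten' -MemberOf 'CustomerReporting'

# Both views show the same data; pick whichever matches the question you ask.
Get-ADGroupMember -Identity 'CustomerManagement' | Select-Object SamAccountName
Get-ADPrincipalGroupMembership -Identity 'Sten' | Select-Object Name

# Removal works the same way from either side.
Remove-ADPrincipalGroupMembership -Identity 'Sten' -MemberOf 'CustomerReporting' -Confirm:$false

# Periodic check of a sensitive group; -Recursive expands nested groups so
# that indirect members are not missed.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
```

The last line is the form of the query to use for routine review of privileged groups: without -Recursive, a user who gains membership through a nested group does not appear in the output.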
Describe each of the cmdlets on the slide to students. Relate the use of these cmdlets back to the computer account management information in Module 3.
Be sure to mention that the New‑ADComputer cmdlet does not offer the option to delegate permissions to join a computer to the new computer account; if these permissions are necessary, then students need to assign those permissions manually.
The AD DS permissions required on the computer account are:
Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions
Consider demonstrating the permissions differences when creating a computer account in Active Directory Users and Computers with delegation, and when using the New-ADComputer cmdlet.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Describe each of the cmdlets on the slide to students. Mention that the default value for the ProtectedFromAccidentalDeletion parameter is $true.
Consider doing a demonstration where you:
Create a new OU.
Attempt to remove the OU, which fails due to protection from accidental deletion.
Set ProtectedFromAccidentalDeletion parameter to $false.
Again attempt to remove the OU. This time you should be successful.
To avoid typing slide examples, you can use the examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
In the slide example, is the ProtectedFromAccidentalDeletion parameter required?
Answer
No. The default value is set to $true. The same result would have occurred if the ProtectedFromAccidentalDeletion parameter was not used.
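The demonstration described in the notes, written out as an added example rather than the course's Mod04Examples.ps1. It creates the Sales OU from the slide, shows the refused delete and the explicit unprotect-then-delete sequence, and ends with a query that lists OUs not carrying the protection flag. It assumes the adatum.com lab domain.

```powershell
# Added example of the OU protection demonstration, not the course's
# Mod04Examples.ps1. Assumes the adatum.com lab domain; the Sales OU under
# ou=marketing is the one from the slide.

$parent = 'ou=marketing,dc=adatum,dc=com'
$ouDn   = "ou=Sales,$parent"

# Protection is on by default, so omitting the parameter gives the same result
# as -ProtectedFromAccidentalDeletion $true on the slide.
New-ADOrganizationalUnit -Name 'Sales' -Path $parent

# Show the current value of the flag on the new OU.
(Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion

# The delete is refused while the flag is set. -ErrorAction Stop turns that
# into a terminating error the script can handle instead of continuing.
try {
    Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false -ErrorAction Stop
    Write-Host 'Removed (not expected while the OU is protected)'
} catch {
    Write-Warning "Remove refused: $($_.Exception.Message)"
}

# Clearing the flag is a separate, deliberate step; only then does the remove succeed.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false

# Audit check: list OUs that are not protected, so the gap can be closed.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

Keeping the unprotect and the remove as two separate commands is the point of the feature: a script or an administrator has to state the intent to delete twice before an OU and everything under it disappears.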
To help students understand how to use Windows PowerShell to perform bulk operations, it is critical that they see examples of how the cmdlets are used. Examples are provided on many of the slides in this lesson. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.
Define a bulk operation for students and provide some examples, such as:
Moving multiple user accounts to a new OU.
Changing the department name for a set of user accounts.
Disabling a set of user accounts.
Preparation Steps
For this demonstration, you require the 20410B-LON-DC1 server.
Demonstration Steps
Create a query for all users
Start 20410B‑LON‑DC1 and sign in as Adatum\Administrator by using the password Pa$$w0rd.
On LON‑DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
In Active Directory Administrative Center, in the navigation pane, click Global Search.
At the far right of the Global Search pane, click the down arrow to display Add criteria.
Click Add criteria, select the Object type is user/inetOrgPerson/computer/group/organization unit check box, and then click Add.
Verify that the criteria that you added is and The object type is: User.
Click the Search button.
Configure the Company attribute for all users
Press Ctrl+A to select all of the user accounts, and then click Properties.
In the Multiple Users window, in the Organization section, select the Company check box.
In the Company text box, type A. Datum, and then click OK.
Verify that the Company attribute has been modified
In the Global Search pane, click Adam Barr, and then click Properties.
In the Adam Barr window, verify that the Company is A. Datum.
Click Cancel.
Close Active Directory Administrative Center.
This is an animated slide. You will need to click to show the second slide.
Use the first slide to introduce the Filter parameter as a method for performing queries with the Get‑AD* cmdlets. Make note of the operators that can be used. Students might be expecting to use mathematical operators such as the equal sign (=), less than sign (<), and greater than sign (>). Let them know that it is not possible to do so. Also highlight that only ‑like can be used with the asterisk (*) wildcard for matching strings.
Use the examples on the second slide to describe the parameters commonly used with the Get-ADUser cmdlet. Note that the final example uses single quotes around the entire filter because double quotes are used within the filter.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
What is the difference between using ‑eq and ‑like when comparing strings?
Answer
The -eq operator is used to find an exact match, although the comparison is not case sensitive. The -like operator can be used with the asterisk (*) wildcard to find partial matches.
Explain to students how they can use the pipe character ( | ) to pass objects to another cmdlet for further processing. Use the examples on the slide to show that they can use either the results of a query or the content of a text file.
Stress to students that not just any data can be passed to another cmdlet. The objects being passed to a cmdlet must be of the correct type. For example, you can pass a list of user account objects to the Set‑ADUser cmdlet, but you could not pass a list of groups to the Set‑ADUser cmdlet. The help documentation for each Set‑AD* cmdlet defines how the identity of the object being modified can be specified. If you are using a list of objects from a text file, this tells you how you need to format the data in the text file. For example, the Set‑ADUser cmdlet allows you to identify user objects by distinguished name, globally unique identifier (GUID), security identifier (SID), or Security Accounts Manager (SAM) account name.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
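The following is an added example (not the course's Mod04Examples.ps1) that combines the query and pipeline slides into one stale-account review: a Filter query with the comparison operators from the table, a dry run with -WhatIf, the real run with a record of what changed, and the text-file input form with the identity-format caveat from the notes. It assumes the adatum.com lab domain; the 90-day window and the file C:\Temp\users.txt are constructed for this example.

```powershell
# Added example, not the course's Mod04Examples.ps1. Finds enabled user
# accounts in an OU with no logon since a cut-off date, reports them, and
# disables them through the pipeline. Assumes the adatum.com lab domain; the
# 90-day window and C:\Temp\users.txt are constructed for this example.

Import-Module ActiveDirectory

$cutoff     = (Get-Date).AddDays(-90)
$searchBase = 'ou=Marketing,dc=adatum,dc=com'

# -Filter uses -eq/-lt/-and, not =/</&&. lastLogonDate is replicated between
# domain controllers, so one query is enough; lastLogon is not replicated
# and differs from DC to DC.
$stale = Get-ADUser -Filter { (Enabled -eq $true) -and (lastLogonDate -lt $cutoff) } `
                    -SearchBase $searchBase -SearchScope Subtree `
                    -Properties lastLogonDate, Department

$stale | Format-Table SamAccountName, Department, lastLogonDate

# Dry run: -WhatIf lists what would be disabled without changing anything.
$stale | Disable-ADAccount -WhatIf

# Real run, keeping a record of what was changed. -PassThru returns each
# object Disable-ADAccount processed.
$stale | Disable-ADAccount -PassThru |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path C:\Temp\disabled-accounts.csv -NoTypeInformation

# Text-file input: each line must be an identity the cmdlet accepts (DN, GUID,
# SID or SAM account name). Blank and comment lines would each produce a
# lookup error, so drop them before piping.
Get-Content -Path C:\Temp\users.txt |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Disable-ADAccount -WhatIf

# Object type matters: a list of groups cannot be piped into Set-ADUser.
# Get-ADGroup -Filter * | Set-ADUser -Department IT   # wrong object type
```

Run the -WhatIf line first and read its output; a filter on lastLogonDate also matches accounts that have never logged on at all, which may include service accounts or accounts created for people who have not started yet.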
Question
Which attributes of a user account can you use when creating a query by using the Filter parameter?
Answer
You can use any user account parameter that you can query. Use the Properties parameter with a value of * (‑Properties *) to identify all properties that can be retrieved.
Use the slide content to explain the following four key points:
The header in the .csv file defines the name of each column.
Import‑csv reads the contents of the .csv file.
A foreach loop processes each row from the .csv file.
The $i represents each row as it is processed.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
In the foreach loop, how does $i change?
Answer
The foreach loop processes each row from the .csv file that has been loaded into the $users variable. The loop is performed once for each row from the .csv file. The variable $i represents each row as it is processed.
Preparation Steps
For this demonstration, you require the 20410B-LON-DC1 server.
Demonstration Steps
Configure a department for users
Start 20410B‑LON‑DC1, and sign in as Adatum\Administrator by using the password of Pa$$w0rd.
On LON‑DC1, on the task bar, click the Windows PowerShell icon.
At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com"
Type the following command, and then press Enter:
Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com" | Set-ADUser -Department Research
Type the following command, and then press Enter:
Get-ADUser -Filter 'department -eq "Research"' | Format-Table DistinguishedName,Department
Type the following command, and then press Enter:
Get-ADUser -Filter 'department -eq "Research"' -Properties Department | Format-Table DistinguishedName,Department
Create an OU
At the Windows PowerShell prompt, type the following command, and then press Enter:
New-ADOrganizationalUnit LondonBranch -Path "dc=adatum,dc=com"
Run a script to create new user accounts
On the taskbar, click the Windows Explorer icon.
In the Windows Explorer window, expand drive E, expand Labfiles, and then click Mod04.
Double‑click DemoUsers.csv.
In the How do you want to open this type of file (.csv) window, click Notepad.
In Notepad, review the contents of the .csv file, and read the header row.
Close Notepad.
In the Windows® Explorer window, right‑click DemoUsers.ps1, and then click Edit.
In Windows PowerShell ISE, review the contents of the script. Note that the script:
Refers to the location of the .csv file.
Uses a foreach loop to process the .csv file contents.
Refers to the columns defined by the header in the .csv file.
Close Windows PowerShell ISE.
At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter.
Type .\DemoUsers.ps1, and then press Enter.
Close the Windows PowerShell prompt.
Verify that new user accounts were created
In Server Manager, click Tools, and then click Active Directory Administrative Center.
In Active Directory Administrative Center, in the navigation pane, browse to Adatum (local)>LondonBranch.
Verify that the user accounts were created. Note that the accounts are disabled, because no password was set during creation.
Close Active Directory Administrative Center.
Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind students to complete the discussion questions after the last lab exercise.
Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by using command‑line tools. It has been mandated that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell.
Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
You have been given a .csv file that contains a large list of new users for the branch office. It would be inefficient to create these users individually with graphical tools. Instead, you will use a Windows PowerShell script to create the users. A colleague that is experienced with scripting has provided you with a script that she created. You need to modify the script to match the format of your .csv file.
Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk
You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. You have also been asked to ensure that all of the new user accounts in the branch office are configured to force users to change their passwords at their next logon.
Question
By default, are new user accounts enabled or disabled when you create them by using the New‑ADUser cmdlet?
Answer
By default, new user accounts are disabled when you create them by using the New‑ADUser cmdlet.
Question
What file extension do Windows PowerShell scripts use?
Answer
Windows PowerShell scripts use the .ps1 file extension.
Review Questions
Point students to the appropriate section in the course so that they are able to answer the questions that this section presents.
Question
A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file. However, his script is experiencing errors when attempting to set a default password. Why might this be happening?
Answer
The most common source of errors received when setting passwords during user account creation is the format of the variable containing the password. The variable containing a user password must be a secure string. After importing default passwords from the .csv file, your colleague must convert the value to a secure string so that it is encrypted in memory.
Another common problem is trying to use passwords that do not meet complexity requirements. If you try to create a user account with the New-ADUser cmdlet and use a password that does not meet complexity requirements, the user account is created but the password is not set, causing the user account to be disabled.
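The script below is an added example, not the course's DemoUsers.ps1. It ties the CSV slide to this answer: each row's password is converted to a SecureString before New-ADUser sees it, the account is enabled with a forced password change at first logon, and a row whose password fails the domain policy is reported instead of silently leaving a disabled account behind. It assumes the adatum.com lab domain and a LondonBranch OU; the .csv rows are constructed, and the second row deliberately uses a password that fails complexity.

```powershell
# Added example, not the course's DemoUsers.ps1. Creates users from a .csv
# file, converting each password to a SecureString, enabling the account and
# forcing a password change at first logon, and reports any row that fails.
# Assumes the adatum.com lab domain and a LondonBranch OU; the .csv rows are
# constructed, and the second one uses a password that fails complexity on purpose.

Import-Module ActiveDirectory

$csvText = @'
FirstName,LastName,Department,Password
Greg,Guzik,IT,Pa$$w0rd-Temp1
Robin,Young,Research,short
'@
$csvPath = Join-Path -Path $env:TEMP -ChildPath 'newusers.csv'
Set-Content -Path $csvPath -Value $csvText
$users  = Import-Csv -Path $csvPath          # header row names the columns
$ouPath = 'ou=LondonBranch,dc=adatum,dc=com'

foreach ($i in $users) {
    $sam = ($i.FirstName.Substring(0, 1) + $i.LastName).ToLower()

    # -AccountPassword rejects a plain string; it needs a SecureString.
    $securePwd = ConvertTo-SecureString -String $i.Password -AsPlainText -Force

    try {
        New-ADUser -Name "$($i.FirstName) $($i.LastName)" `
                   -GivenName $i.FirstName -Surname $i.LastName `
                   -SamAccountName $sam `
                   -UserPrincipalName "$sam@adatum.com" `
                   -Department $i.Department `
                   -Path $ouPath `
                   -AccountPassword $securePwd `
                   -ChangePasswordAtLogon $true `
                   -Enabled $true `
                   -ErrorAction Stop
        Write-Host "Created $sam"
    } catch {
        # A password that fails the domain policy is the usual cause. The object
        # may still have been created without a password and left disabled, so
        # the row is reported rather than silently skipped.
        Write-Warning "Failed for ${sam}: $($_.Exception.Message)"
    }
}

# Follow-up: accounts in the OU that stayed disabled need a compliant password.
Get-ADUser -Filter { Enabled -eq $false } -SearchBase $ouPath | Select-Object SamAccountName
```

A password column in a .csv file is itself a risk: the file sits on disk in clear text. In production, generate a random initial password per user at run time, deliver it out of band, and delete the input file once the run is complete.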
Question
You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students can generate a list of the new students and then export it as a .csv file. After the data has been exported to a .csv file, what information do you need to work with the data in a script?
Answer
To work with a .csv file, you need to know the name and location of the .csv file. This information allows you to import the .csv file into a variable. You also need to know the name of each column in the .csv file. If there is no header row with column names, then you need to create one.
Question
The Research department in your organization has been renamed “Research and Development.” You need to update the Department property of users in the Research department to reflect this change.
You have created a query for user accounts with the department property set to Research, by using the Get‑ADUser cmdlet and the ‑Filter parameter. What is the next step to update the department property to Research and Development?
Answer
You need to pipe the output from the query to the Set-ADUser cmdlet. The Set-ADUser cmdlet modifies the department property of the user accounts.