Automating AD Domain Services Administration
•Download as PPTX, PDF•
0 likes•56 views
Windows server 2012
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Automating AD Domain Services Administration
Similar to Automating AD Domain Services Administration (20)
More from Napoleon NV
More from Napoleon NV (12)
Recently uploaded
Recently uploaded (20)
Automating AD Domain Services Administration
- 1. Microsoft® Official Course Module 4 Automating Active Directory Domain Services Administration
- 2. Module Overview • Using Commandline Tools for AD DS Administration • Using Windows PowerShell for AD DS Administration • Performing Bulk Operations with Windows PowerShell
- 3. Lesson 1: Using Commandline Tools for AD DS Administration • Benefits of Using CommandLine Tools for AD DS Administration • What Is Csvde? • What Is Ldifde? • What Are DS Commands?
- 4. Benefits of Using Command-Line Tools for AD DS Administration Command-line tools allow you to automate AD DS administration Benefits of using command-line tools: • Faster implementation of bulk operations • Customized processes for AD DS administration • AD DS administration on server core
- 5. What Is Csvde? AD DS Import Export csvde.exe filename.csv Use csvde to export objects to a .csv file: Use csvde to create objects from a .csv file: • -f filename • -d RootDN • -p SearchScope • -r Filter • -l ListOfAtrributes csvde –i –f filename –k
- 6. What Is Ldifde? Use ldifde to export objects to a LDIF file: Use ldifde to create, modify, or delete objects: • -f filename • -d RootDN • -r Filter • -p SearchScope • -l ListOfAttributes • -o ListOfAttributes ldifde –i –f filename –k Export ldifde.exe filename.ldif AD DS Import
- 7. What Are DS Commands? Windows Server 2012 includes command-line tools that are suitable for use in scripts • Examples • To modify the department of a user account, type: • To display the email of a user account, type: • To delete a user account, type: • To create a new user account, type: Dsmod user "cn=Joe Healy,ou=Managers, dc=adatum,dc=com" –dept IT Dsget user "cn=Joe Healy,ou=Managers, dc=adatum,dc=com" –email Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
- 8. Lesson 2: Using Windows PowerShell for AD DS Administration • Using Windows PowerShell Cmdlets to Manage User Accounts • Using Windows PowerShell Cmdlets to Manage Groups • Using Windows PowerShell Cmdlets to Manage Computer Accounts • Using Windows PowerShell Cmdlets to Manage OUs
- 9. Using Windows PowerShell Cmdlets to Manage User Accounts Cmdlet Description New-ADUser Creates user accounts Set-ADUser Modifies properties of user accounts Remove-ADUser Deletes user accounts Set-ADAccountPassword Resets the password of a user account Set-ADAccountExpiration Modifies the expiration date of a user account Unlock-ADAccount Unlocks a user account after it has become locked after too many incorrect login attempts Enable-ADAccount Enables a user account Disable-ADAccount Disables a user account New-ADUser "Sten Faerch" –AccountPassword (Read-Host –AsSecureString "Enter password") -Department IT
- 10. Using Windows PowerShell Cmdlets to Manage Groups New-ADGroup –Name "CustomerManagement" –Path "ou=managers,dc=adatum,dc=com" –GroupScope Global –GroupCategory Security Add-ADGroupMember CustomerManagement –Members "Joe" Cmdlet Description New-ADGroup Creates new groups Set-ADGroup Modifies properties of groups Get-ADGroup Displays properties of groups Remove-ADGroup Deletes groups Add-ADGroupMember Adds members to groups Get-ADGroupMember Displays membership of groups Remove-ADGroupMember Removes members from groups Add-ADPrincipalGroupMembership Adds group membership to objects Get-ADPrincipalGroupMembership Displays group membership of objects Remove-ADPrincipalGroupMembership Removes group membership from an object
- 11. Using Windows PowerShell Cmdlets to Manage Computer Accounts New-ADComputer –Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true Test-ComputerSecureChannel -Repair Cmdlet Description New-ADComputer Creates new computer accounts Set-ADComputer Modifies properties of computer accounts Get-ADComputer Displays properties of computer accounts Remove-ADComputer Deletes computer accounts Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain Reset-ComputerMachinePassword Resets the password for a computer account
- 12. Using Windows PowerShell Cmdlets to Manage OUs New-ADOrganizationalUnit –Name Sales –Path "ou=marketing,dc=adatum,dc=com" –ProtectedFromAccidentalDeletion $true Cmdlet Description New-ADOrganizationalUnit Creates organizational units Set-ADOrganizationalUnit Modifies properties of organizational units Get-ADOrganizationalUnit Views properties of organizational units Remove-ADOrganizationalUnit Deletes organizational units New-ADOrganizationalUnit Creates organizational units Set-ADOrganizationalUnit Modifies properties of organizational units Get-ADOrganizationalUnit Views properties of organizational units
- 13. Lesson 3: Performing Bulk Operations with Windows PowerShell • What Are Bulk Operations? • Demonstration: Using Graphical Tools to Perform Bulk Operations • Querying Objects with Windows PowerShell • Modifying Objects with Windows PowerShell • Working with CSV Files • Demonstration: Performing Bulk Operations with Windows PowerShell
- 14. What Are Bulk Operations? • A bulk operation is a single action that changes multiple objects • The process for performing a bulk operation is: • You can perform bulk operations by using: • Graphical tools • Command-line tools • Scripts 1. Define a query 2. Modify the objects defined by the query
- 15. Demonstration: Using Graphical Tools to Perform Bulk Operations In this demonstration, you will see how to: • Create a query for all users • Configure the Company attribute for all users • Verify that the Company attribute has been modified
- 16. Querying Objects with Windows PowerShell Show all the properties for a user account: Show all the user accounts in the Marketing OU and all its subcontainers: Show all of the user accounts with a last logon date older than a specific date: Show all of the user accounts in the Marketing department that have a last logon date older than a specific date: Get ADUser Administrator Properties * Get ADUser –Filter * SearchBase "ou=Marketing,dc=adatum,dc=com" SearchScope subtree Get ADUser Filter {lastlogondate lt "January 1, 2012"} Get ADUser Filter {(lastlogondate lt "January 1, 2012") and (department eq "Marketing")} Operator Description -eq Equal to -ne Not equal to -lt Less than -le Less than or equal to -gt Greater than -ge Greater than or equal to -like Uses wildcards for pattern matching Parameter Description SearchBase Defines the AD DS path to begin searching. SearchScope Defines at what level below the SearchBase a search should be performed. ResultSetSize Defines how many objects to return in response to a query. Properties Defines which object properties to return and display.
- 17. Modifying Objects with Windows PowerShell Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing Get -ADUser -Filter {company -notlike "*"} | Set-ADUser -Company "A. Datum" Get -ADUser -Filter {lastlogondate -lt "January 1, 2012"} | Disable-ADAccount Get Content C:users.txt | Disable ADAccountGet Content C:users.txt | Disable ADAccount
- 18. Working with CSV Files The first line of a .csv file defines the names of the columns A foreach loop processes the contents of a .csv that have been imported into a variable FirstName,LastName,Department Greg,Guzik,IT Robin,Young,Research Qiong,Wu,Marketing $users=Import-CSV C:users.csv Foreach ($i in $users) { Write-Host "The first name is:" $i.FirstName }
- 19. Demonstration: Performing Bulk Operations with Windows PowerShell In this demonstration, you will see how to: • Configure a department for users • Create an OU • Run a script to create new user accounts • Verify that new user accounts were created
- 20. Lab: Automating AD DS Administration by Using Windows PowerShell • Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell • Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk • Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk Logon Information Virtual machines 20410B-LON-DC1 20410B-LON-CL1 User name AdatumAdministrator Password Pa$$w0rd Estimated Time: 45 minutes
- 21. Lab Scenario A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office. As part of configuring a new branch office, you need to create user and group accounts. Creating multiple users with graphical tools is inefficient, so, you will be using Windows PowerShell.
- 22. Lab Review • By default, are new user accounts enabled or disabled when you create them by using the NewADUser cmdlet? • What file extension do Windows PowerShell scripts use?
- 23. Module Review and Takeaways • Review Questions
Editor's Notes
- Presentation: 60 minutes Lab: 45 minutes After completing this module, students will be able to: Use command‑line tools for administration. Use Windows PowerShell® for administration. Perform bulk operations with Windows PowerShell. Automate Active Directory® Domain Services (AD DS) administration by using Windows PowerShell. Make sure that students are aware that the Course Companion contains additional module information and resources. Required Materials To teach this module, you need the Microsoft® Office PowerPoint® file 20410B_04.pptx. Important: It is recommended that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly. Preparation Tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on‑the‑job performance.
- Briefly describe the lessons that are included in this module. Explain that this module focuses on using command‑line tools and Windows PowerShell to perform bulk administration.
- Explain to students that they can use csvde to create or export AD DS objects. However, they cannot use csvde to modify or delete existing objects. Point out that when you export objects without specifying which attributes to include, all attributes are included. You can use the resulting header row to identify the Lightweight Directory Access Protocol (LDAP) names of specific attributes that you want to include in a .csv file. In most organization, csvde is used primarily to export data. Consider performing an export with csvde, and reviewing the contents of the .csv file.
- The key to presenting this topic is to differentiate ldifde from csvde. The major differences are that: Ldifde can modify and remove objects. Far fewer applications can export and import data in LDAP Data Interchange Format (LDIF).
- Describe the DS commands that are available for manipulating AD DS objects. Use the examples on the slide to describe the syntax of the commands. Verify that students understand the format of a distinguished name. If necessary, explain that the format of a distinguished name is based on LDAP. Describe the: Common name: cn Organizational unit: ou Domain component: dc Explain to students that unlike csvde and ldifde, these tools are not designed explicitly for bulk management of objects. They can be used to manipulate individual objects or to perform bulk operations. Question What criteria would you use to select between using csvde, ldifde, and the DS commands? Answer If you are using a data source that can export as a .csv file, you most likely will use csvde. However, csvde cannot modify existing objects. You are also likely to use csvde when exporting data from AD DS. If you are using a data source that can export as an LDIF file, then you would most likely use ldifde. You would also use ldifde if you need to remove or modify existing objects. If you are modifying individual objects, then you will most likely use the DS commands if you have chosen not to use graphical tools.
- To help students understand how to use Windows PowerShell to perform AD DS Administration, it is critical that they see examples of how the cmdlets are used. Examples are provided on many of the slides in this lesson. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.
- Describe each of the cmdlets on the slide to students. In addition, describe the example of using the New‑ADUser cmdlet. Consider providing a demonstration of using the cmdlets. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question Are all cmdlet parameters that you use to manage user accounts the same? Answer No. Many of the parameters are the same or similar, but each cmdlet has its own list of parameters.
- Describe each of the cmdlets on the slide to students. Be sure to explain the difference between the *‑ADGroupMember cmdlets and the *‑ADPrincipalGroupMembership cmdlets. The easiest distinction to make for students is that the *‑ADGroupMember cmdlets are similar to modifying membership in the properties of a group, while the *‑ADPrincipalGroupMembership cmdlets are similar to modifying the Member Of property in the properties of an object, such as a user account. Consider demonstrating how to create a group, and then add group members to it. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
- Describe each of the cmdlets on the slide to students. Relate the use of these cmdlets back to the computer account management information in Module 3. Be sure to mention that the New‑ADComputer cmdlet does not offer the option to delegate permissions to join a computer to the new computer account; if these permissions are necessary, then students need to assign those permissions manually. The AD DS permissions required on the computer account are: Reset Password Validated write to DNS host name Validated write to service principal name Write Account Restrictions Consider demonstrating the permissions differences when creating a computer account in Active Directory Users and Computers with delegation, and when using the New‑AdComputer cmdlet. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
- Describe each of the cmdlets on the slide to students. Mention that the default value for the ProtectedFromAccidentalDeletion parameter is $true. Consider doing a demonstration where you: Create a new OU. Attempt to remove the OU, which fails due to protection from accidental deletion. Set ProtectedFromAccidentalDeletion parameter to $false. Again attempt to remove the OU. This time you should be successful. To avoid typing slide examples, you can use the examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question In the slide example, is the ProtectedFromAccidentalDeletion parameter required? Answer No. The default value is set to $true. The same result would have occurred if the ProtectedFromAccidentalDeletion parameter was not used.
- To help students understand how to use Windows PowerShell to perform bulk operations, it is critical that they see examples of how the cmdlets are used. Examples are provided on many of the slides in this lesson. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.
- Define a bulk operation for students and provide some examples, such as: Moving multiple user accounts to a new OU. Changing the department name for a set of user accounts. Disabling a set of user accounts.
- Preparation Steps For this demonstration, you require the 20410B-LON-DC1 server. Demonstration Steps Create a query for all users Start 20410B‑LON‑DC1 and sign in as Adatum\Administrator by using the password Pa$$w0rd. On LON‑DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center. In Active Directory Administrative Center, in the navigation pane, click Global Search. At the far right of the Global Search pane, click the down arrow to display Add criteria. Click Add criteria, select the Object type is user/inetOrgPerson/computer/group/organization unit check box, and then click Add. Verify that the criteria that you added is and The object type is: User. Click the Search button. Configure the Company attribute for all users Press Ctrl+A to select all of the user accounts, and then click Properties. In the Multiple Users window, in the Organization section, select the Company check box. In the Company text box, type A. Datum, and then click OK. Verify that the Company attribute has been modified In the Global Search pane, click Adam Barr, and then click Properties. In the Adam Barr window, verify that the Company is A. Datum. Click Cancel. Close Active Directory Administrative Center.
- This is an animated slide. You will need to click to show the second slide. Use the first slide to introduce the Filter parameter as a method for performing queries with the Get‑AD* cmdlets. Make note of the operators that can be used. Students might be expecting to use mathematical operators such as the equal sign (=), less than sign (<), and greater than sign (>). Let them know that it is not possible to do so. Also highlight that only ‑like can be used with the asterisk (*) wildcard for matching strings. Use the examples on the second slide to describe the parameters commonly used with the Get‑ADUser cmdlet. Note that the final example uses single quotes around then entire filter because double quotes are used within the filter. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question What is the difference between using ‑eq and ‑like when comparing strings? Answer The ‑eq operator is used to find an exact match, meaning that it is not case sensitive. The ‑like operator can be used with the asterisk (*) wildcard to find partial matches.
- Explain to students how they can use the pipe character ( | ) to pass objects to another cmdlet for further processing. Use the examples on the slide to show that they can use either the results of a query or the content of a text file. Stress to students that not just any data can be passed to another cmdlet. The objects being passed to a cmdlet must be of the correct type. For example, you can pass a list of user account objects to the Set‑ADUser cmdlet, but you could not pass a list of groups to the Set‑ADUser cmdlet. The help documentation for each Set‑AD* cmdlet defines how the identity of the object being modified can be specified. If you are using a list of objects from a text file, this tells you how you need to format the data in the text file. For example, the Set‑ADUser cmdlet allows you to identify user objects by distinguished name, globally unique identifier (GUID), security identifier (SID), or Security Accounts Manager (SAM) account name. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question Which attributes of a user account can you use when creating a query by using the Filter parameter? Answer You can use any user account parameter that you can query. Use the Properties parameter with a value of * (‑Properties *) to identify all properties that can be retrieved.
- Use the slide content to explain the following four key points: The header in the .csv file defines the name of each column. Import‑csv reads the contents of the .csv file. A foreach loop processes each row from the .csv file. The $i represents each row as it is processed. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question In the foreach loop, how does $i change? Answer The foreach loop processes each row from the .csv file that has been loaded into the $users variable. The loop is performed once for each row from the .csv file. The variable $i represents each row as it is processed.
- Preparation Steps For this demonstration, you require the 20410B-LON-DC1 server. Demonstration Steps Configure a department for users Start 20410B‑LON‑DC1, and sign in as Adatum\Administrator by using the password of Pa$$w0rd. On LON‑DC1, on the task bar, click the Windows PowerShell icon. At the Windows PowerShell prompt, type the following command, and then press Enter: Get‑ADUser –Filter * ‑SearchBase “ou=Research,dc=adatum,dc=com” Type the following command, and then press Enter: Get‑ADUser –Filter * ‑SearchBase “ou=Research,dc=adatum,dc=com” | Set‑ADUser ‑Department Research Type the following command, and then press Enter: Get‑ADUser –Filter ‘department ‑eq “Research”’ | Format‑Table DistinguishedName,Department Type the following command, and then press Enter: Get‑ADUser –Filter ‘department ‑eq “Research”’ ‑Properties Department | Format‑Table DistinguishedName,Department Create an OU At the Windows PowerShell prompt, type the following command, and then press Enter: New‑ADOrganizationalUnit LondonBranch ‑Path “dc=adatum,dc=com”
- Run a script to create new user accounts On the taskbar, click the Windows Explorer icon. In the Windows Explorer window, expand drive E, expand Labfiles, and then click Mod04. Double‑click DemoUsers.csv. In the How do you want to open this type of file (.csv) window, click Notepad. In Notepad, review the contents of the .csv file, and read the header row. Close Notepad. In the Windows® Explorer window, right‑click DemoUsers.ps1, and then click Edit. In Windows PowerShell ISE, review the contents of the script. Note that the script: Refers to the location of the .csv file. Uses a foreach loop to process the .csv file contents. Refers to the columns defined by the header in the .csv file. Close Windows PowerShell ISE. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter. Type .\DemoUsers.ps1, and then press Enter. Close the Windows PowerShell prompt. Verify that new user accounts were created In Server Manager, click Tools, and then click Active Directory Administrative Center. In Active Directory Administrative Center, in the navigation pane, browse to Adatum (local)>LondonBranch. Verify that the user accounts were created. Note that the accounts are disabled, because no password was set during creation. Close Active Directory Administrative Center.
- Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind students to complete the discussion questions after the last lab exercise. Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by using command‑line tools. It has been mandated that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell. Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk You have been given a .csv file that contains a large list of new users for the branch office. It would be inefficient to create these users individually with graphical tools. Instead, you will use a Windows PowerShell script to create the users. A colleague that is experienced with scripting has provided you with a script that she created. You need to modify the script to match the format of your .csv file. Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. You have also been asked to ensure that all of the new user accounts in the branch office are configured to force users to change their passwords at their next logon.
- Question By default, are new user accounts enabled or disabled when you create them by using the New‑ADUser cmdlet? Answer By default, new user accounts are disabled when you create them by using the New‑ADUser cmdlet. Question What file extension do Windows PowerShell scripts use? Answer Windows PowerShell scripts use the .ps1 file extension.
- Review Questions Point students to the appropriate section in the course so that they are able to answer the questions that this section presents. Question A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file. However, his script is experiencing errors when attempting to set a default password. Why might this be happening? Answer The most common source of errors received when setting passwords during user account creation is the format of the variable containing the password. The variable containing a user password must be a secure string. After importing default passwords from the .csv file, your colleague must convert the value to a secure string so that it is encrypted in memory. Another common problem is trying to use passwords that do not meet complexity requirements. If you try to create a user account with the New‑ADUser cmdlets and use a password that does not meet complexity requirements, the user account is created but the password is not set, causing the user account to be disabled. Question You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students can generate a list of the new students and then export it as a .csv file. After the data has been exported to a .csv file, what information do you need to work with the data in a script? Answer To work with a .csv file, you need to know the name and location of the .csv file. This information allows you to import the .csv file into a variable. You also need to know the name of each column in the .csv file. If there is no header row with column names, then you need to create one. Question The Research department in your organization has been renamed “Research and Development.” You need to update the Department property of users in the Research department to reflect this change. You have created a query for user accounts with the department property set to Research, by using the Get‑ADUser cmdlet and the ‑Filter parameter. What is the next step to update the department property to Research and Development? Answer You need to pipe the output from the query to the Set‑ADUser cmdlet. The Set‑ADUser cmdlet modified the department property of the user accounts.