
Module 5

Automating Active Directory Administration

Module Overview
Use the AD: drive in Windows PowerShell
Identify Active Directory cmdlets in Windows PowerShell

Perform key Active Directory management tasks related to users, groups, computers, and organizational units, by means of Windows PowerShell cmdlets

Lesson 1: Active Directory Automation Overview


Identify prerequisites for using the Microsoft Active Directory cmdlets in a domain

Explain the purpose and use of the AD: drive

List the cmdlets included in the ActiveDirectory module

Active Directory Administration


Nearly all Active Directory administration in PowerShell is accomplished using the ActiveDirectory module.

This module is installed on all Domain Controllers. It is also included as part of the Remote Server Administration Tools (RSAT) for Windows 7.

The ActiveDirectory module includes cmdlets that facilitate virtually every activity in Active Directory administration.

Its cmdlets provide the functionality that powers the graphical Active Directory Administrative Center console.

Its cmdlets communicate with a web service that is a part of Active Directory in Windows Server 2008 R2.

This same web service can be added to Windows Server 2003 and Windows Server 2008 by downloading and installing the Active Directory Management Gateway Service.

The web service needs to be installed to only a single Domain Controller in your local site.

Adding a Module
The Import-Module cmdlet

Can be used to load any external module into PowerShell.

Uses the following syntax to add the ActiveDirectory module:

Import-Module ActiveDirectory

Using this cmdlet imports the module into only the currently running session. You will need to import it in each session.

After it is loaded, the module adds a set of commands for administering Active Directory. You can retrieve the list of commands using:

Get-Command -Module ActiveDirectory

The Remove-Module cmdlet will unload the module from the current session.

The AD: Drive


Adding the ActiveDirectory module also adds a PSDrive provider.

This provider maps the AD: drive to your logon domain.

The main purpose of this drive is to provide a security context for executing cmdlets.

When you run an Active Directory cmdlet, it will automatically use the credentials and domain of the current AD: drive.

This eliminates the need to supply credentials for each command.

You can map other drives to other domains and credentials.

Cmdlets will run using the credentials associated with the current drive.

To use a different domain or set of credentials, change to the correct mapped drive, and then begin running cmdlets.
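
The drive-as-security-context behavior described above, shown as an added example that is not part of the original course material. The second domain (fabrikam.com), its Domain Controller name, and the account name are placeholders chosen for illustration.

```powershell
Import-Module ActiveDirectory

# The module creates AD: for the logon domain. List every Active Directory
# drive to see which domain each one is bound to.
Get-PSDrive -PSProvider ActiveDirectory | Format-Table Name, Root, CurrentLocation

# Prompt for the alternate account so no password is stored in the script.
# 'FABRIKAM\adm-reports' is a hypothetical account name.
$cred = Get-Credential -Credential 'FABRIKAM\adm-reports'

# Map a second drive to another domain, from within the AD: drive.
# 'dc1.fabrikam.com' and the DN below are placeholders.
Set-Location AD:
$drive = @{
    Name       = 'FAB'
    PSProvider = 'ActiveDirectory'
    Root       = 'DC=fabrikam,DC=com'
    Server     = 'dc1.fabrikam.com'
    Credential = $cred
}
New-PSDrive @drive | Out-Null

# Cmdlets now run against the domain and credentials of the current drive.
Set-Location FAB:
Get-ADDomain | Select-Object DNSRoot, PDCEmulator
Get-ADUser -Filter 'Name -like "*SvcAccount"' | Select-Object Name, DistinguishedName

# Switch back to the logon domain and drop the alternate context when done,
# so later commands do not silently run with the other credentials.
Set-Location AD:
Remove-PSDrive -Name FAB
```

Checking Get-ADDomain after each Set-Location is a quick way to confirm which domain and credentials a script is about to act on.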

Demonstration: The AD: Drive


Learn how to import the ActiveDirectory module and use the AD: drive

Tip for Earlier Versions of Windows


Be Aware: The Active Directory cmdlets are designed to be used on Windows Server 2008 R2 and Windows 7 only

This means that other operating systems cannot directly install and use the cmdlets

However, these older operating systems can indirectly use the cmdlets of another host

The process to use another host's cmdlets is called implicit remoting, and will be covered later in this course

Lesson 2: Managing Users and Groups


Use Windows PowerShell cmdlets to retrieve, create, enable, disable, modify, move, and remove Active Directory users and groups

Use Windows PowerShell cmdlets to reset Active Directory user account passwords

Discussion: User and Group Cmdlets


Which cmdlets are available to manage users and groups?

Which parameters accept pipeline input when you are creating a new user? Adding a member to a group?

Filtering
It is generally a bad idea to query every object in Active Directory at once

Doing so is computationally expensive

Doing so can impact your Domain Controllers' performance

Most Active Directory cmdlets define a mandatory parameter called -Filter

The -Filter parameter limits the number of records that the cmdlet will work with

It can accept wildcards and PowerShell-style criteria:

Get-ADUser -Filter 'Name -like "*SvcAccount"'


Get-ADUser -Filter {Name -eq "GlenJohn"}
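
A scoped query that applies the filtering advice above, shown as an added example that is not part of the original course material. It assumes the lab domain's DNS name is contoso.com and that a Sales OU exists; both are placeholders, as is the 90-day threshold.

```powershell
Import-Module ActiveDirectory

# Assumptions: contoso.com domain and a Sales OU (placeholders for the lab).
$searchBase = 'OU=Sales,DC=contoso,DC=com'
$cutoff     = (Get-Date).AddDays(-90)

# Anti-pattern, left commented out: -Filter * returns every user with every
# attribute, and the real filtering only happens on the client afterwards.
# Get-ADUser -Filter * -Properties * | Where-Object { $_.PasswordLastSet -lt $cutoff }

# Better: let the Domain Controller evaluate the criteria, limit the search
# to one OU, request only the attributes needed, and cap the result count.
$query = @{
    Filter        = 'Enabled -eq $true -and PasswordLastSet -lt $cutoff'
    SearchBase    = $searchBase
    SearchScope   = 'Subtree'
    Properties    = 'PasswordLastSet', 'PasswordNeverExpires'
    ResultSetSize = 200
}
$stale = Get-ADUser @query

# Enabled accounts whose password has not changed since the cutoff.
$stale |
    Sort-Object PasswordLastSet |
    Select-Object Name, SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize
```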

Demonstration: Managing Users and Groups


Review how to manage users and groups from within the shell

Lab A: Managing Users and Groups


Exercise 1: Retrieving a Filtered List of Users from Active Directory

Exercise 2: Resetting User Passwords and Address Information

Exercise 3: Disabling Users That Belong to a Specific Group

Logon information
Virtual machine: LON-DC1

Logon user name: Contoso\Administrator

Password: Pa$$w0rd

Estimated time: 30 minutes

Lab Scenario
You are an Active Directory administrator and want to manage your users and groups via PowerShell.

You recently upgraded your domain controller to Windows Server 2008 R2 and want to try the new PowerShell Active Directory cmdlets that came with it.

In order to handle internal tasks more quickly and be prepared to automate them, you want to learn how to find information in Active Directory. You also want to accomplish basic tasks such as resetting users' passwords, disabling users, and moving objects in Active Directory.

Lab Review
Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?

Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?

How do you add the Active Directory functionality to your PowerShell session?

Lesson 3: Managing Computers and Other Directory Objects

Use Windows PowerShell cmdlets to retrieve and modify Active Directory computer accounts

Use Windows PowerShell cmdlets to retrieve and view Active Directory fine-grained password policies

Use Windows PowerShell cmdlets to retrieve computer account information, including operating system version, service pack version, and last logon timestamp

Computer and Other Objects


The ActiveDirectory cmdlets can also interact with objects other than users, such as:

Computer objects

Groups

Fine-grained password policies

The cmdlets Get-ADComputer, New-ADFineGrainedPasswordPolicy, and many others interact with these objects in ways that are similar to working with users

Remember to pipe objects to Get-Member or Format-List * to see which properties are available

Spend time with the help for the ActiveDirectory module's cmdlets to see which administrative actions are exposed
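
Retrieving computer account details and fine-grained password policies, shown as an added example that is not part of the original course material. The operating system string and the 30-day threshold are illustrative choices; LON-DC1 is the lab machine named on this page.

```powershell
Import-Module ActiveDirectory

# Discover which properties a computer object exposes before writing a report.
Get-ADComputer -Identity 'LON-DC1' -Properties * | Get-Member -MemberType Property

# Server-side filter on operating system; request only the attributes needed.
$query = @{
    Filter     = 'OperatingSystem -like "Windows Server 2008 R2*"'
    Properties = 'OperatingSystem', 'OperatingSystemVersion',
                 'OperatingSystemServicePack', 'lastLogonTimestamp'
}
$servers = Get-ADComputer @query |
    Select-Object Name, OperatingSystem, OperatingSystemVersion,
        OperatingSystemServicePack,
        @{ Name = 'LastLogon'; Expression = {
            # lastLogonTimestamp is stored as a file-time integer and is only
            # replicated periodically, so treat it as approximate.
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        } }

$servers | Sort-Object LastLogon | Format-Table -AutoSize

# Accounts that have not logged on recently are candidates for review.
# The 30-day threshold is an illustrative value.
$threshold = (Get-Date).AddDays(-30)
$servers | Where-Object { -not $_.LastLogon -or $_.LastLogon -lt $threshold } |
    Select-Object Name, LastLogon

# View existing fine-grained password policies and who they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Format-List Name, Precedence, MinPasswordLength, ComplexityEnabled,
        LockoutThreshold, AppliesTo
```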

Demonstration: Computer and Other Objects


Learn how to manage computer and other directory objects from within the shell

Lab B: Managing Computers and Other Directory Objects

Exercise 1: Listing All Computers That Appear to Be Running a Specific Operating System According to Active Directory Information

Exercise 2: Creating a Report Showing All Windows Server 2008 R2 Servers

Exercise 3: Discovering Any Organizational Units That Aren't Protected Against Accidental Deletion

Logon information
Virtual machine: LON-DC1

Logon user name: Contoso\Administrator

Password: Pa$$w0rd

Estimated time: 20 minutes

Lab Scenario
As an Active Directory administrator, in addition to managing users and groups you also need to monitor the servers in your organization.

Active Directory contains details identifying servers, and you want to be able to use those details to discover servers and generate reports.

To meet new security policies, your company has decided to put more stringent password policies in place. You need to create fine-grained password policies for your organization and heard that PowerShell is the only way to do so.

As a senior IT administrator responsible for a team, you want to make sure that your team members don't accidentally delete important information in Active Directory. You want to use a new feature for OUs that prevents them from accidental deletion.

Lab Review
How can you see a list of all attributes that are available for an Active Directory object?

Which parameter can be used to limit the total number of objects returned in an Active Directory query?

Module Review and Takeaways


On which operating systems are the Active Directory cmdlets available?

Which module contains the Active Directory cmdlets?

What is the purpose of an Active Directory PSDrive?

Which drive must be active in order to use New-PSDrive to map a new drive to Active Directory?

Class Discussion
Common issues related to Active Directory
