
Chapter 4: Automating Active Directory Domain Services Administration


Windows Platform - CH 4


Contents

Lesson 1: Using Command-line Tools for Administration
  Benefits of Using Command-Line Tools for Administration
  What Is Csvde?
  What Is Ldifde?
  What Are DS Commands?
Lesson 2: Using Windows PowerShell for Administration
  Using Windows PowerShell Cmdlets to Manage Users
  Using Windows PowerShell Cmdlets to Manage Groups
  Using Windows PowerShell Cmdlets to Manage Computer Accounts
  Using Windows PowerShell Cmdlets to Manage OUs
Lesson 3: Performing Bulk Operations with Windows PowerShell
  What Are Bulk Operations?
  Demonstration: Using Graphical Tools to Perform Bulk Operations
  Querying Objects with Windows PowerShell
  Modifying Objects with Windows PowerShell
  Working with CSV Files
  Demonstration: Performing Bulk Operations with Windows PowerShell


Module Overview
• Using Command-line Tools for Administration
• Using Windows PowerShell for Administration
• Performing Bulk Operations with Windows PowerShell


Lesson 1: Using Command-line Tools for Administration

• Benefits of Using Command-Line Tools for Administration
• What Is Csvde?
• What Is Ldifde?
• What Are DS Commands?


Benefits of Using Command-Line Tools for Administration


Command-line tools allow you to automate AD DS administration
Benefits of using command-line tools:
• Faster implementation of bulk operations
• Customized processes for AD DS administration
• AD DS administration on server core

What Is Csvde?

Use CSVDE to export objects to a .csv file:

• -f filename
• -d RootDN
• -p SearchScope
• -r Filter
• -l ListOfAttributes

Use CSVDE to create objects from a .csv file:

• csvde -i -f filename -k


What Is Ldifde?

Use ldifde to export objects to an LDIF file:

• -f filename
• -d RootDN
• -r Filter
• -p SearchScope
• -l ListOfAttributes
• -o ListOfAttributes

Use ldifde to create, modify, or delete objects:

• ldifde -i -f filename -k


What Are DS Commands?

• Windows Server 2012 includes command-line tools that are suitable for use in scripts.
• Examples:
  • To modify the department of a user account, type:

    Dsmod user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -dept IT

  • To display the email of a user account, type:

    Dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -email

  • To delete a user account, type:

    Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

  • To create a new user account, type:

    Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"


Lesson 2: Using Windows PowerShell for Administration

• Using Windows PowerShell Cmdlets to Manage Users
• Using Windows PowerShell Cmdlets to Manage Groups
• Using Windows PowerShell Cmdlets to Manage Computer Accounts
• Using Windows PowerShell Cmdlets to Manage OUs


Using Windows PowerShell Cmdlets to Manage Users


Cmdlet                     Description
New-ADUser                 Creates user accounts
Set-ADUser                 Modifies properties of user accounts
Remove-ADUser              Deletes user accounts
Set-ADAccountPassword      Resets the password of a user account
Set-ADAccountExpiration    Modifies the expiration date of a user account
Unlock-ADAccount           Unlocks a user account after it has become locked after too many incorrect login attempts
Enable-ADAccount           Enables a user account
Disable-ADAccount          Disables a user account

New-ADUser "Joe Healy" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT

Using Windows PowerShell Cmdlets to Manage Groups


Cmdlet                               Description
New-ADGroup                          Creates new groups.
Set-ADGroup                          Modifies properties of groups.
Get-ADGroup                          Displays properties of groups.
Remove-ADGroup                       Deletes groups.
Add-ADGroupMember                    Adds members to groups.
Get-ADGroupMember                    Displays membership of groups.
Remove-ADGroupMember                 Removes members from groups.
Add-ADPrincipalGroupMembership       Adds group membership to objects.
Get-ADPrincipalGroupMembership       Displays group membership of objects.
Remove-ADPrincipalGroupMembership    Removes group membership from an object.


New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

Add-ADGroupMember CustomerManagement -Members "Joe Healy"

Using Windows PowerShell Cmdlets to Manage Computer Accounts

Cmdlet                           Description
New-ADComputer                   Creates new computer accounts
Set-ADComputer                   Modifies properties of computer accounts
Get-ADComputer                   Displays properties of computer accounts
Remove-ADComputer                Deletes computer accounts
Test-ComputerSecureChannel       Verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword    Resets the password for a computer account

New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Test-ComputerSecureChannel -Repair


Using Windows PowerShell Cmdlets to Manage OUs


Cmdlet                         Description
New-ADOrganizationalUnit       Creates organizational units
Set-ADOrganizationalUnit       Modifies properties of organizational units
Get-ADOrganizationalUnit       Views properties of organizational units
Remove-ADOrganizationalUnit    Deletes organizational units

New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true


Lesson 3: Performing Bulk Operations with Windows PowerShell

• What Are Bulk Operations?
• Demonstration: Using Graphical Tools to Perform Bulk Operations
• Querying Objects with Windows PowerShell
• Modifying Objects with Windows PowerShell
• Working with CSV Files
• Demonstration: Performing Bulk Operations with Windows PowerShell


What Are Bulk Operations?

• A bulk operation is a single action that changes multiple objects
• You can perform bulk operations by using:
  • Graphical tools
  • Command-line tools
  • Scripts
• The process for performing a bulk operation is:
  • Define a query
  • Modify the objects defined by the query

Demonstration: Using Graphical Tools to Perform Bulk Operations

In this demonstration, you will see how to:
• Create a query for all users
• Configure the Company attribute for all users
• Verify that the Company attribute has been modified

Querying Objects with Windows PowerShell


Parameter        Description
SearchBase       Defines the AD DS path to begin searching.
SearchScope      Defines at what level below the SearchBase a search should be performed.
ResultSetSize    Defines how many objects to return in response to a query.
Properties       Defines which object properties to return and display.


Operator    Description
-eq         Equal to
-ne         Not equal to
-lt         Less than
-le         Less than or equal to
-gt         Greater than
-ge         Greater than or equal to
-like       Uses wildcards for pattern matching

Modifying Objects with Windows PowerShell


Use the pipeline operator (|) to pass a list of objects to a cmdlet for further processing

Get-ADUser -Filter 'company -eq "$null"' | Set-ADUser -Company "A. Datum"

Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"' | Disable-ADAccount

Get-Content C:\users.txt | Disable-ADAccount
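
The query-then-modify pattern above, as an added example (not from the course material) that scopes the query with SearchBase, records the matched accounts, and dry-runs the change with -WhatIf. The OU, the 180-day threshold and the output path are assumptions.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module is
# installed; the OU, threshold and output path below are hypothetical.
Import-Module ActiveDirectory

$cutoff  = (Get-Date).AddDays(-180)        # assumption: 180-day staleness threshold
$base    = 'ou=Managers,dc=adatum,dc=com'  # limit the blast radius to one OU
$logFile = 'C:\Temp\stale-users.csv'       # hypothetical path for the change record

# 1. Define the query: enabled accounts under one OU with an old LastLogonDate.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates with a
#    lag of several days, so keep the threshold well above that.
$stale = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' `
    -SearchBase $base -SearchScope Subtree `
    -Properties LastLogonDate, Department

# 2. Record what is about to change so it can be reviewed and reversed.
$stale |
    Select-Object SamAccountName, DistinguishedName, Department, LastLogonDate |
    Export-Csv -Path $logFile -NoTypeInformation

Write-Host "Matched $(@($stale).Count) account(s); details in $logFile"

# 3. Modify the objects defined by the query. -WhatIf prints each action
#    without performing it; remove it only after reviewing the CSV.
$stale | Disable-ADAccount -WhatIf

# Rollback from the same record, if an account was disabled by mistake:
# Import-Csv $logFile |
#     ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName }
```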


Working with CSV Files


The first line of a .csv file defines the names of the columns

FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing

A foreach loop processes the contents of a .csv that have been imported into a variable

$users = Import-Csv C:\users.csv
foreach ($i in $users) {
    # $() is needed to expand a property inside a double-quoted string
    Write-Host "The first name is: $($i.FirstName)"
}
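
An added example (not from the course material) of creating accounts from the CSV layout above: each row gets a random password passed as a secure string, and the account is enabled explicitly with a forced password change at first logon. The target OU, the account-name scheme and the New-RandomPassword helper are hypothetical; -WhatIf keeps it a dry run.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module and a
# hypothetical target OU; the CSV rows are constructed sample data.
Import-Module ActiveDirectory

$TargetOU = 'ou=Students,dc=adatum,dc=com'   # assumption: this OU exists

# Constructed sample input; in practice: $users = Import-Csv C:\users.csv
$users = @'
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
'@ | ConvertFrom-Csv

function New-RandomPassword {                # hypothetical helper
    param([int]$Length = 16)
    # 64-character alphabet, so (byte % 64) is uniformly distributed
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        # Retry until upper case, lower case and a digit are all present
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    return $pw
}

foreach ($u in $users) {
    # Assumed naming scheme: first initial + last name, lower case
    $sam    = ($u.FirstName.Substring(0, 1) + $u.LastName).ToLower()
    # -AccountPassword only accepts a SecureString, never a plain string
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    try {
        New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
            -GivenName $u.FirstName -Surname $u.LastName `
            -SamAccountName $sam -Department $u.Department -Path $TargetOU `
            -AccountPassword $secure -ChangePasswordAtLogon $true `
            -Enabled $true -ErrorAction Stop -WhatIf
    } catch {
        Write-Warning "Failed to create ${sam}: $($_.Exception.Message)"
    }
}
```

Generating a password per account avoids keeping a shared default password in the .csv file; the generated value still has to reach the user through a separate channel before -WhatIf is removed.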

Demonstration: Performing Bulk Operations with Windows PowerShell

In this demonstration, you will see how to:
• Perform bulk operations at a Windows PowerShell prompt
• Use a Windows PowerShell script to create user accounts from a .csv file


Lab: Automating AD DS Administration by Using Windows PowerShell

• Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
• Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
• Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk


Module_04

Question: What criteria would you use to select between using csvde, ldifde, and the
DS commands?
Answer: If you are using a data source that can export as a .csv file, you would
most likely use csvde. However, csvde cannot modify existing objects. You are also
likely to use csvde when exporting data from AD DS.
If you are using a data source that can export as an LDIF file, then you would most
likely use ldifde. You would also use ldifde if you need to remove or modify existing
objects.
If you are modifying individual objects, then you will most likely use the DS
commands if you have chosen not to use graphical tools.

Question: Are the parameters for all cmdlets that you use to manage user accounts
the same?
Answer: No. Many of the parameters are the same or similar, but each cmdlet has
its own list of parameters.

Question: What is the difference between using -eq and -like when comparing
strings?
Answer: The -eq operator is used to find an exact match, meaning that it is not case
sensitive. The -like operator can be used with wildcards to find partial matches.

Question: Which attributes of a user account can you use when creating a query by
using the Filter parameter?
Answer: You can use any user account parameter that you can query. Use the
Properties parameter with a value of * (-Properties *) to identify all properties that
can be retrieved.


Question: In the foreach loop, how does $i change?
Answer: The foreach loop processes each row from the .csv file that has been
loaded into the $users variable. The loop is performed once for each row from the
.csv file. The variable $i represents each row as it is processed.

Question: By default, are new user accounts enabled or disabled when you create
them by using the New-ADUser cmdlet?
Answer: By default, new user accounts are disabled when you create them by using
the New-ADUser cmdlet.

Question: Which file extension is used by Windows PowerShell scripts?
Answer: Windows PowerShell scripts use the .ps1 file extension.

Question: A colleague is creating a Windows PowerShell script that creates user
accounts from data in a .csv file, but is experiencing errors when attempting to set a
default password. Why might this be happening?
Answer: The most common source of errors received when setting passwords during
user account creation is the format of the variable containing the password. The
variable containing a user password must be a secure string. After importing default
passwords from the .csv file, your colleague must convert the value to a secure
string so that it is encrypted in memory.
Another common problem is trying to use passwords that do not meet complexity
requirements. If you try to create a user account with the New-ADUser cmdlet, and
use a password that does not meet complexity requirements, the user account is
created, but the password is not set, which causes the user account to be disabled.


Question: You are an administrator for a school district that creates 20,000 new user
accounts for students each year. The administration system for students can
generate a list of the new students and then export it as a .csv file. After the data
has been exported to a .csv file, what information do you need to work with the data
in a script?
Answer: To work with a .csv file, you need to know the name and location of the
.csv file. This information allows you to import the .csv file into a variable. You also
need to know the name of each column in the .csv file. If there is no header row
with column names, then you need to create one.

Question: The Research department in your organization has been renamed to
Research and Development. You need to update the Department property of users
in the Research department to reflect this change.
You have created a query for user accounts with the department property set to
Research by using the Get-ADUser cmdlet and the -Filter parameter. What is the
next step to update the department property to Research and Development?
Answer: You need to pipe the output from the query to the Set-ADUser cmdlet. The
Set-ADUser cmdlet modifies the department property of the user accounts.
