Active Directory (PowerShell): Difference between revisions

From vwiki
Revision as of 22:07, 19 May 2013

Getting Started

You need to have RSAT (Remote Server Administration Tools) installed; for Windows 7 see http://www.microsoft.com/en-gb/download/details.aspx?id=7887. This enables your local machine to remotely manage Windows servers and services via the usual MMC GUIs (e.g. AD Users and Computers) and, most importantly, includes the PowerShell modules needed to do the same from the command line.

Be aware that PowerShell DFS management is currently poor: it's only possible from Windows 8 and 2012 machines, and even then it's very limited.

Once installed, go to Control Panel | Programs | Turn Windows features on or off and enable the PowerShell module; the full path is as follows...

  • Remote Server Administration Tools | Role Administration Tools | Active Directory Module for Windows PowerShell

In order to be able to access the PowerShell Active Directory cmdlets, import the AD module into your PowerShell session...

Import-Module ActiveDirectory

Group Policy

The PowerShell GPO module is installed with

In order to be able to access the PowerShell GPO cmdlets, import the GPO module into your PowerShell session...

Import-Module GroupPolicy

Users

Get-ADUser examples

$users = Get-ADUser -Filter * -SearchBase "DC=domain,DC=com"                           # Get all users in domain.com
$user = Get-ADUser -Filter {SamAccountName -eq "username"}                             # Get user by logon/SAM account name
$user = Get-ADUser -Filter {SamAccountName -eq "username"} -Properties *               # Get all properties for user
$user = Get-ADUser -Filter {Surname -eq "last" -and GivenName -eq "first"}             # Get user by first and last names
$users = Get-ADUser -Filter * -SearchBase "OU=London,OU=Users,DC=EU,DC=domain,DC=com"  # Get users in London OU

To create a CSV export of fields from AD...

$users = Get-ADUser -Filter * -SearchBase "DC=DOMAIN,DC=COM" -Properties Enabled, CanonicalName, Country, Created, LastLogonDate, mail
$users | Select-Object Name, Enabled, CanonicalName, Country, Created, LastLogonDate, mail | Export-Csv -Path users.csv
  • LastLogonDate - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days: AD intentionally doesn't update it at every logon by the user/device so as to reduce the amount of replication traffic between domain controllers

AD Fields

Field names don't necessarily match up between the PowerShell module, LDAP, and what you see in the Users and Computers MMC GUI; see below for a non-exhaustive list...

Active Directory user field equivalents

PowerShell          ldapDisplayName   Users and Computers             Comments
UserPrincipalName                     Account | User logon name
Name                name              Account | Pre Win2k login name
GivenName           givenName         General | First name
Surname             sn                General | Last name
DisplayName         displayName       General | Display Name
Description         description       General | Description
Path                N/A               N/A                             X.500 path of OU/container for object
SamAccountName      sAMAccountName                                    Set to same as Name if not specified
AccountPassword                                                       If not set, the new user account is disabled

Groups

AD Fields

Active Directory group field equivalents

PowerShell          ldapDisplayName   Users and Computers                          Comments
Name                name              General (name at top)
SamAccountName      sAMAccountName    General | Group name (pre-Windows 2000)      Set to same as Name if not specified
N/A                 info              General | Notes
Description         description       General | Description
Path                N/A               N/A                                          X.500 path of OU/container for object

Computers

Get-ADComputer examples

$devices = Get-ADComputer -Filter * -SearchBase "DC=domain,DC=com" -Properties IPv4Address, OperatingSystem,  Created, LastLogonDate
  • LastLogonDate - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days: AD intentionally doesn't update it at every logon by the user/device so as to reduce the amount of replication traffic between domain controllers
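The LastLogonDate tolerance noted under both the user and computer sections matters when a report is used to decide which accounts are stale. As an added example (not code from the wiki page), the function below queries the non-replicated lastLogon attribute on every domain controller and keeps the newest value, which is exact; Get-ADAccurateLastLogon and its parameters are my own names, and domain.com is a placeholder.

```powershell
# Added example (not from the wiki page): exact last-logon lookup for a user or
# computer account. LastLogonDate comes from the replicated lastLogonTimestamp and
# can lag real activity by up to 14 days; lastLogon is exact but NOT replicated,
# so the true value is the newest lastLogon held by any domain controller.
Import-Module ActiveDirectory

function Get-ADAccurateLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # "jsmith", or "WS01$" for a computer
        [string]$Domain = "domain.com"                   # placeholder domain name
    )
    $newest = [datetime]::MinValue
    $source = $null
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $obj = Get-ADObject -Server $dc.HostName -Properties lastLogon `
                -LDAPFilter "(sAMAccountName=$SamAccountName)"
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"   # unreachable DC: skip, don't abort
            continue
        }
        if (-not $obj -or -not $obj.lastLogon) { continue }       # no logon ever recorded by this DC
        $t = [datetime]::FromFileTime($obj.lastLogon)             # lastLogon is a Windows FILETIME (Int64)
        if ($t -gt $newest) { $newest = $t; $source = $dc.HostName }
    }
    $last = if ($source) { $newest } else { $null }               # $null = never logged on anywhere
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        LastLogon      = $last
        ReportedByDC   = $source
    }
}

# Stale-account report: enabled users whose replicated LastLogonDate is older than
# 90 days, re-checked against the exact per-DC value before anyone disables them.
# Accounts that have never logged on have no LastLogonDate and are not matched here.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
           -SearchBase "DC=domain,DC=com" -Properties LastLogonDate |
    ForEach-Object {
        $exact = Get-ADAccurateLastLogon -SamAccountName $_.SamAccountName
        [pscustomobject]@{
            Name          = $_.Name
            LastLogonDate = $_.LastLogonDate   # replicated, up to 14 days stale
            LastLogon     = $exact.LastLogon   # exact, newest across all DCs
        }
    } | Export-Csv -Path stale-users.csv -NoTypeInformation
```

The same function works for computer objects (pass the SAM account name with its trailing $), so the Get-ADComputer report above can be checked the same way.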

Organisation Unit

New-ADOrganizationalUnit examples

$OU = New-ADOrganizationalUnit -Name "DeptX" -Path "DC=domain,DC=com" -PassThru

Errors

  • Check that you have an accessible DC with Web Services available
  • See http://www.microsoft.com/en-gb/download/details.aspx?id=2852 to install (requires restart!)

Managing Multiple Domains

Unless you've specified otherwise, commands will be handled by the domain identified by ...?

Use the -Server and -Credential options, available for all PowerShell AD commands, to specify the DC and credentials required to service the commands, for example...

$users = Get-ADUser -Filter * -SearchBase "DC=domain,DC=com"  -Server "10.10.1.10" -Credential $cred

For more info on working with credentials, or help on creating a credentials object, see Credentials_(PowerShell).
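Building on the -Server and -Credential example above, the following added example (my code, not the wiki's) runs one query against every domain in the forest, locating a DC per domain rather than hard-coding an address; Get-ADUserForestWide is my own name, and the credential is assumed to belong to an account with read access in every domain.

```powershell
# Added example (not from the wiki page): run one user query against every domain
# in the forest, explicitly targeting a discovered DC per domain with -Server instead
# of relying on the session's default domain. The credential is assumed to be an
# account with read access in every domain (see Credentials_(PowerShell)).
Import-Module ActiveDirectory

function Get-ADUserForestWide {
    param(
        [Parameter(Mandatory)][string]$Filter,   # AD filter string, e.g. 'Enabled -eq $false'
        [pscredential]$Credential                # optional; the session identity is used if omitted
    )
    $common = @{}
    if ($Credential) { $common.Credential = $Credential }
    $forest = Get-ADForest @common
    foreach ($domainName in $forest.Domains) {
        # DC locator finds a reachable DC; avoids hard-coding an address such as 10.10.1.10
        [string]$dc = (Get-ADDomainController -Discover -DomainName $domainName).HostName
        try {
            Get-ADUser -Filter $Filter -Server $dc -Properties Enabled, LastLogonDate @common |
                Select-Object @{ n = 'Domain'; e = { $domainName } },
                              SamAccountName, Enabled, LastLogonDate
        } catch {
            Write-Warning "Query against $dc ($domainName) failed: $_"  # report and carry on
        }
    }
}

# Disabled accounts across the whole forest in a single CSV rather than one per domain.
$cred = Get-Credential -Message "Account with read access in every domain"
Get-ADUserForestWide -Filter 'Enabled -eq $false' -Credential $cred |
    Export-Csv -Path forest-disabled-users.csv -NoTypeInformation
```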