2,187
edits
Difference between revisions of "Active Directory (PowerShell)"
Jump to navigation
Jump to search
m
Active Directory (PowerShell) (view source)
Revision as of 15:24, 28 August 2013
, 15:24, 28 August 2013→Computers: Added "Remove-ADComputer"
(Next draft) |
m (→Computers: Added "Remove-ADComputer") |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
Import-Module ActiveDirectory | Import-Module ActiveDirectory | ||
</source> | </source> | ||
=== Credentials === | |||
Whilst its probably possible to perform <code>Get</code>/read-only CmdLets from your normal login, you should need to use an admin account to actually make changes. If you get the following error, you probably need to supply different username and password credentials to the command. | |||
* '''Either the target name is incorrect or the server has rejected the client credentials.''' | |||
All of the Active Directory module commands allow you to specify a <code>-Credential</code>, you can either pre-create a credentials object, or supply one at the time of running the command. | |||
<source lang="powershell"> | |||
$cred = Get-Credential # Create a credential object, the command will ask for your user/pass | |||
Add-ADGroupMember -Identity $Group -Members $Users -Credential $cred # Add $users to $Group, using $cred credentials | |||
# Alternatively do it all in the same command | |||
Add-ADGroupMember -Identity $Group -Members $Users -Credential (Get-Credential) | |||
</source> | |||
For more info on using Credentials in PowerShell see this page - [[Credentials_(PowerShell)]] | |||
=== Group Policy === | === Group Policy === | ||
| Line 26: | Line 42: | ||
== Users == | == Users == | ||
=== AD Fields === | === AD Fields === | ||
Field names don't necessarily match up between the PowerShell module, [[Acronyms#L|LDAP]], and what you see in the Users and Computers MMC GUI, see below for an in-exhaustive list... | Field names don't necessarily match up between the PowerShell module, [[Acronyms#L|LDAP]], and what you see in the Users and Computers MMC GUI, see below for an in-exhaustive list... | ||
| Line 67: | Line 67: | ||
| AccountPassword || || || If not set, new user account is disabled | | AccountPassword || || || If not set, new user account is disabled | ||
|} | |} | ||
=== <code>Get-ADUser</code> examples === | |||
<source lang="powershell"> | |||
$users = Get-ADUser -Filter * -SearchBase "DC=domain,DC=com" # Get all users in domain.com | |||
$user = Get-ADUser -Filter {SamAccountName -eq "username"} # Get user by logon/SAM account name | |||
$user = Get-ADUser -Filter {SamAccountName -eq "username"} -Properties * # Get all properties for user | |||
$user = Get-ADUser -Filter {{Surname -eq "last" -and GivenName -eq "first"}} # Get user by first and last names | |||
$users = Get-ADUser -Filter * -SearchBase "OU=London,OU=Users,DC=EU,DC=domain,DC=com" # Get users in London OU | |||
</source> | |||
To create a CSV export of fields from AD... | |||
<source lang="powershell"> | |||
$users = Get-ADUser -Filter * -SearchBase "DC=DOMAIN,DC=COM" -Properties Enabled, CanonicalName, Country, Created, LastLogonDate, mail | |||
$users | Select-Object Name, Enabled, CanonicalName, Country, Created, LastLogonDate, mail | export-csv -Path users.csv | |||
</source> | |||
* '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | |||
==== Distinguished Name ==== | |||
You can't filter using wildcards for the Distinguished Name filed (see http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/e6f5a98d-62d1-4659-b328-ebab6f546cc4). | |||
As a workaround, do a generic export from AD and pipe it through a <code>Where-Object</code> CmdLet (not that if you have a large number of users in AD this isn't particularly efficient). | |||
<source lang="powershell"> | |||
$users = Get-ADUser -Filter * | Where-Object {$_.DistinguishedName -like "*,CN=OuFolder,*"} | |||
</source> | |||
=== <code>New-ADUser</code> examples === | |||
<source lang="powershell"> | |||
# Create default new users password | |||
$UsrPwd = ConvertTo-SecureString -String $BssUsrPassword -AsPlainText -Force | |||
# Destination OU for new user | |||
$DstPath = "OU=department,DC=domain,DC=com" | |||
# Create new user | |||
$Usr = New-ADUser -Name $LogonName -GivenName $firstname -Surname $lastname -Description $desc -AccountPassword $UsrPwd -ChangePasswordAtLogon $true -Path $DstPath -PassThru | |||
# Make user account active | |||
Set-ADUser $Usr -ChangePasswordAtLogon $true -Enabled $true | |||
</source> | |||
=== <code>Remove-ADUser</code> examples === | |||
It would normally be quite foolhardy to delete a user account that wasn't already disabled. Deletion removes group memberships, file-permissions etc etc. Whilst you can create a new account with the same name, it won't have the same [[Acronyms#S|SID]] so '''it's not the same account'''. | |||
<source lang="powershell"> | |||
Remove-ADUser -Identity $user -Confirm:$false # $user retrieved from Get-ADUser, -Confirm:$false prevents confirmation prompt | |||
</source> | |||
== Groups == | == Groups == | ||
=== <code> Get-ADGroups</code> examples === | |||
<source lang="powershell"> | |||
$group = Get-ADGroup "Operations Supervisors" # Get the "Operations Supervisors" group | |||
$groups = Get-ADGroup -Filter 'Name -like "*Operations*"' # Get all security groups with Operations in the title | |||
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase "OU=Groups,DC=DOMAIN,DC=COM" # Get all security groups in the Groups OU | |||
</source> | |||
=== Copy Users From Existing Group === | |||
The script below copies users from an existing group and adds them to another group (existing users in the group are unaffected). | |||
<source lang="powershell"> | |||
$Src_Group = "Source Group Name" | |||
$Dst_Group = "Destination Group Name" | |||
$Users = Get-ADGroupMember $Src_Group | |||
Add-ADGroupMember -Identity $Dst_Group -Members $Users -Credential (Get-Credential) | |||
</source> | |||
=== AD Fields === | === AD Fields === | ||
{|class="vwikitable" | {|class="vwikitable" | ||
| Line 87: | Line 149: | ||
== Computers == | == Computers == | ||
To disable a computer account, use <code>Disable-ADAccoun</code> | |||
=== <code>Get-ADComputer</code> examples === | === <code>Get-ADComputer</code> examples === | ||
<source lang="powershell"> | <source lang="powershell"> | ||
| Line 92: | Line 155: | ||
</source> | </source> | ||
* '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | * '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | ||
=== <code>Remove-ADComputer</code> examples === | |||
<source lang="powershell"> | |||
Remove-ADComputer -Identity $computer -Confirm:$false | |||
</source> | |||
== Organisation Unit == | == Organisation Unit == | ||