
Managing Active Directory objects with PowerShell in Windows Server 2008

The Windows PowerShell environment allows object interaction through providers or native integration. Using this tool can make automating the management of AD fairly straightforward for all administrators.

With Windows Server 2008, Microsoft has included Windows PowerShell as an available feature that brings a new object-oriented command shell environment to aid in managing the operating system. PowerShell is also the primary management shell of other Microsoft products, including Exchange 2007 and SQL Server 2008.

Available as a download for Windows Server 2003 and Windows XP, PowerShell brings additional capabilities in automation and command-line management to Active Directory (AD). I'll concentrate on the management of AD objects with PowerShell. Using simple scripts or interactive commands, users, groups, and computers can be added, modified, or deleted. With a simple example, I will walk you through the process. If PowerShell really is the future of the command shell in Windows, getting started early will certainly benefit the Windows administrator. Even though there's a bit of a learning curve, PowerShell will make the life of an administrator much simpler when dealing with users, groups, and computers in AD.

Note: For those who have worked with VBScript in managing AD objects, you should fall right in with PowerShell.

Adding PowerShell to Windows Server 2008

Before using Windows PowerShell, it must first be installed in your environment. To do this, complete the following steps:

  1. Open the Windows Server 2008 Server Manager.
  2. Select the features node.
  3. Click Add feature.
  4. In the features node, scroll down the list and select Windows PowerShell.
  5. Click Next and then click Install.

Creating a User Object with Windows PowerShell

Now that Windows PowerShell is installed, open the PowerShell command shell by entering powershell.exe at the command line or choosing the executable from the Start Menu. When the command shell opens, the command prompt will display:

PS C:\>

Note: This release of Windows PowerShell does not include a native set of cmdlets for working with Active Directory. Version 1.0 uses a provider to hook into AD and manipulate objects.

In Windows PowerShell you can create variables to speed the entry process and allow the reuse of text when running a script. To create a variable, enter the name of the variable prefixed with a dollar sign. For example, $variable creates a variable called variable.

Creating a user object in AD requires the following actions:

  1. Connect to the container object in AD where you want to create the user object.
  2. Use the Create method of the container object to add the user.
  3. Specify the type of object and provide the name.
  4. Set the required properties of the object with the Put method of the newly created object.
  5. Commit the changes and new object to Active Directory.

For example, let's create a user object for a new user named Kevin Jefferson in the Accounting Users OU.

At the PowerShell command prompt, enter the following:

# Bind to the target OU through the ADSI type accelerator
$objTargetOU = [ADSI]"LDAP://OU=Accounting Users,DC=yourcompany,DC=com"
# Create the user object in the container (nothing is written to AD yet)
$objUser = $objTargetOU.Create("user", "CN=Kevin Jefferson")
# sAMAccountName is mandatory for a user object
$objUser.Put("sAMAccountName", "kevin.jefferson")
# Commit the new object and its attributes to the domain controller
$objUser.SetInfo()

The [ADSI] prefix specifies that the variable should use the Active Directory Service Interfaces (ADSI) provider to connect to the Accounting Users organizational unit (OU) object within the yourcompany.com domain. The provider is required because the current release of Windows PowerShell does not include native support for AD.

When specifying a property for the object you have created, you use the Put method of the object and supply the attribute name and its value. You can repeat this step once the object has been created to add other properties. Put only buffers the values locally; to commit them to AD you must call the SetInfo() method on the object.

Specifying passwords

Passwords are not added using the Put method; you will need to use the SetPassword method, which only works once the object has been committed with SetInfo(). Also, in Windows Server 2008 newly created security principal objects are disabled by default. Enable the account with the following command (note that PowerShell booleans are written $true and $false, and the property is reached through psbase):

$objUser.psbase.InvokeSet("AccountDisabled", $false)
$objUser.SetInfo()

This sets the AccountDisabled value to false and commits the change.
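The following script ties the steps above together (bind to the OU, Create, Put, SetInfo, SetPassword, enable, commit) and goes a little further than the article: it checks whether the object already exists so the script can be re-run safely, prompts for the password instead of embedding it, forces a password change at first logon and adds the user to a group. This is an added example, not code from the original article; the OU, group name, user name and domain are placeholders.

```powershell
# Added example (not from the original article). Assumed values: the OU,
# the group, the user name and the yourcompany.com domain are placeholders.
$ouPath    = "LDAP://OU=Accounting Users,DC=yourcompany,DC=com"
$groupPath = "LDAP://CN=Accounting Staff,OU=Accounting Users,DC=yourcompany,DC=com"
$cn        = "Kevin Jefferson"
$sam       = "kevin.jefferson"
$userPath  = "LDAP://CN=$cn,OU=Accounting Users,DC=yourcompany,DC=com"

# Create() fails if the object already exists, so check first; this makes
# the script safe to run more than once.
if ([ADSI]::Exists($userPath)) {
    Write-Host "User $cn already exists in the target OU; nothing to do."
    return
}

# Step 1-3: bind to the container and create the object
$ou   = [ADSI]$ouPath
$user = $ou.Create("user", "CN=$cn")

# Step 4: Put() buffers attribute values locally; nothing reaches the
# domain controller until SetInfo() is called.
$user.Put("sAMAccountName", $sam)
$user.Put("userPrincipalName", "$sam@yourcompany.com")
$user.Put("givenName", "Kevin")
$user.Put("sn", "Jefferson")
$user.Put("displayName", $cn)

# Step 5: commit the new object
$user.SetInfo()

# SetPassword only works on an object that already exists in AD, hence after
# the first SetInfo(). Prompt for the password rather than storing it in the
# script; SetPassword needs a plain string, so the SecureString is unwrapped
# only for the duration of the call and the buffer is zeroed afterwards.
$secure = Read-Host "Initial password for $sam" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
$user.SetPassword($plain)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plain = $null

# New accounts are created disabled; enable via the IADsUser AccountDisabled
# property. PowerShell booleans are $true/$false, not true/false.
$user.psbase.InvokeSet("AccountDisabled", $false)

# pwdLastSet = 0 forces the user to change the initial password at first logon
$user.Put("pwdLastSet", 0)
$user.SetInfo()

# IADsGroup.Add takes the member's ADsPath
$group = [ADSI]$groupPath
$group.Add($user.psbase.Path)

# Read the object back from AD to confirm what was committed
$check  = [ADSI]$userPath
$groups = [string]::Join("; ", @($check.memberOf))
"{0}: userAccountControl={1}, memberOf={2}" -f $check.sAMAccountName, $check.userAccountControl, $groups
```

Run it from a session with rights to create objects in the OU. SetPassword is rejected by the domain controller if the supplied password does not satisfy the domain password policy, so an error at that line usually means a policy problem rather than a scripting one. The final line should report userAccountControl=512 (a normal, enabled account); 514 means the enable step did not commit.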

Notes about reusing code in a script

  • To work with Windows PowerShell, it needs to be installed on each system where it will be used.
  • Running scripts in Windows PowerShell is disabled by default. To enable it, enter the following from the PowerShell command prompt:

    Set-ExecutionPolicy remotesigned

Running a script in Windows PowerShell also requires that the path to the script be specified, even when it sits in the current directory. The current directory is referenced with the .\ (dot backslash) notation, for example .\script.ps1.

I hope that you will give Windows PowerShell a look when working with objects in Active Directory in Windows Server 2008 to automate the maintenance of AD objects. Keep in mind that Windows PowerShell is capable of many things, and this post is focused on creating an object. A great resource for Windows PowerShell is available at http://www.microsoft.com/technet/scriptcenter/default.mspx.


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.
