Windows

Managing Active Directory objects with PowerShell in Windows Server 2008

The Windows PowerShell environment allows object interaction through providers or native integration. Using this tool can make automating the management of AD fairly straightforward for all administrators.

With Windows Server 2008, Microsoft has included Windows PowerShell as an available feature that brings a new object-oriented command shell environment to aid in managing the operating system. PowerShell is also the primary management shell of other Microsoft products, including Exchange 2007 and SQL Server 2008.

Available as a download for Windows Server 2003 and Windows XP, PowerShell brings additional capabilities in automation and command-line management to Active Directory (AD). I'll concentrate on the management of AD objects with PowerShell. Using simple scripts or interactive commands, users, groups, and computers can be added, modified, or deleted. With a simple example, I will walk you through the process. If PowerShell really is the future of the command shell in Windows, getting started early will certainly benefit the Windows administrator. Even though there's a bit of a learning curve, PowerShell will make the life of an administrator much simpler when dealing with users, groups, and computers in AD.

Note: For those who have worked with VBScript in managing AD objects, you should fall right in with PowerShell.

Adding PowerShell to Windows Server 2008

Before using Windows PowerShell, it must first be installed in your environment. To do this, complete the following steps:

  1. Open the Windows Server 2008 Server Manager.
  2. Select the features node.
  3. Click Add feature.
  4. In the features node, scroll down the list and select Windows PowerShell.
  5. Click Next and then click Install.

Creating a User Object with Windows PowerShell

Now that Windows PowerShell is installed, open the PowerShell command shell by entering powershell.exe at the command line or choosing the executable from the Start Menu. When the command shell opens, the command prompt will display:

PS C:\>

Note: Windows PowerShell does not include in this release a native set of tools for working with Active Directory. Version 1.0 uses a provider to hook into AD and manipulate objects.

In Windows PowerShell you can create variables to speed the entry process and allow the reuse of text when running a script. To create a variable, enter the name of the variable prefixed with a dollar sign. For example, $variable would create a variable called variable.

Creating a user object in AD requires the following actions:

  1. Connect to the container object in AD where you want to create the user object.
  2. Use the Create method of the container object to add the user.
  3. Specify the type of object and provide the name.
  4. Set the required properties of the object with the Put method of the newly created object.
  5. Commit the changes and new object to Active Directory.

For example, let's create a user object for a new user named Kevin Jefferson in the Accounting Users OU.

At the PowerShell command prompt, enter the following:

$objTargetOU = [ADSI]"LDAP://OU=Accounting Users,DC=yourcompany,DC=com"
$objUser = $objTargetOU.Create("user", "CN=Kevin Jefferson")
$objUser.Put("sAMAccountName", "kevin.jefferson")
$objUser.SetInfo()

The [ADSI] type accelerator specifies that the variable should use the Active Directory Service Interfaces (ADSI) provider to connect to the Accounting Users organizational unit (OU) object within the yourcompany.com domain. The provider is required because the current release of Windows PowerShell does not include native support for AD.

When specifying a property for the object you have created, you use the Put method of the object and specify the attribute name and its value. You can repeat this step after the object has been created to add other properties. Nothing is written to AD until you call the SetInfo() method on the object, which commits the pending changes.

Specifying passwords

Passwords are not added using the Put method; you need to use the SetPassword method instead, and it only works once the object has been committed with SetInfo(). Also, in Windows Server 2008 newly created security principal objects are disabled by default, so enable the account with the following command:

$objUser.psbase.InvokeSet("AccountDisabled", $false)

This sets the AccountDisabled value to $false (note the $: in PowerShell a bare false is not a boolean), which enables the account.
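The five steps above plus the password and enable calls, combined into one reusable script. This is an added example and not code from the original article; the script name New-AdsiUser.ps1, the OU path and the yourcompany.com UPN suffix are assumptions to replace for your own domain.

```powershell
# New-AdsiUser.ps1: added example, not code from the original article.
# Creates a user with the [ADSI] provider, sets its password and enables it.
# The OU path and UPN suffix are placeholders; change them for your domain.
param(
    [string]$GivenName,
    [string]$Surname,
    [string]$SamAccountName,
    [string]$OuPath = "LDAP://OU=Accounting Users,DC=yourcompany,DC=com"
)

if (-not $GivenName -or -not $Surname -or -not $SamAccountName) {
    Write-Error "Usage: .\New-AdsiUser.ps1 GivenName Surname SamAccountName [OuPath]"
    exit 1
}

$cn = "$GivenName $Surname"
$userPath = "LDAP://CN=$cn," + ($OuPath -replace '^LDAP://', '')

# Step 1: connect to the container, failing early on a bad OU or a duplicate user.
if (-not [ADSI]::Exists($OuPath)) { Write-Error "OU not found: $OuPath"; exit 1 }
if ([ADSI]::Exists($userPath)) { Write-Error "Already exists: $userPath"; exit 1 }
$objTargetOU = [ADSI]$OuPath

# Prompt for the password so it never appears on the command line or in history.
$secure = Read-Host -AsSecureString "Password for $SamAccountName"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Steps 2-5: create the object, set its attributes with Put, then commit.
$objUser = $objTargetOU.Create("user", "CN=$cn")
$objUser.Put("sAMAccountName", $SamAccountName)
$objUser.Put("givenName", $GivenName)
$objUser.Put("sn", $Surname)
$objUser.Put("displayName", $cn)
$objUser.Put("userPrincipalName", "${SamAccountName}@yourcompany.com")
$objUser.SetInfo()

# SetPassword and the enable flag need a committed object, so they follow SetInfo().
$objUser.SetPassword($plain)
$plain = $null
$objUser.psbase.InvokeSet("AccountDisabled", $false)
$objUser.Put("pwdLastSet", 0)   # user must change the password at first logon
$objUser.SetInfo()
Write-Host "Created and enabled $userPath"
```

Run it from the directory that holds it as .\New-AdsiUser.ps1 Kevin Jefferson kevin.jefferson, under an account that has rights to create objects in the target OU.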

Notes about reusing code in a script

  • To work with Windows PowerShell it needs to be installed on each system where it will be used.
  • Running scripts in Windows PowerShell is disabled by default. To enable it, enter the following from the PowerShell command prompt:

Set-ExecutionPolicy RemoteSigned

Using scripts in Windows PowerShell also requires that the path to the script be specified. Specifying the local directory can be done using a .\ (dot backslash) notation.

I hope that you will give Windows PowerShell a look when working with objects in Active Directory in Windows Server 2008 to automate the maintenance of AD objects. Keep in mind that Windows PowerShell is capable of many things, and this post is focused on creating an object. A great resource for Windows PowerShell is available at http://www.microsoft.com/technet/scriptcenter/default.mspx.


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

9 comments
Photogenic Memory

I'm bullshitting! Gonna give MS PowerShell a go. I loved DOS 6.0 by the way. And remember FAT!? I love a little bit on my women too (not a ton though).

davo_mitchell

Cool! Quest make a great set of AD tools for Powershell that simplify this and other day-to-day AD admin tasks even further.

Craig_B

I really like PowerShell and I'm learning more each day about it. It is easy to use, flexible and powerful. I can't wait for PS 2.0 to be released to really bring it up to speed. I highly recommend Quest PowerGUI and plugins at powergui.org. Quest adds a lot of AD management functionality, something that Microsoft should have included to begin with and that they are adding to PS 2.0.

Derek Schauland

Will the ability to manage Active Directory and other products like Exchange move you toward PowerShell?

Derek Schauland

Full integration of Active Directory. With the management allowed now and the Quest tools, it should be a pretty sweeping set of tools and cmdlets that come out when Microsoft fully integrates AD and PowerShell.

Tony K

As someone who manages his environment with a large collection of batch files, vbscripts and now .NET apps written with the VB 2008 Express Edition, I was intrigued when PowerShell came about. But, as I played with it, I realized it was really nothing more than vbscript... without an IDE. I continue to follow PowerShell along. I continually look for something that would get me to start using it exclusively, but I haven't found it yet. Your example, for example, is a good one. But I would write that in VB and make it generic enough that I could use it to create users regularly. Why would I type all of that only to use it once? Sure, I could write it as a PowerShell script and have it available, but how is that any different from having my scripts directory in my path and just running them from the regular command line? All of that being said, I think for new Windows administrators, PowerShell is probably a big boon if they've never scripted before, if only due to the wealth of community-generated documentation that's available, such as this article. But, as someone who's already rooted in other tools, I can't see a value-add.

Craig_B

Granted, if you already have a ton of vbscripts or other utils you will be ok for now, but I find I can write something in PS much easier and reuse it in many different ways.

With the help of the Quest AD plugins, to create a new user:

new-QADUser -name 'UserX' -ParentContainer 'OU=UserOU,DC=company,DC=com' -samAccountName 'userx' -UserPassword 'password'

Here are some other things:

Returns all computers that are not a member of any groups:
get-qadcomputer | where-object { -not $_.memberof }

Add notes to userx:
get-qaduser UserX | set-qaduser -notes "Added by PowerShell"

Get current mail permissions on a user and export to a csv file:
get-adpermission UserX | export-csv -path c:\file.csv

With the VMware plugin:

Create a snapshot:
new-snapshot VMGuestName -Name SnapshotName

Display all snapshots:
get-vm | get-snapshot

Here's a simple function that will change the color of the text: color-text "hello world" will display green text by default.

Function Color-Text {
    Param([string]$text = "Default color is green!", [string]$color = "green")
    write-host $text -foregroundcolor $color
}

Piping objects is where the power is at; you are not just piping output. I hope the above examples show how easy it is to do some cool things.

Ryk

Read up on it, because you definitely get some great features that you don't have with vbscript. The main one is that it's truly object-oriented, so that you're always working with objects instead of a text string that refers to the object. Plus, there are a lot of built-in features that automatically do things that you now have to write additional code for (one that comes to mind is outputting stuff in various formats.)

Tony K

All of your examples are things that I currently do with vbscript or .NET... but it's a whole different syntax, and thus I have to relearn everything without gaining any additional features.