Windows PowerShell

Windows PowerShell 2.0 Brings Scripting to Active Directory and Not Just for Windows Server 2008 R2
Don Jones
Sometimes, it seems like Microsoft can take forever to produce the solutions we need. I mean, tens of thousands of worldwide employees, and still no Halo 4? But sometimes, the wait is simply because it's trying to produce the right solution, and in the case of Active Directory scripting and automation, the wait has paid off. Windows Server 2008 R2 ships with a Windows PowerShell 2.0 module that enables fantastic scripting and automation for Active Directory.
System Requirements: Truths & Myths
The new Active Directory commands for Windows PowerShell do require Windows PowerShell v2. The commands are distributed in a module, which is new to 2.0, rather than as a PSSnapin. Modules are easier to distribute and don't require installation or registration; you simply copy their files to the shell's Modules folder and use the Import-Module command to bring the module into the shell.
Windows PowerShell 2.0 is preinstalled in Windows 7 and Windows Server 2008 R2; it should be available for Windows Server 2008, Windows Vista, Windows XP, and Windows Server 2003 sometime near the end of 2009 or early 2010. The Active Directory module comes with Windows Server 2008 R2, but it's a myth that you have to have every domain controller (DC) in your environment running that OS in order to use the commands. In fact, the commands will work fine against a Windows Server 2003 DC and a Windows Server 2008 (non-R2) DC, provided you install the free Active Directory Management Gateway Service (download from microsoft.com/downloads) on those DCs. The Gateway Service is what the Active Directory commands talk to, and the service can be installed on Windows Server 2003 R2 SP2 and later, or Windows Server 2008 SP2 or later. Two practical caveats: the cmdlets don't speak LDAP directly, so they need the gateway (or, on R2, the built-in Active Directory Web Services) reachable on TCP 9389, a port your DC firewall rules may not yet allow; and each domain you manage needs at least one DC running it.
For now, your client computer needs to be running Windows 7 or Windows Server 2008 R2, because it is not currently possible to install the Active Directory module on anything older.
Authentication
One of the tricky bits of working with Active Directory is authentication: You may want to manage a domain other than the one you log into, and you may not have trusts between all of the domains that you want to manage. In some cases, you may have administrative rights in another domain, but only through an alternate user account. Windows PowerShell 2.0 doesn't provide a built-in mechanism for persisting all those different credentials, and so the folks who wrote the Active Directory module had to come up with a technique. What they designed is as elegant as it is easy: The Active Directory module includes a Windows PowerShell PSDrive provider, meaning you can map a drive to an Active Directory domain. That drive mapping contains your credentials, and it enables those credentials to persist for the duration of your shell session. When the module loads into the shell, it automatically maps your login domain, using whatever credentials you used to run Windows PowerShell 2.0 (caution: User Account Control applies, so be sure to run the shell as Administrator if that's what you need to do). To map new domains, use the New-PSDrive cmdlet, which supports command-line parameters for specifying credentials. Because a mapped drive holds a credential for the life of the session, treat a shell with several domains mapped the way you would any cached-credential store: remove the drive or close the shell when you're done, and don't leave such a session running on a shared jump host.
To change directories into a mapped domain, use the familiar cd command: cd AD:, for example, changes the shell's focus into the domain mapped by default. Changing into the domain is critical, because all of the Active Directory commands will, by default, use the credentials of whatever domain the shell is focused on at the time. It's a really neat trick, allowing you to run Active Directory commands without having to manually specify credentials each time. Need to run the same command against another domain? Just change to that domain, hit the up arrow a couple of times to recall the Active Directory command, and hit Enter to run it again in the new domain.
The Active Directory commands don't force you to work that way, though: Each of them also supports the command-line parameters needed to specify credentials on a case-by-case basis. So you can work whichever way you choose, a flexibility that I very much appreciate. The product team could have easily selected one technique or another, and the fact that they included both is an acknowledgement of the diversity of their audience.
The Commands
All told, the Active Directory module brings 82 new commands into the shell, ranging from obvious like New-ADUser to the more esoteric, like Install-ADServiceAccount. All of the cmdlets have an AD prefix, which performs two important functions. First, it helps distinguish the cmdlets from other similar ones: New-ADUser creates a new AD user, not a new local user or a new SQL Server user or something else. Second, the prefix helps you find all of the cmdlets easily: Run Help *-AD* and you'll get a list of all 82.
Each of the Active Directory commands has command-line parameters, lots of parameters in some cases. New-ADUser, for example, has about a zillion parameters, allowing you to set directory attributes like Office, Organization and so on without having to memorize the internal schema attribute names (I can never remember that Last Name is sn in the schema).
One neat thing about the commands is that they protect you from accidentally doing something stupid. For example, if you run Get-ADUser, you might expect to get a list of every user in the directory. In a large domain, that would not only take some time, but might well create a noticeable impact on your DC. To prevent that, the command's -Filter parameter is mandatory (strictly, Get-ADUser insists on one of -Identity, -Filter or -LDAPFilter), forcing you to provide a starting point (such as an organizational unit) or some other criteria. Of course, the command won't stop you from doing whatever it is you want to do; using -Filter * will in fact retrieve every user from the directory. It will not, however, automatically retrieve every attribute of those users, because, again, that might drag a DC down for a bit. Additional parameters like -ResultPageSize, which lets you specify how many results to bring over at once, and -Properties, which lets you specify which attributes to retrieve, help you fine-tune the balance between performance and getting the information you need.
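A scoped query and a small audit built on the parameters just described, as an added example that is not from the original article. It also uses -SearchBase, -SearchScope and -ResultSetSize, real Get-ADUser parameters the text above does not mention; the OU and domain names are assumptions.

```powershell
# Added example (not from the article). OU and domain names are assumed.
Import-Module ActiveDirectory

# Get-ADUser refuses to run without -Identity, -Filter or -LDAPFilter.
# Narrow the subtree and the page size so the DC does the least work:
$ou = 'OU=Staff,DC=corp,DC=example'   # assumed OU
Get-ADUser -Filter 'Department -eq "IT"' -SearchBase $ou -SearchScope Subtree `
    -ResultPageSize 500 |
    Select-Object SamAccountName, Name, Enabled

# -Filter * is allowed; when you only need a sample, cap the total with -ResultSetSize.
Get-ADUser -Filter * -SearchBase $ou -ResultSetSize 25 | Select-Object Name

# Only the default attribute set comes back. Name the extra attributes you need
# rather than using -Properties *, which pulls every attribute of every match.
# Audit: enabled accounts whose password never expires, oldest password first.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -SearchBase $ou -Properties PasswordLastSet, LastLogonDate, MemberOf |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ n = 'Groups'; e = { $_.MemberOf.Count } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

The filter string uses the module's own expression syntax, so $true inside the single-quoted filter is interpreted by the cmdlet, not by the shell.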
It's Like You're Hardly Working
I fondly (well, not really) recall the days when it took two dozen lines of VBScript to create and populate a new user in Active Directory. Now it's as simple as:
PS AD:\> New-ADUser -Name DonJ -CannotChangePassword $True -Department IT -DisplayName "Don Jones" -GivenName Don -Office "Las Vegas" -Organization "Concentrated Technology" -PasswordNeverExpires $True
One neat trick: After you create a new user, you might want to do additional things with the user object. If you add the -PassThru switch to the command, the newly-created user object is output to the pipeline, where another cmdlet can accept it as input. That lets you do something like this:
New-ADUser ... -PassThru | Set-ADAccountPassword ... -PassThru | Enable-ADAccount
I've shortened the syntax, obviously; ... is where all the normal parameters would go. This just illustrates how -PassThru lets you continue outputting the user object to the pipeline so other cmdlets can do something with it. Techniques like this enable incredibly efficient one-liners (one command line, rather than a script) that let you work much more efficiently.
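The shortened pipeline above written out in full, as an added example that is not from the original article. The password is read as a SecureString so it never appears on the command line or in the shell history; the OU, SamAccountName and surname are assumptions.

```powershell
# Added example (not from the article). OU and account details are assumed.
Import-Module ActiveDirectory

# Prompt for the initial password. Typing it as a -NewPassword argument would
# leave it in the session history; storing it in a script would be worse.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password'

# New-ADUser creates the account disabled when no password is supplied, which
# is why the password is set before Enable-ADAccount runs.
New-ADUser -Name 'DonJ' -SamAccountName 'donj' -GivenName 'Don' -Surname 'Jones' `
    -Path 'OU=Staff,DC=corp,DC=example' -Department 'IT' `
    -ChangePasswordAtLogon $true -PassThru |
  Set-ADAccountPassword -Reset -NewPassword $initialPassword -PassThru |
  Enable-ADAccount -PassThru |
  Get-ADUser -Properties PasswordLastSet |
  Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName
```

Each cmdlet in the chain binds the ADUser object from the pipeline to its -Identity parameter, so the object created in the first step is what gets its password set, enabled and re-read at the end.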
Wait - It Gets So Much Better
Here's the spot where I set up a little shrine, right in my office, to the guys and gals who wrote these Active Directory commands: I discovered a little miracle called pipeline parameter binding, and these folks used it to full effect. Run Help New-ADUser -Full, and start looking at the help for each individual parameter. You'll notice that many of them (the ones that correspond to Active Directory attributes, like City and Office and Department) accept pipeline input ByPropertyName. What that means is you can pipe input into the New-ADUser cmdlet, and if your input contains properties that match the parameter name, then they'll match automatically. So, if your input contains a City property, it'll attach itself to the -City parameter. If your input has a Department property, it'll hook itself up to the -Department parameter.
If you know how the Import-CSV cmdlet works, then you're already excited. Imagine a .CSV file that contains columns like this:
"Name","Department","Organization","City"
Each line in the file then contains the information for those columns. You could easily create this structure in Microsoft Office Excel, Microsoft Office Access, Microsoft SQL Server, or whatever, and then export your data to CSV format. If you do that, remembering to match your column names to the parameter names of New-ADUser, then you can create new users like this:
Import-CSV c:\new-users.csv | New-ADUser
Yep, that's all you'd have to type. Provided your .CSV file contains all the required columns (like Name, given the -Name parameter is mandatory), then New-ADUser will magically connect the right .CSV columns to the right parameters. Note that a column whose name matches no parameter is silently ignored rather than rejected, so check your headers before a bulk run. You can import a hundred new users in seconds, by typing fewer than 50 characters. If that doesn't completely sell you on learning Windows PowerShell 2.0 ... well, I guess you must really like clicking Next, Next, Finish.
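The bulk import with a header check and a dry run in front of it, as an added example that is not from the original article. The CSV content is constructed sample data embedded in the script (a real run would Import-Csv the file instead); the OU and domain names are assumptions.

```powershell
# Added example (not from the article). Sample rows are constructed; OU is assumed.
Import-Module ActiveDirectory

# Constructed input standing in for Import-Csv C:\new-users.csv.
$csv = @'
"Name","SamAccountName","Department","Organization","City","Path"
"Alice Example","alice.example","IT","Concentrated Technology","Las Vegas","OU=Staff,DC=corp,DC=example"
"Bob Example","bob.example","Finance","Concentrated Technology","Las Vegas","OU=Staff,DC=corp,DC=example"
'@
$users = $csv | ConvertFrom-Csv

# Binding is by exact parameter name: a misspelled header such as "Dept" is
# ignored without any error, so fail early if something required is absent.
$required = 'Name', 'SamAccountName', 'Path'
$have     = $users[0].PSObject.Properties | ForEach-Object { $_.Name }
$missing  = $required | Where-Object { $have -notcontains $_ }
if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

# Dry run: -WhatIf reports what would be created without touching the DC.
$users | New-ADUser -WhatIf

# Real run. Every other column (Department, Organization, City, Path) binds
# ByPropertyName; the accounts stay disabled until a password is set.
$users | New-ADUser -PassThru | Select-Object SamAccountName, Enabled, DistinguishedName
```

Including a Path column keeps each account out of the default Users container, and SamAccountName avoids the cmdlet deriving one from Name.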
AD Management, Done Right
One of the basic tenets of Windows PowerShell is that programmers should write all of the administrative functionality (like managing Active Directory) in shell cmdlets. Any GUI should basically be a front-end to those cmdlets. Microsoft Exchange Server 2007 introduced this pattern to us, and it works great: you get a great GUI, and you always have the option of dropping to the command line if the GUI doesn't do exactly what you need. So did Microsoft rewrite Active Directory Users and Computers this way?
Well, no. But honestly, that's a pretty aged tool. However, another innovative feature in Windows Server 2008 R2 is the Active Directory Administration Center, an all-new GUI used for managing Active Directory. And guess what's underneath the Administration Center? Yep, those Active Directory cmdlets. That means anything you do in the GUI, you can do from the shell, so anything that's repetitive or boring, you can relegate to a shell script.
So, finally, after almost a decade, Active Directory has truly arrived. We now have the option of simple, intuitive management through a GUI, or more powerful, automated administration through a full-featured command line that, frankly, isn't that much more complicated than using the GUI. You don't have to wait for Windows Server 2008 R2, because with the right add-on, your Windows Server 2003 domains can enjoy this same kind of manageability.