
Module 2 Cmdlets For Administration

This document provides an overview of Module 2 which covers cmdlets for Windows administration. The module contains lessons on Active Directory administration cmdlets, network configuration cmdlets, and other server administration cmdlets. Lesson 1 focuses on Active Directory user management cmdlets like New-ADUser, Get-ADUser, and Set-ADUser as well as group management cmdlets. It also describes cmdlets for managing computer objects, organizational units, and Active Directory objects.

Uploaded by

Junior Camargo

Module 2: Cmdlets for administration https://skillpipe.com/pt-BR/Book/BookPrintView/c50bcc75-...

Module 2: Cmdlets for administration

Contents:

Module overview

Lesson 1: Active Directory administration cmdlets

Lesson 2: Network configuration cmdlets

Lesson 3: Other server administration cmdlets

Lab: Windows administration

Module review and takeaways

Module overview

Each time you need to accomplish a task in the Windows PowerShell command-line interface, you could search
for the cmdlets you need. However, you will be a more productive administrator if you have at least a basic
understanding of the cmdlets that are available for system administration so that you do not need to search for
them at all. Even if you do need to search for cmdlets, you can predict naming patterns and find them more
quickly. In this module, you will learn about the cmdlets that you will commonly use for administration.

Objectives
After completing this module, students will be able to:

• Identify and use cmdlets for Active Directory administration.

• Identify and use cmdlets for network configuration.

• Identify and use cmdlets for other server administration tasks.

Lesson 1: Active Directory administration cmdlets

Active Directory Domain Services (AD DS) and its related services form the core of Windows Server–based
networks. The AD DS database stores information about all the objects that make up the network, such as
accounts for users, computers, and groups. The AD DS database is searchable and provides a mechanism for
applying configuration and security settings for all of those objects.

1 of 37 16/07/2018 13:11

The Active Directory module for Windows PowerShell gives you the ability to automate AD DS administration. The
use of Windows PowerShell for AD DS administration speeds up administration by allowing you to make bulk
updates instead of updating AD DS objects individually. In this lesson, you will learn about the cmdlets for
administering AD DS. To find Active Directory cmdlets, look for the prefix “AD,” which most Active Directory
cmdlets have in the noun part of the cmdlet name.

Lesson objectives
After completing this lesson, students will be able to:

• Identify user management cmdlets.

• List group management cmdlets.

• Manage users and groups.

• Describe the cmdlets for managing computer objects.

• Describe the cmdlets for managing organizational units (OUs).

• Describe the cmdlets for managing Active Directory objects.

• Manage Active Directory objects.

User management cmdlets

User management is a core responsibility of administrators. Windows PowerShell cmdlets allow you to create,
modify, and delete user accounts individually or in bulk. User account cmdlets have the text “User” or “Account”
in the noun part of the name. Include one or the other in wildcard name searches when you are using Get-Help or
Get-Command.

The following table lists some common cmdlets for managing user accounts.

Cmdlet Description

New-ADUser Creates a user account

Get-ADUser Retrieves a user account

Set-ADUser Modifies properties of a user account

Remove-ADUser Deletes a user account

Set-ADAccountPassword Resets the password of a user account

Set-ADAccountExpiration Modifies the expiration date of a user account

Unlock-ADAccount Unlocks a user account that has been locked after exceeding the accepted
number of incorrect sign-in attempts

Enable-ADAccount Enables a user account

Disable-ADAccount Disables a user account

Retrieving users

The Get-ADUser cmdlet requires that you identify the user or users that you want to retrieve. You can do this by
using the -Identity parameter, which accepts one of several property values, including the Security Accounts
Manager (SAM) account name or distinguished name.

Windows PowerShell only returns a default set of properties when you use Get-ADUser. To view other properties,
you will need to use the -Properties parameter with a comma-separated list of properties or the “*” wildcard.

For example, you can retrieve the default set of properties along with the department and email address of a user
with the SAM account janedoe by typing the following command in the console, and then pressing Enter:

Get-ADUser -Identity janedoe -Properties Department,EmailAddress

The other way to specify a user or users is with the -Filter parameter. The -Filter parameter accepts a query based
on regular expressions, which later modules in this course cover in more detail. For example, to retrieve all AD DS
users and their properties, type the following command in the console, and then press Enter:

Get-ADUser -Filter * -Properties *

Note: The help for Get-ADUser includes examples that use features of Windows PowerShell that you will
learn about later in this course. For example, more advanced -Filter operations require comparison
operators, which you will learn about in the next module.

Creating new user accounts

When you use the New-ADUser cmdlet to create new user accounts, the -Name parameter is required.

You can also set most other user properties, including a password. When you create a new account, consider the
following points:

• If you do not use the -AccountPassword parameter, then no password is set and the user
account is disabled. You cannot set the -Enabled parameter as $true when no password is
set.

• If you use the -AccountPassword parameter to specify a password, then you must specify a
variable that contains the password as a secure string or choose to enter the password from
the console. A secure string is encrypted in memory.

• If you set a password, then you can enable the user account by setting the -Enabled
parameter as $true.

The following table lists common parameters for the New-ADUser cmdlet.

Parameter Description

-AccountExpirationDate Defines the expiration date for a user account

-AccountPassword Defines the password for a user account

-ChangePasswordAtLogon Requires a user account to change passwords at the next sign-in

-Department Defines the department for a user account

-DisplayName Defines the display name for a user account

-HomeDirectory Defines the location of the home directory for a user account

-HomeDrive Defines the drive letters that map to the home directory for a user account

-GivenName Defines the first name of a user account

-Name Defines the name of a user account

-Path Defines the OU or container where the user account is created

-SamAccountName Defines the SAM account name for a user account

-Surname Defines the last name of a user account

To add a user account in the IT department, type the following command in the console, and then press Enter:

New-ADUser "Jane Doe" -Department IT

Because no password was set, the account is not enabled, and you cannot enable it.

Note: Later in the course, you will learn how to read text files and comma-delimited files, which you can
use for bulk creation of passwords.
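
The following added example (not part of the course material) applies the password rules above: it creates one account that is enabled from the start, and then sets a password on the Jane Doe account so that it can be enabled. The John Roe name and johnroe SAM account name are constructed sample values, and the IT OU in the Adatum lab domain is assumed to exist.

```powershell
# Added example, not part of the course material. Requires the ActiveDirectory
# module and permission to create and modify users in the target OU.
Import-Module ActiveDirectory

# --- Case 1: create an account that is enabled from the start ---------------
# Read the initial password from the console as a SecureString so that it is
# not echoed to the screen and is not stored in the script.
$initialPassword = Read-Host -Prompt 'Initial password for johnroe' -AsSecureString

# Name, SAM account name and OU are constructed sample values.
$newUser = @{
    Name                  = 'John Roe'
    GivenName             = 'John'
    Surname               = 'Roe'
    SamAccountName        = 'johnroe'
    Department            = 'IT'
    Path                  = 'ou=IT,dc=Adatum,dc=com'
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true   # the administrator knows the initial password
    Enabled               = $true   # accepted only because a password is set
}
New-ADUser @newUser

# --- Case 2: an account that was created without a password ----------------
# New-ADUser "Jane Doe" -Department IT leaves the account disabled.
# Set a password first, then enable the account.
$janePassword = Read-Host -Prompt 'Initial password for Jane Doe' -AsSecureString
$jane = Get-ADUser -Filter 'Name -eq "Jane Doe"'

if ($jane) {
    Set-ADAccountPassword -Identity $jane -Reset -NewPassword $janePassword
    Set-ADUser -Identity $jane -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $jane
}

# --- Verify ------------------------------------------------------------------
# Enabled is in the default property set; Department must be requested.
Get-ADUser -Filter 'Department -eq "IT"' -Properties Department |
    Select-Object Name, SamAccountName, Enabled, Department
```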

Group management cmdlets

The management of Active Directory groups closely relates to the management of users. You can use Windows
PowerShell cmdlets to create and delete groups and to modify group properties. You can also use these cmdlets
to change the members who are assigned to a group. Additionally, you can use some cmdlets to modify the
groups that are assigned to a user or another Active Directory object.

Managing groups

Cmdlets for modifying groups have the text “group” in their names. Those that modify group membership by
adding members to a group, for example, have the text “groupmember” in their names. Cmdlets that modify the
groups that a user, computer, or other Active Directory object is a member of have the text
“principalgroupmembership” in their names.

The following table lists some cmdlets for managing groups.

Cmdlet Description

New-ADGroup Creates a new group

Set-ADGroup Modifies properties of a group

Get-ADGroup Displays properties of a group

Remove-ADGroup Deletes a group

Add-ADGroupMember Adds members to a group

Get-ADGroupMember Displays members of a group

Remove-ADGroupMember Removes members from a group

Add-ADPrincipalGroupMembership Adds group membership to an object

Get-ADPrincipalGroupMembership Displays group membership of an object

Remove-ADPrincipalGroupMembership Removes group membership from an object

Creating new groups

You can use the New-ADGroup cmdlet to create groups. However, when you create groups by using the
New-ADGroup cmdlet, you must use the -GroupScope parameter in addition to the group name. This is the only
required parameter. The following table lists common parameters for New-ADGroup.

Parameter Description

-Name Defines the name of a group

-GroupScope Defines the scope of a group as DomainLocal, Global, or Universal; you must
provide this parameter

-DisplayName Defines the Lightweight Directory Access Protocol (LDAP) display name for an
object

-GroupCategory Defines whether a group is a security group or a distribution group; if you do not
specify either, a security group is created

-ManagedBy Defines a user or group that can manage a group

-Path Defines the OU or container in which a group is created

-SamAccountName Defines a name that is backward-compatible with older operating systems

To create a new group named FileServerAdmins, type the following command in the console, and then press
Enter:

New-ADGroup -Name FileServerAdmins -GroupScope Global

Managing group membership

As mentioned earlier, you can use the *-ADGroupMember or the *-ADPrincipalGroupMembership cmdlets to
manage group membership in two different ways. The difference between the two is a matter of focusing on an
object and modifying the groups to which it belongs, or focusing on the group and modifying the members that
belong to it. Additionally, you can choose which set to use based on the decision to pipe a list of members to the
command or provide a list of members.

Note: You will learn about piping in Module 4, “Understanding how the pipeline works”.

• *-ADGroupMember cmdlets modify the membership of a group. For example, you can add
or remove members of a group.

o You can pass a list of groups to these cmdlets.

o You cannot pipe a list of members to these cmdlets.

• *-ADPrincipalGroupMembership cmdlets modify the group membership of an object such
as a user. For example, you can change a user account to add it as a member of a group.

o You cannot provide a list of groups to these cmdlets.

o You can pipe a list of members to these cmdlets.

Note: Use *-ADGroupMember when speed is important because membership is modified as a single
operation in AD DS. Loop operations, such as piping, change membership as a series of operations.
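
The following added example (not part of the course material) uses both cmdlet families to review the HelpDesk group: the group-centric cmdlets reconcile its members against an approved list, and the object-centric cmdlet then lists every group each approved account belongs to. The approved list and the $apply switch are assumptions made for this example.

```powershell
# Added example, not part of the course material. Requires the ActiveDirectory
# module and permission to modify the group.
Import-Module ActiveDirectory

$group    = 'HelpDesk'
# Constructed sample: the identities used in this lesson's demonstration,
# assumed here to be the accounts' SAM account names.
$approved = @('Lara', 'Jane Doe')
# Safety switch: while $false, the changes below run with -WhatIf and only
# report what they would do.
$apply    = $false

# Group-centric view: the user accounts that are direct members of the group.
$current = @(Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

$toAdd    = @($approved | Where-Object { $_ -notin $current })
$toRemove = @($current  | Where-Object { $_ -notin $approved })

# *-ADGroupMember takes the whole list in -Members, so each change is one
# update to the group rather than one update per user.
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd -WhatIf:(-not $apply)
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $group -Members $toRemove `
        -Confirm:$false -WhatIf:(-not $apply)
}

# Object-centric view: every group each approved account belongs to, which
# shows memberships that a review of the HelpDesk group alone would miss.
foreach ($user in $approved) {
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        User   = $user
        Groups = ($groups | Sort-Object) -join ', '
    }
}
```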

Demonstration: Managing users and groups


In this demonstration, you will see how to:

• Create a new global group in the IT department.

• Create a new user in the IT department.

• Add two users from the IT department to the HelpDesk group.

• Set the address for all HelpDesk group users.

• Verify the group membership for the new user.

• Verify the updated user properties.

Demonstration steps
Create a new global group in the IT department

1. On LON-CL1, start a Windows PowerShell session with elevated permissions.

2. Run the following command:

New-ADGroup -Name HelpDesk -Path "ou=IT,dc=Adatum,dc=com" -GroupScope Global

Create a new user in the IT department

• Run the following command:

New-ADUser -Name "Jane Doe" -Department "IT"

Add two users from the IT department to the HelpDesk group

• Run the following command:

Add-ADGroupMember "HelpDesk" -Members "Lara","Jane Doe"

Set the address for a HelpDesk group user

1. Run the following command:

Get-ADGroupMember HelpDesk

2. Run the following command:

Set-ADUser Lara -StreetAddress "1530 Nowhere Ave." -City "Winnipeg" -State "Manitoba" -Country "CA"

Verify the group membership for the new user

• Run the following command:

Get-ADPrincipalGroupMembership "Jane Doe"

Verify the updated user properties

• Run the following command:

Get-ADUser Lara -Properties StreetAddress,City,State,Country

Computer object management cmdlets

The Active Directory module also has cmdlets to create, modify, and delete computer accounts. You can use these
cmdlets for individual operations or as part of a script to perform bulk operations. The cmdlets for managing
computer objects have the text “computer” in their names.

The following table lists cmdlets that you can use to manage computer accounts.

Cmdlet Description

New-ADComputer Creates a new computer account

Set-ADComputer Modifies properties of a computer account

Get-ADComputer Displays properties of a computer account

Remove-ADComputer Deletes a computer account

Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain

Reset-ComputerMachinePassword Resets the password for a computer account

Creating new computer accounts

You can use the New-ADComputer cmdlet to create a new computer account before you join the computer to the
domain. You do this so that you can create the computer account in the correct OU before deploying the
computer.

The following table lists common parameters for New-ADComputer.

Parameter Description

-Name Defines the name of a computer account

-Path Defines the OU or container where a computer account is created

-Enabled Defines whether the computer account is enabled or disabled; by default, a
computer account is enabled and a random password is generated

The following is an example of a command that you can use to create a computer account:

New-ADComputer -Name LON-CL10 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Repairing the trust relationship for a computer account

You can use the Test-ComputerSecureChannel cmdlet with the -Repair parameter to repair a lost trust
relationship between a computer and a domain. You must run the cmdlet on the computer with the lost trust
relationship.

Account vs. device management cmdlets

*-ADComputer cmdlets are part of the Active Directory module and manage the computer object, not the
computer. *-Computer cmdlets manage the physical device. For example, you can use the Add-Computer
cmdlet to join a computer to a domain.

OU management cmdlets

Windows PowerShell provides cmdlets that you can use to create, modify, and delete OUs. Like the cmdlets for
users, groups, and computers, you can use these cmdlets for individual operations or as part of a script to
perform bulk operations.

OU management cmdlets have the text “organizationalunit” in the name. The following table lists the cmdlets that
you can use to manage OUs.

Cmdlet Description

New-ADOrganizationalUnit Creates an OU

Set-ADOrganizationalUnit Modifies properties of an OU

Get-ADOrganizationalUnit Displays properties of an OU

Remove-ADOrganizationalUnit Deletes an OU

Creating new OUs

You can use the New-ADOrganizationalUnit cmdlet to create a new OU to represent departments or physical
locations within your organization. The following table shows common parameters for the
New-ADOrganizationalUnit cmdlet.

Parameters Description

-Name Defines the name of a new OU

-Path Defines the location of a new OU

-ProtectedFromAccidentalDeletion Prevents anyone from accidentally deleting an OU; the default value is $true

The following is an example of a command to create a new OU:

New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true

Active Directory object cmdlets

You will sometimes need to manage Active Directory objects that do not have their own management cmdlets,
such as contacts. You might also want to manage multiple object types in a single operation, such as moving
users and computers from one OU to another OU. The Active Directory module provides cmdlets that allow you to
create, delete, and modify these objects and their properties. Because these cmdlets can manage all objects, they
repeat some functionality of the cmdlets for managing users, computers, groups, and OUs.

*-ADObject cmdlets sometimes perform faster than cmdlets that are specific to object type. This is because those
cmdlets add the cost of filtering the set of applicable objects to their operations.

Cmdlets for changing generic Active Directory objects have the text “Object” in the noun part of the name. The
following table lists some cmdlets for managing Active Directory objects.

Cmdlet Description

New-ADObject Creates a new Active Directory object

Set-ADObject Modifies properties of an Active Directory object

Get-ADObject Displays properties of an Active Directory object

Remove-ADObject Deletes an Active Directory object

Rename-ADObject Renames an Active Directory object

Restore-ADObject Restores a deleted Active Directory object from the Active Directory
Recycle Bin

Move-ADObject Moves an Active Directory object from one container to another
container

Sync-ADObject Syncs an Active Directory object between two domain controllers

Creating a new Active Directory object

You can use the New-ADObject cmdlet to create objects. When using New-ADObject, you must specify the
name and the object type. The following table lists common parameters for New-ADObject.

Parameter Description

-Name Defines the name of an object

-Type Defines the LDAP type of an object

-OtherAttributes Defines properties of an object that are not accessible from other parameters

-Path Defines the container in which an object is created

The following command creates a new contact object:

New-ADObject -Name "JohnSmithcontact" -Type contact

Demonstration: Managing Active Directory objects


In this demonstration, you will see how to:

• Create an Active Directory contact object that has no dedicated cmdlets.

• Verify the creation of the contact.

• Manage user properties by using Active Directory object cmdlets.

• Verify the property changes.

• Change the name of the HelpDesk group to SupportTeam.

• Verify the HelpDesk group name change.

Demonstration steps
Create an Active Directory contact object that has no dedicated cmdlets

1. On LON-CL1, start a Windows PowerShell session with elevated permissions.

2. Run the following command:

New-ADObject -Name JohnSmithcontact -Type contact -DisplayName "John Smith (Contoso.com)"

Verify the creation of the contact

• Run the following command:

Get-ADObject -Filter 'ObjectClass -eq "contact"'

Manage user properties by using Active Directory object cmdlets

• Run the following command:

Set-ADObject -Identity "CN=Lara Raisic,OU=IT,DC=Adatum,DC=com" -Description "Member of support team"

Verify the property changes

• Run the following command:

Get-ADUser Lara -Properties Description

Change the name of the HelpDesk group to SupportTeam

• Run the following command:

Rename-ADObject -Identity "CN=HelpDesk,OU=IT,DC=Adatum,DC=com" -NewName SupportTeam

Verify the HelpDesk group name change

• Run the following command:

Get-ADGroup HelpDesk

Note: The Name and DistinguishedName properties changed, but not the SAMAccountName
property.

Lesson 2: Network configuration cmdlets

Networking is another core functional area for administrators. In this lesson, you will learn about cmdlets for
configuring networking in Windows Server. Windows PowerShell provides cmdlets for managing all aspects of
Windows Server networks, including TCP/IP, Domain Name System (DNS), firewalls, and gateways. In addition to
the cmdlets for managing network features and components, the Test-NetConnection cmdlet is also available.
This cmdlet offers the same functionality as command-line interface tools such as Ping.exe and Telnet.exe, and
you can use it to diagnose network configuration settings.

Lesson objectives
After completing this lesson, students will be able to:

• Identify cmdlets for managing IP addresses.

• Describe how to change the default gateways.

• Describe how to modify DNS client configuration.

• List cmdlets for managing Windows Firewall.

• Configure network settings.

Managing IP addresses

Windows PowerShell offers a complete set of cmdlets for managing IP addresses on local and remote computers.
You can use cmdlets to add, remove, and change IP addresses.

IP address management cmdlets use the noun “netipaddress” in their names. You can also find them by using the
Get-Command command with the -Module NetTCPIP parameter.

The following table lists common cmdlets for managing IP addresses.

Cmdlet Description

New-NetIPAddress Creates a new IP address

Get-NetIPAddress Displays properties of an IP address

Set-NetIPAddress Modifies properties of an IP address

Remove-NetIPAddress Deletes an IP address

Creating new IP addresses

The New-NetIPAddress cmdlet requires an IPv4 or IPv6 address and either the alias or index of a network
interface. As a best practice, you should also set the default gateway and subnet mask at the same time.

The following table lists common parameters for New-NetIPAddress.

Parameter Description

-IPAddress Defines the IPv4 or IPv6 address to create

-InterfaceIndex Defines the network interface, by index, for the IP address

-InterfaceAlias Defines the network interface, by name, for the IP address

-DefaultGateway Defines the IPv4 or IPv6 address of the default gateway host

-PrefixLength Defines the subnet mask for the IP address

The following command creates a new IP address on the Ethernet interface:

New-NetIPAddress -IPAddress 192.168.1.10 -InterfaceAlias "Ethernet" -PrefixLength 24 -DefaultGateway 192.168.1.1

The New-NetIPAddress cmdlet also accepts the -AddressFamily parameter, which defines the IP address family.
If you do not use this parameter, the address family property is detected automatically.

Note: Windows Server 2012 and newer also introduced IP Address Management (IPAM) server features,
which include related cmdlets found in the IPAMServer module for Windows PowerShell. Those cmdlets
have the text “IPAM” in the noun part of the name.

Managing routing

IP routing forwards data packets based on the destination IP address. This routing is based on routing tables, and
while entries are made automatically, you might need to add, remove, or modify routing table entries manually. The
cmdlets for managing routing table entries have the noun “NetRoute” in the names.

The following table lists common cmdlets for managing routing table entries.

Cmdlet Description

New-NetRoute Creates an entry in the IP routing table

Get-NetRoute Retrieves an entry from the IP routing table

Set-NetRoute Modifies properties of an entry in the IP routing table

Remove-NetRoute Deletes an entry from the IP routing table

Find-NetRoute Identifies the best local IP address and route to reach a remote address

Creating an IP routing table entry

You can use the New-NetRoute cmdlet to create routing table entries. The New-NetRoute cmdlet requires you to
identify the network interface and destination prefix.

The following table lists common parameters for New-NetRoute.

Parameter Description

-DestinationPrefix Defines the destination prefix of an IP route

-InterfaceAlias Defines the network interface, by alias, for an IP route

-InterfaceIndex Defines the network interface, by index, for an IP route

-NextHop Defines the next hop for an IP route

-RouteMetric Defines the route metric for an IP route

The following command creates an IP routing table entry:

New-NetRoute -DestinationPrefix 0.0.0.0/0 -InterfaceAlias "Ethernet" -NextHop 192.168.1.1

Managing DNS clients

Managing DNS clients, including DNS servers and domain controllers, is essential to the health of your network.
Windows PowerShell offers cmdlets for managing DNS client settings and the client resolve cache, and for
securing DNS clients.

DNS client management cmdlets are part of the DNSClient module for Windows PowerShell and have the text
“DnsClient” in the noun part of the name.

The following table lists common cmdlets for modifying client settings.

Cmdlet Description

Get-DnsClient Gets details about a network interface

Set-DnsClient Sets DNS client configuration settings for a network interface

Get-DnsClientServerAddress Gets the DNS server address settings for a network interface

Set-DnsClientServerAddress Sets the DNS server address for a network interface

Note: Set-DnsClient requires that you identify the interface by its alias or index.

The following command sets the connection-specific suffix for an interface:

Set-DnsClient -InterfaceAlias Ethernet -ConnectionSpecificSuffix "adatum.com"

Managing Windows Firewall

Proper administration of Windows Firewall settings is essential to improving the security of networks and
computers. You can use some Windows PowerShell cmdlets to manage firewall settings and rules.

You can find the cmdlets for managing Windows Firewall in the NetSecurity module for Windows PowerShell. The
cmdlets have the text “NetFirewall” in their names, and the cmdlets for firewall rule management use the noun
“NetFirewallRule.”

The following table lists most of the cmdlets for managing firewall settings and rules.

Cmdlet Description

New-NetFirewallRule Creates a new firewall rule

Set-NetFirewallRule Sets properties for a firewall rule

Get-NetFirewallRule Gets properties for a firewall rule

Remove-NetFirewallRule Deletes a firewall rule

Rename-NetFirewallRule Renames a firewall rule

Copy-NetFirewallRule Makes a copy of a firewall rule

Enable-NetFirewallRule Enables a firewall rule

Disable-NetFirewallRule Disables a firewall rule

Get-NetFirewallProfile Gets properties for a firewall profile

Set-NetFirewallProfile Sets properties for a firewall profile

You can use the Get-NetFirewallRule cmdlet to retrieve settings for firewall rules. You can enable and disable
rules by using one of the following:

• The Set-NetFirewallRule cmdlet with the -Enabled parameter

• The Enable-NetFirewallRule or Disable-NetFirewallRule cmdlets.

The following commands both enable firewall rules in the group Remote Access:

Enable-NetFirewallRule -DisplayGroup "Remote Access"

and

Set-NetFirewallRule -DisplayGroup "Remote Access" -Enabled True
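
The following added example (not part of the course material) reviews the firewall before a rule group is enabled: it lists the profile defaults and the enabled inbound allow rules with their ports, then shows the rules in the Remote Access group and previews the change with -WhatIf. Get-RuleSummary is a hypothetical helper defined for this example, and the Remote Access display group from the commands above is assumed to exist on the computer.

```powershell
# Added example, not part of the course material. Run in an elevated session;
# the cmdlets come from the NetSecurity module.

# Hypothetical helper for this example: one row per rule, joined with the
# protocol and local port from the rule's port filter.
function Get-RuleSummary {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $port = $Rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName  = $Rule.DisplayName
            DisplayGroup = $Rule.DisplayGroup
            Enabled      = $Rule.Enabled
            Direction    = $Rule.Direction
            Action       = $Rule.Action
            Profile      = $Rule.Profile
            Protocol     = $port.Protocol
            LocalPort    = $port.LocalPort -join ','
        }
    }
}

# 1. Profile defaults: is each profile on, and what happens to traffic that
#    matches no rule?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. What is allowed in right now: enabled inbound allow rules and their ports.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-RuleSummary |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName, Profile, Protocol, LocalPort -AutoSize

# 3. What enabling the group would add: every rule in the group, whether or
#    not it is enabled yet, with direction, action and ports.
Get-NetFirewallRule -DisplayGroup 'Remote Access' |
    Get-RuleSummary |
    Format-Table DisplayName, Enabled, Direction, Action, Protocol, LocalPort -AutoSize

# 4. Preview the change. -WhatIf reports the rules that would be enabled
#    without modifying them; remove it to apply the change.
Enable-NetFirewallRule -DisplayGroup 'Remote Access' -WhatIf
```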

Demonstration: Configuring network settings


In this demonstration, you will see how to:

• Test the network connection to LON-DC1.

• View the network configuration for LON-CL1.

• Change the client IP address.

• Change the DNS server for LON-CL1.

• Change the default gateway for LON-CL1.

• Confirm the network configuration changes.

• Test the effect of the changes.

Demonstration steps
Test the network connection to LON-DC1

• Run the following command:

Test-Connection LON-DC1

Note: Note the speed of the connection so that you can compare it to the speed after you make
changes.

View the network configuration for LON-CL1

• Run the following command:

Get-NetIPConfiguration

Note: Note the IP address, default gateway, and DNS server.

Change the client IP address

1. Run the following command:

New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.0.30 -PrefixLength 16

2. In the Administrator: Windows PowerShell window, type the following command, and
then press Enter:

Remove-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.0.40

3. Type Y and press Enter twice to confirm the change.

Change the DNS server for LON-CL1

• Run the following command:

Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddress 172.16.0.11

Change the default gateway for LON-CL1

1. Run the following command:

Remove-NetRoute -InterfaceAlias Ethernet -DestinationPrefix 0.0.0.0/0

2. Type Y and press Enter twice to confirm the change.

3. Run the following command:

New-NetRoute -InterfaceAlias Ethernet -DestinationPrefix 0.0.0.0/0 -NextHop 172.16.0.2

Confirm the network configuration changes


• Run the following command:

Get-NetIPConfiguration

Test the effect of the changes

• Run the following command:

Test-Connection LON-DC1

Note: It now takes much longer to receive a response from LON-DC1.
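The before-and-after comparison in this demonstration can be captured as data instead of noted by hand. The following is an added example, not part of the course text; the function name Get-NetSnapshot is hypothetical, and the ResponseTime property assumes Windows PowerShell 5.1.

```powershell
# Added example: snapshot the settings that the demonstration changes.
function Get-NetSnapshot {
    param(
        [string]$InterfaceAlias = 'Ethernet',   # interface used in the demonstration
        [string]$PingTarget     = 'LON-DC1'     # host used in the demonstration
    )

    $ip   = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $gw   = Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
                -ErrorAction SilentlyContinue
    $dns  = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $ping = Test-Connection -ComputerName $PingTarget -Count 4 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        IPAddress  = ($ip | ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }) -join ', '
        Gateway    = $gw.NextHop -join ', '
        DnsServers = $dns.ServerAddresses -join ', '
        # Average round-trip time in milliseconds; $null if no reply was received.
        AvgPingMs  = if ($ping) {
                         ($ping | Measure-Object -Property ResponseTime -Average).Average
                     } else { $null }
    }
}

$before = Get-NetSnapshot

# Run the demonstration's New-NetIPAddress, Remove-NetIPAddress,
# Set-DnsClientServerAddress, Remove-NetRoute and New-NetRoute commands here.

$after = Get-NetSnapshot

# One row per setting, showing the old value, the new value, and whether it changed.
foreach ($name in 'IPAddress', 'Gateway', 'DnsServers', 'AvgPingMs') {
    [pscustomobject]@{
        Setting = $name
        Before  = $before.$name
        After   = $after.$name
        Changed = ($before.$name -ne $after.$name)
    }
}
```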

Lesson 3: Other server administration cmdlets

Windows PowerShell offers many cmdlets that you can use to manage Windows features and services. Teaching
you every available cmdlet is beyond the scope of this course; however, this course will familiarize you with the
cmdlets that you are most likely to need in your work. In this lesson, you will learn about other cmdlets to
administer Group Policy, Server Manager, Hyper-V, and Internet Information Services (IIS).

Lesson objectives
After completing this lesson, students will be able to:

• Describe the cmdlets for managing Group Policy.

• Describe the cmdlets for managing server features, roles, and services.

• Describe the cmdlets for managing Hyper-V and virtual machines (VMs).

• Describe the cmdlets for managing IIS.

Group Policy management cmdlets


You can use Windows PowerShell to automate the management of most tasks involving Group Policy Objects
(GPOs), including creating, deleting, backing up, reporting, and importing GPOs. You can also associate GPOs
with AD DS containers, and you can set GPO inheritance and permissions on AD DS OUs.

Group Policy management cmdlets require Windows Server 2008 R2 or newer, or Windows 7 or newer with
Remote Server Administration Tools installed. Group Policy management cmdlets are part of the GroupPolicy
module for Windows PowerShell. Cmdlet names include the prefix “GP,” and most have “GPO” as
the noun.

The following table lists some common GPO cmdlets.

Cmdlet Description

New-GPO Creates a new GPO

Get-GPO Retrieves a GPO

Set-GPO Modifies properties of a GPO

Remove-GPO Deletes a GPO

Rename-GPO Renames a GPO

Backup-GPO Backs up one or more GPOs in a domain

Copy-GPO Copies a GPO from one domain to another domain


Restore-GPO Restores a GPO from backup files

New-GPLink Links a GPO to an AD DS container

Import-GPO Imports GPO settings from a backed-up GPO

Set-GPRegistryValue Configures one or more registry-based policy settings in a GPO

New-GPO requires only the -Name parameter, which must be unique in the domain in which you create the GPO.
By default, the GPO is created in the domain of the user who is running the command. New-GPO also does not
link the created GPO to an AD DS container.

The following command creates a new GPO from a starter GPO:

New-GPO -Name “IT Team GPO” -StarterGPOName “IT Starter GPO”

The following command links the new GPO to an AD DS container:

New-GPLink -Name “IT Team GPO” -Target “OU=IT,DC=adatum,DC=com”
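Because New-GPO leaves the GPO unlinked, the settings inherited from the starter GPO can be reviewed before they apply to any computer or user. The following is an added example, not part of the course text; it reuses the GPO and OU names above, and the folder C:\GPOReview is an assumption made for this example.

```powershell
# Added example: create, review, back up, and stage a GPO before it takes effect.
Import-Module GroupPolicy

$gpoName   = 'IT Team GPO'              # from the course text
$starter   = 'IT Starter GPO'           # from the course text
$target    = 'OU=IT,DC=adatum,DC=com'   # from the course text
$reviewDir = 'C:\GPOReview'             # assumed folder for this example

New-Item -Path $reviewDir -ItemType Directory -Force | Out-Null

# 1. Create the GPO. It is not linked to any container at this point.
$gpo = New-GPO -Name $gpoName -StarterGpoName $starter

# 2. Write an HTML report of its settings so they can be reviewed.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $reviewDir "$gpoName.html")

# 3. List who holds permissions on the new GPO.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission

# 4. Keep a backup that Restore-GPO or Import-GPO can use later.
Backup-GPO -Guid $gpo.Id -Path $reviewDir -Comment 'Baseline before first link'

# 5. Create the link in a disabled state so nothing applies yet.
New-GPLink -Guid $gpo.Id -Target $target -LinkEnabled No

# 6. Check the link order and state on the OU.
(Get-GPInheritance -Target $target).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 7. After the review, enable the link.
Set-GPLink -Guid $gpo.Id -Target $target -LinkEnabled Yes
```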

Server Manager cmdlets


The ServerManager module for Windows PowerShell contains cmdlets for managing server features, roles, and
services. These cmdlets are the equivalent of the Server Manager user interface. The Server Manager cmdlet
names include the noun “WindowsFeature.”

The following table lists the server management cmdlets.

Cmdlet Description

Get-WindowsFeature Gets information about Windows Server roles, services, and features that are
installed or are available for installation

Install-WindowsFeature Installs one or more roles, services, or features

Uninstall-WindowsFeature Uninstalls one or more roles, services, or features

The Install-WindowsFeature and Uninstall-WindowsFeature cmdlets require Windows Server 2012 R2 or
newer, or Windows 8 or newer. In Windows Server 2008 R2 and Windows 7, the equivalent cmdlets are
Add-WindowsFeature and Remove-WindowsFeature.

Note: On systems that support Install-WindowsFeature and Uninstall-WindowsFeature, the
commands Add-WindowsFeature and Remove-WindowsFeature are still available as aliases that point
to the newer commands.

The following command installs network load balancing on the local server:


Install-WindowsFeature “nlb”

Hyper-V cmdlets

Windows PowerShell offers more than 160 cmdlets for managing Hyper-V VMs, virtual hard disks, and other
components of a Hyper-V environment. Hyper-V cmdlets are available in the Hyper-V module for Windows
PowerShell.

You can install the Hyper-V module from within Windows PowerShell by installing the Windows feature. To do so,
type the following command in the console, and then press Enter:

Enable-WindowsOptionalFeature -Feature Microsoft-Hyper-V-Management-PowerShell -Online

Hyper-V cmdlets use one of three prefixes:

• “VM” for VM cmdlets

• “VHD” for virtual hard disk cmdlets

• “VFD” for virtual floppy disk cmdlets


The following table lists common cmdlets for managing Hyper-V VMs.

Cmdlet Description

Get-VM Gets properties of a VM

Set-VM Sets properties of a VM

New-VM Creates a new VM

Start-VM Starts a VM

Stop-VM Stops a VM

Restart-VM Restarts a VM

Suspend-VM Pauses a VM

Resume-VM Resumes a paused VM

Import-VM Imports a VM from a file

Export-VM Exports a VM to a file

Checkpoint-VM Creates a checkpoint of a VM

IIS management cmdlets

The Web server role is one of the most common server roles that administrators must manage. IIS cmdlets allow
you to configure and manage application pools, websites, web applications, and virtual directories.

IIS management cmdlets are available in the WebAdministration module for Windows PowerShell and have the
prefix “Web” in the noun part of their names. Cmdlets for managing application pools use the noun
“WebAppPool,” applications use the noun “WebApplication,” and sites use the noun “WebSite.”

The following table lists common IIS management cmdlets.

Cmdlet Description

New-WebSite Creates a new IIS website

Get-WebSite Gets properties about an IIS website

Start-WebSite Starts an IIS website

Stop-WebSite Stops an IIS website

New-WebApplication Creates a new web application

Remove-WebApplication Deletes a web application

New-WebAppPool Creates a new web application pool

Restart-WebAppPool Restarts a web application pool

To create a new IIS website, type the following command in the console, and then press Enter:

New-WebSite “London” -PhysicalPath C:\inetpub\wwwroot\london -IPaddress 172.16.0.15 -ApplicationPool LondonAppPool

Note: The WebAdministration module represents IIS as a PSDrive, which you can navigate by using the
Set-Location IIS:\ command. This allows you to navigate the IIS structure by using cmdlets such as
Get-ChildItem. You will learn more about PSDrives in Module 5, “Using PSProviders and PSDrives”.

Lab: Windows administration

Scenario
You work for Adatum Corporation on the server support team. One of your first assignments is to configure the
infrastructure service for a new branch office. Policy requires that you complete the tasks by using Windows
PowerShell.

Objectives
After completing this lab, you will have:


• Created and managed Active Directory objects by using Windows PowerShell.

• Configured network settings on Windows Server by using Windows PowerShell.

• Created an IIS website by using Windows PowerShell.

Lab setup

Estimated time: 60 minutes

Virtual machines: 10961C-LON-DC1, 10961C-LON-SVR1, and 10961C-LON-CL1

User name: Adatum\Administrator

Password: Pa55w.rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, select 10961C-LON-DC1, and then in the Actions pane, select
Start.

3. In the Actions pane, select Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Administrator

o Password: Pa55w.rd

o Domain: ADATUM

5. Repeat steps 2 through 4 for 10961C-LON-SVR1 and 10961C-LON-CL1.

Exercise 1: Creating and managing Active Directory objects

Scenario

In this exercise, you will create and manage Active Directory objects to create an OU for a branch office, along
with groups for OU administrators. You will create accounts for a user and computer in the branch office, in the
default OU, and add the user to the administrators group. You will later move the user and computer to the OU
that you created for the branch office. You will use individual Windows PowerShell commands to accomplish these
tasks from a client computer.


The main tasks for this exercise are as follows:

1. Create a new organizational unit (OU) for a branch office

2. Create a group for branch office administrators

3. Create a user and computer account for the branch office

4. Move the group, user, and computer accounts to the branch office OU

Task 1: Create a new organizational unit (OU) for a branch office

• From LON-CL1, use Windows PowerShell to create a new OU named London.

Task 2: Create a group for branch office administrators

• In the London OU, create the London Admins global security group.

Task 3: Create a user and computer account for the branch office

1. In the PowerShell console, create a user account for the user Ty Carlson.

2. Add the user to the London Admins group.

3. Create a computer account for the LON-CL2 computer.

Task 4: Move the group, user, and computer accounts to the branch office OU

• Use Windows PowerShell to move the following group, user, and computer accounts to the
London OU:

o London Admins

o Ty Carlson


o LON-CL2

Result: After completing this exercise, you will have successfully identified and used commands for managing
Active Directory objects in the Windows PowerShell command-line interface.

Exercise 2: Configuring network settings on Windows Server

Scenario

In this exercise, you will configure network settings on Windows Server. You will test network connectivity before
and after making changes to view the effect. You will use individual Windows PowerShell commands to
accomplish these tasks on the server.

The main tasks for this exercise are as follows:

1. Test the network connection and view the configuration

2. Change the server IP address

3. Change the DNS settings and default gateway for the server

4. Verify and test the changes

Task 1: Test the network connection and view the configuration

1. Switch to LON-SVR1.

2. Open Windows PowerShell.

3. Test the connection to LON-DC1, and then note the speed of the test.

4. View the network configuration for LON-SVR1.

5. Note the IP address, default gateway, and DNS server.

Task 2: Change the server IP address

• Use Windows PowerShell to change the IP address for the Ethernet network interface to
172.16.0.15/16.

Task 3: Change the DNS settings and default gateway for the server

1. Change the DNS settings of the Ethernet network interface to point at 172.16.0.12.

2. Change the default gateway for the Ethernet network interface to 172.16.0.2.

Task 4: Verify and test the changes

1. On LON-SVR1, verify the changes to the network configuration.

2. Test the connection to LON-DC1, and then note the difference in the test speed.

Result: After completing this exercise, you will have successfully identified and used Windows PowerShell
commands for managing network configuration.

Exercise 3: Creating a website

Scenario

In this exercise, you will install the IIS server and create a new internal website for the London branch. You will use
individual Windows PowerShell commands to accomplish these tasks on the server.

The main tasks for this exercise are as follows:

1. Install IIS on the server

2. Create a folder on the server for the website files

3. Create a new application pool for the website

4. Create the IIS website

5. Prepare for the next module

Task 1: Install IIS on the server


• Use Windows PowerShell to install IIS on LON-SVR1.

Task 2: Create a folder on the server for the website files

• On LON-SVR1, use PowerShell to create a folder named London under C:\inetpub\wwwroot
for the website files.

Task 3: Create a new application pool for the website

• On LON-SVR1, use PowerShell to create an application pool for the site named
LondonAppPool.

Task 4: Create the IIS website

1. On LON-SVR1, use PowerShell to create the IIS website by using the following
configuration:

o Name: London

o Physical path: The folder that you created earlier

o IP address: The current IP address of LON-SVR1

o Application pool: LondonAppPool

2. Open the website in Internet Explorer by using the IP address, and then verify that the
site is using the provided settings.

Note: Internet Explorer displays an error message. The error message details give the
physical path of the site, which should be C:\inetpub\wwwroot\london.

Task 5: Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state. To do this, perform
the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10961C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10961C-LON-SVR1 and 10961C-LON-CL1.

Result: After completing this exercise, you will have successfully identified and used Windows PowerShell
commands that would be used as part of a standardized Web server configuration.

Review Question(s)

Module review and takeaways

Best Practice: Be sure to run the Update-Help command periodically so that you have the most up-to-
date help for Windows PowerShell commands.

Common Issues and Troubleshooting Tips

Common Issue: When I run the Get-Help command for a cmdlet with the -Example parameter, I do not see any
examples.
Troubleshooting Tip: Please see Student Companion Content for this course.

Common Issue: I update the Windows PowerShell version on my system, but a new command does not appear to
do anything.
Troubleshooting Tip: Please see Student Companion Content for this course.

Review Question(s)
