
Lab Module 5

The document provides lab instructions for automating Active Directory administration using PowerShell, divided into two main modules: managing users and groups, and managing computers and other directory objects. Each module contains exercises that guide users through tasks such as retrieving user lists, resetting passwords, generating reports, and ensuring organizational units are protected against accidental deletion. The labs are designed for Active Directory administrators to streamline their administrative tasks and improve efficiency.

Uploaded by

shrikantnpar

Lab Instructions: Automating Active Directory® Administration

Module 5

Contents:
i. Lab A: Managing Users and Groups
a) Exercise 1: Retrieving a Filtered List of Users from Active Directory
b) Exercise 2: Resetting User Passwords and Address Information
c) Exercise 3: Disabling Users That Belong to a Specific Group

ii. Lab B: Managing Computers and Other Directory Objects
a) Exercise 1: Listing All Computers That Appear to Be Running a Specific
Operating System According to Active Directory Information
b) Exercise 2: Creating a Report Showing All Windows Server 2008 R2 Servers
c) Exercise 3: Discovering Any Organizational Units That Aren’t Protected Against
Accidental Deletion
Lab A: Managing Users and Groups
Estimated time: 30 minutes
You are an Active Directory administrator and want to manage your users and groups via
PowerShell. You recently upgraded your domain controller to Windows Server 2008 R2 and
want to try the new PowerShell Active Directory cmdlets that came with it. In order to handle
internal tasks more quickly and be prepared to automate them, you want to learn how to find
information in Active Directory as well as how to accomplish basic tasks such as resetting users'
passwords, disabling users, and moving objects in Active Directory.

Lab Setup
Before you begin the lab you must:
1. Start the AD virtual machine and log on with the following credentials:
• Username: NEWHORIZONS\administrator
• Password: Passw0rd
2. Open the Windows PowerShell console. All commands will be run within the Windows
PowerShell console.
3. In the Windows PowerShell console, execute the following command:
• Set-ExecutionPolicy RemoteSigned
Lab A: Exercise 1: Retrieving a Filtered List of Users from Active Directory

Scenario
You want to manage your users and groups via PowerShell. To begin, you want to use Windows
PowerShell to retrieve a filtered list of users from Active Directory.

The main tasks for this exercise are as follows:


1. List all modules installed on the local system.
2. Import the Active Directory module and populate the Active Directory Environment.
3. List all commands in the Active Directory module.
4. Retrieve all users matching a specific city and title by using server-side filtering.

Task 1: List all modules installed on the local system
1. Read the help documentation and examples for the Get-Module command to familiarize
yourself with how it works.
2. Show a list of all modules installed on the AD computer by using Get-Module with the
ListAvailable parameter.

Task 2: Import the Active Directory module and populate the Active Directory environment
1. Read the help documentation and examples for the Import-Module command so that you
understand how it works.
2. Use the Import-Module command to import the Active Directory module into your current
PowerShell session.
3. In the Windows PowerShell console execute the following command:
Lab_05_setup.ps1.
Task 3: List all commands in the Active Directory module
• Use Get-Command to retrieve a list of all commands that were loaded when you imported the
Active Directory module.

Task 4: Retrieve all users matching a specific city and title by using server-side filtering
1. Read the help documentation and examples for the Get-ADUser command to learn how you
can use it to retrieve Active Directory users. Pay extra attention to the -filter parameter.
2. Invoke Get-ADUser with no parameters to see which parameters are required and learn how
to use them.
3. Retrieve a list of all Active Directory users whose office attribute has a value of “Bellevue.”
4. Retrieve a list of all Active Directory users whose office attribute has a value of “Bellevue”
and whose title attribute has a value of “PowerShell Scripter.”

Results: After this exercise you should have successfully imported the Active Directory module
into PowerShell and used it to retrieve a filtered list of users from Active Directory.
Lab A: Exercise 2: Resetting User Passwords and Address Information

Scenario
You are working in Bellevue, Washington, and you are automating some Active Directory tasks
using PowerShell. You need to reset user passwords and change address information for some
remote users.

The main tasks for this exercise are as follows:


1. Retrieve a list of remote users.
2. Reset remote user passwords to a specific password.
3. Change remote user address information to your local Bellevue, Washington office.

Task 1: Retrieve a list of remote users
• Use Get-ADUser with the -filter parameter to retrieve a list of users whose office attribute is
not set to “Bellevue.”

Task 2: Reset remote user passwords to a specific password
1. Review the documentation and examples for the Read-Host and Set-ADAccountPassword
commands. Pay close attention to the AsSecureString parameter for Read-Host and the Reset
and NewPassword parameters for Set-ADAccountPassword.
2. Pass the list of users whose office is not “Bellevue” to the Set-ADAccountPassword command
and use it with Read-Host to set their passwords to a password of Pa$$w0rd that you are
prompted to enter in PowerShell.
Task 3: Change remote user address information to your local Bellevue, Washington office
1. Look up the help documentation for the Properties parameter of Get-ADUser.
2. Retrieve a list of users whose office is not “Bellevue.” When retrieving the users, use the
Properties parameter to retrieve the Office, StreetAddress, City, State, Country/Region, and
PostalCode attributes. Show the results in a table containing SamAccountName along with the
other attributes you specified in the Properties parameter.
3. Read the help documentation and examples for the Set-ADUser cmdlet.
4. Pass the results of the Get-ADUser command you just used to the Set-ADUser command, and
set the following values:
Office: Bellevue
StreetAddress: 2345 Main St.
City: Bellevue
State: WA
Country: US
PostalCode: 95102

Results: After this exercise, you should be able to reset passwords and modify attributes for a
filtered list of Active Directory users.
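
An added example, not part of the original lab handout, that carries out Tasks 1 to 3 with a preview switch. It assumes the lab's domain and the ActiveDirectory module; the $preview variable is illustrative. Because a "not equal" filter also matches accounts with no Office value at all, which in a real domain can include built-in and service accounts, the target list is printed before anything is changed.

```powershell
Import-Module ActiveDirectory

# Illustrative switch: set to $false only after reviewing the preview output.
$preview = $true

# -ne also matches accounts that have no Office value, so list the targets first.
$remoteUsers = @(Get-ADUser -Filter 'Office -ne "Bellevue"' `
    -Properties Office, StreetAddress, City, State, Country, PostalCode)
$remoteUsers |
    Format-Table SamAccountName, Office, StreetAddress, City, State, Country, PostalCode -AutoSize

# The password is typed at a prompt and held as a SecureString,
# so it is never written into the script or the command line.
$newPassword = Read-Host -Prompt 'New password for remote users' -AsSecureString

# -Reset sets the password administratively, without needing the old one.
$remoteUsers | Set-ADAccountPassword -Reset -NewPassword $newPassword -WhatIf:$preview

# Apply the Bellevue office address from Task 3 to the same users.
$remoteUsers | Set-ADUser -Office 'Bellevue' -StreetAddress '2345 Main St.' -City 'Bellevue' `
    -State 'WA' -Country 'US' -PostalCode '95102' -WhatIf:$preview
```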
Lab A: Exercise 3: Disabling Users That Belong to a Specific Group

Scenario
Your organization has recently terminated a project at work called “CleanUp” and you need to
disable all users that belong to the Active Directory group corresponding to the project.

The main tasks for this exercise are as follows:


1. Retrieve a list of all Active Directory groups.
2. Retrieve a specific Active Directory group named “CleanUp.”
3. Retrieve a list of members in the Active Directory group named “CleanUp.”
4. Disable the members of the Active Directory group named “CleanUp.”

Task 1: Retrieve a list of all Active Directory groups
1. Read the documentation and examples for the Get-ADGroup cmdlet.
2. Retrieve a list of all Active Directory groups by using the Get-ADGroup cmdlet.

Task 2: Retrieve a specific Active Directory group named “CleanUp”
• Retrieve the Active Directory group named “CleanUp” by using the Get-ADGroup cmdlet.

Task 3: Retrieve a list of members in the Active Directory group named “CleanUp”
1. Read the help documentation and examples for the Get-ADGroupMember cmdlet.
2. Use the Get-ADGroup and Get-ADGroupMember cmdlets to retrieve a list of the members
in the Active Directory group named “CleanUp.”

Task 4: Disable the members of the Active Directory group named “CleanUp”
1. Read the help documentation and examples for the Disable-ADAccount cmdlet.
2. Use the Disable-ADAccount cmdlet with the WhatIf parameter and the list of members of
the Active Directory group named “CleanUp” to see what would happen if you were to disable
the members in that group.
3. Repeat the last command without the WhatIf parameter to actually disable the group
members.

Results: After this exercise, you should know how to retrieve groups from Active Directory,
view their membership, and disable user accounts.
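
An added example, not part of the original lab handout, that walks through Tasks 2 to 4 and records the accounts' state before the change. It assumes the lab's domain and the ActiveDirectory module; the CSV path is an assumption made for this example.

```powershell
Import-Module ActiveDirectory

# Get-ADGroupMember returns direct members only (add -Recursive to expand nested groups).
# Groups can also contain computers and other groups, so keep only user objects.
$members = @(Get-ADGroup -Identity 'CleanUp' | Get-ADGroupMember |
    Where-Object { $_.objectClass -eq 'user' })

# Record the current state so the change can be reviewed or reversed later.
# The CSV path is an assumption for this example.
$members | Get-ADUser | Select-Object SamAccountName, Enabled, DistinguishedName |
    Export-Csv -Path C:\CleanUp-before.csv -NoTypeInformation

# Dry run: prints one "What if" line per account and changes nothing.
$members | Disable-ADAccount -WhatIf

# Actual change, then confirm that no member still reports Enabled = True.
$members | Disable-ADAccount
$stillEnabled = @($members | Get-ADUser | Where-Object { $_.Enabled })
"Accounts still enabled: {0}" -f $stillEnabled.Count
```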
Lab B: Managing Computers and Other Directory Objects
Estimated time: 20 minutes
As an Active Directory administrator, in addition to managing users and groups, you need to
monitor the servers in your organization. Active Directory contains details identifying servers,
and you want to use those details to discover servers and generate reports. To meet new security
policies, your company has decided to put more stringent password policies in place. You need
to create fine-grained password policies for your organization and heard that PowerShell was the
only way to do so. Also, as a senior IT administrator responsible for a team, you want to make
sure that your team members don’t accidentally delete important information in Active
Directory. You want to use a new feature for organizational units (OUs) that protects them from
accidental deletion.

Lab Setup
Before you begin the lab you must:
1. Start the AD virtual machine and log on with the following credentials:
• Username: NEWHORIZONS\administrator
• Password: Passw0rd
2. Open Windows PowerShell. All PowerShell commands will be run within the Windows
PowerShell console.
Lab B: Exercise 1: Listing All Computers That Appear to Be Running a Specific Operating
System According to Active Directory Information

Scenario
As an Active Directory administrator, in addition to managing users and groups you also need to
monitor the servers in your organization. Active Directory contains details identifying servers,
and you want to use those details to discover servers.

The main tasks for this exercise are as follows:


1. Import the Active Directory module.
2. List all of the properties for one AD computer object.
3. Find any properties containing operating system information on an AD computer.
4. Retrieve all computers running a specific operating system.

Task 1: Import the Active Directory module
• Import the Active Directory module into your current PowerShell session.

Task 2: List all of the properties for one AD computer object
1. Read the help documentation and examples for the Get-ADComputer cmdlet.
2. Show all properties for one computer from Active Directory using the Get-ADComputer
cmdlet with the -filter, Properties, and ResultSetSize parameters.

Task 3: Find any properties containing operating system information on an AD computer
• Get one computer from Active Directory and show all properties containing operating system
information.

Task 4: Retrieve all computers running a specific operating system
1. Get a list of all computers running “Windows Server 2008 R2” using Get-ADComputer with
the -filter parameter.
2. Repeat the last command but include the OperatingSystem property in the objects that are
returned.

Results: After this exercise you should be able to retrieve AD computers that match specific
criteria and indicate which properties you want to retrieve for those computers.
Lab B: Exercise 2: Creating a Report Showing All Windows Server 2008 R2 Servers

Scenario
Now that you can discover servers in your organization using Active Directory, your manager
would like you to generate a report showing all Windows Server 2008 R2 servers in your
organization.

The main tasks for this exercise are as follows:


1. Retrieve all computers running Windows Server 2008 R2.
2. Generate an HTML report showing only the computer name, SID, and operating system
details.
3. Generate a CSV file showing only the computer name, SID, and operating system details.

Task 1: Retrieve all computers running Windows Server 2008 R2
• Retrieve all AD computers running the Windows Server 2008 R2 operating system. Include the
OperatingSystem, OperatingSystemHotfix, OperatingSystemServicePack, and
OperatingSystemVersion properties in the computer objects that you retrieve.

Task 2: Generate an HTML report showing only the computer name, SID, and operating
system details
1. Read the help documentation and examples for the ConvertTo-Html and Out-File cmdlets
so that you understand how they work.
2. Rerun the command from Task 1 to retrieve Windows Server 2008 R2 servers. Generate an
HTML table fragment by passing the results to the ConvertTo-Html cmdlet. Don’t forget to
use the Fragment parameter.
3. Rerun the command from Task 1 to retrieve Windows Server 2008 R2 servers. Generate an
HTML file by passing the results to the ConvertTo-Html and Out-File cmdlets. Name the
resulting file C:\OSList.htm.
4. Use PowerShell to open the C:\OSList.htm file in Internet Explorer.

Task 3: Generate a CSV file showing only the computer name, SID, and operating
system details
1. Read the help documentation and examples for the Export-Csv cmdlet so that you understand
how it works.
2. Rerun the command from Task 1 to retrieve Windows Server 2008 R2 servers.
Use Select-Object to select only the Name, SID, and OperatingSystem* attributes.
3. Pass the results of the last command to Export-Csv to create a CSV file containing the results.
Name the resulting file C:\OSList.csv.
4. Use PowerShell to open the C:\OSList.csv file in Notepad.

Results: After this exercise, you should be able to generate HTML and CSV documents
containing information you retrieved using PowerShell commands.
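
An added example, not part of the original lab handout, covering the computer query from Lab B Exercise 1 and the HTML and CSV reports from this exercise. It assumes the lab's domain, the ActiveDirectory module, and that Internet Explorer and Notepad are present on the lab VM. The operating system attributes reflect what each computer last registered in the directory, so the report shows what Active Directory records, not a live inventory.

```powershell
Import-Module ActiveDirectory

# The attribute holds the full edition name (for example "Windows Server 2008 R2 Enterprise"),
# so match with a trailing wildcard.
$servers = @(Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' `
    -Properties OperatingSystem, OperatingSystemHotfix, OperatingSystemServicePack, OperatingSystemVersion)

# Keep only the columns the report needs; OperatingSystem* picks up all four OS properties.
$report = $servers | Select-Object Name, SID, OperatingSystem*

# Table fragment only (no <html> or <body> wrapper), suitable for embedding in another page.
$fragment = $report | ConvertTo-Html -Fragment

# Complete HTML page and CSV file, using the file names from the lab.
$report | ConvertTo-Html -Title 'Windows Server 2008 R2 servers' | Out-File -FilePath C:\OSList.htm
$report | Export-Csv -Path C:\OSList.csv -NoTypeInformation

# Open the results: Internet Explorer for the HTML file, Notepad for the CSV.
Start-Process -FilePath iexplore.exe -ArgumentList C:\OSList.htm
Start-Process -FilePath notepad.exe -ArgumentList C:\OSList.csv
```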
Lab B: Exercise 3: Discovering Any Organizational Units That Aren’t Protected Against
Accidental Deletion

Scenario
As a senior IT administrator responsible for a team, you want to make sure that your team
members don’t accidentally delete important information in Active Directory. You know about
the new feature for OUs that prevents them from accidental deletion and you want to monitor the
OUs in your environment to ensure that they are appropriately protected.
The main tasks for this exercise are as follows:
1. Retrieve all organizational units.
2. Retrieve organizational units that are not protected against accidental deletion.

Task 1: Retrieve all organizational units
1. Read the help documentation and examples for the Get-ADOrganizationalUnit cmdlet to
learn how it works.
2. Get a list of all organizational units in AD. Include the ProtectedFromAccidentalDeletion
property in the results.

Task 2: Retrieve organizational units that are not protected against accidental deletion
• Use the Get-ADOrganizationalUnit cmdlet to get a list of all organizational units whose
ProtectedFromAccidentalDeletion property is set to false.

Results: After this exercise, you should be able to use the Active Directory cmdlets to retrieve
organizational units from Active Directory.
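
An added example, not part of the original lab handout, that audits OU protection and previews the fix. It assumes the lab's domain and the ActiveDirectory module; the remediation step goes beyond the lab's tasks and is shown with -WhatIf only.

```powershell
Import-Module ActiveDirectory

# ProtectedFromAccidentalDeletion is derived by the module from each OU's ACL,
# so request it explicitly and filter on the client.
$allOUs = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion)
$unprotected = @($allOUs | Where-Object { -not $_.ProtectedFromAccidentalDeletion })

"{0} of {1} OUs are not protected against accidental deletion" -f $unprotected.Count, $allOUs.Count
$unprotected | Sort-Object DistinguishedName |
    Format-Table Name, DistinguishedName, ProtectedFromAccidentalDeletion -AutoSize

# Preview enabling the protection on each unprotected OU; remove -WhatIf to apply.
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf
```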
