
Microsoft Official Course: Automating Active Directory Domain Services Administration

This module covers automating Active Directory Domain Services administration using command line tools and Windows PowerShell. It discusses using tools like csvde, ldifde and DS commands to export, import and modify AD DS objects from the command line. It also demonstrates performing bulk AD DS operations using Windows PowerShell such as modifying multiple user properties at once and creating many user accounts with a single script.

Uploaded by Adela Milea

Microsoft Official Course

Module 4

Automating Active Directory Domain Services Administration

Module Overview

• Using Command-line Tools for AD DS Administration
• Using Windows PowerShell for AD DS Administration
• Performing Bulk Operations with Windows PowerShell

Lesson 1: Using Command-line Tools for AD DS Administration

• Benefits of Using Command-line Tools for AD DS Administration
• What Is Csvde?
• What Is Ldifde?
• What Are DS Commands?

Benefits of Using Command-line Tools for AD DS Administration

Command-line tools allow you to automate AD DS administration

Benefits of using command-line tools:
• Faster implementation of bulk operations
• Customized processes for AD DS administration
• AD DS administration on server core

What Is Csvde?

[Diagram: csvde.exe exports AD DS objects to filename.csv and imports objects from filename.csv into AD DS]

Use csvde to export objects to a .csv file:
• -f filename
• -d RootDN
• -p SearchScope
• -r Filter
• -l ListOfAttributes

Use csvde to create objects from a .csv file:
csvde -i -f filename -k

What Is Ldifde?

[Diagram: ldifde.exe exports AD DS objects to filename.ldif and imports objects from filename.ldif into AD DS]

Use ldifde to export objects to an LDIF file:
• -f filename
• -d RootDN
• -r Filter
• -p SearchScope
• -l ListOfAttributes
• -o ListOfAttributes

Use ldifde to create, modify, or delete objects:
ldifde -i -f filename -k

What Are DS Commands?

Windows Server 2012 includes command-line tools that are suitable for use in scripts

Examples:

• To modify the department of a user account, type:
Dsmod user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -dept IT

• To display the email of a user account, type:
Dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -email

• To delete a user account, type:
Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

• To create a new user account, type:
Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

Lesson 2: Using Windows PowerShell for AD DS Administration

• Using Windows PowerShell Cmdlets to Manage User Accounts
• Using Windows PowerShell Cmdlets to Manage Groups
• Using Windows PowerShell Cmdlets to Manage Computer Accounts
• Using Windows PowerShell Cmdlets to Manage OUs

Using Windows PowerShell Cmdlets to Manage User Accounts

Cmdlet                    Description
New-ADUser                Creates user accounts
Set-ADUser                Modifies properties of user accounts
Remove-ADUser             Deletes user accounts
Set-ADAccountPassword     Resets the password of a user account
Set-ADAccountExpiration   Modifies the expiration date of a user account
Unlock-ADAccount          Unlocks a user account after it has become locked after too many incorrect login attempts
Enable-ADAccount          Enables a user account
Disable-ADAccount         Disables a user account

New-ADUser "Sten Faerch" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT

Using Windows PowerShell Cmdlets to Manage Groups

Cmdlet                              Description
New-ADGroup                         Creates new groups
Set-ADGroup                         Modifies properties of groups
Get-ADGroup                         Displays properties of groups
Remove-ADGroup                      Deletes groups
Add-ADGroupMember                   Adds members to groups
Get-ADGroupMember                   Displays membership of groups
Remove-ADGroupMember                Removes members from groups
Add-ADPrincipalGroupMembership      Adds group membership to objects
Get-ADPrincipalGroupMembership      Displays group membership of objects
Remove-ADPrincipalGroupMembership   Removes group membership from an object

New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

Add-ADGroupMember CustomerManagement -Members "Joe"

Using Windows PowerShell Cmdlets to Manage Computer Accounts

Cmdlet                          Description
New-ADComputer                  Creates new computer accounts
Set-ADComputer                  Modifies properties of computer accounts
Get-ADComputer                  Displays properties of computer accounts
Remove-ADComputer               Deletes computer accounts
Test-ComputerSecureChannel      Verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword   Resets the password for a computer account

New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Test-ComputerSecureChannel -Repair

Using Windows PowerShell Cmdlets to Manage OUs

Cmdlet                        Description
New-ADOrganizationalUnit      Creates organizational units
Set-ADOrganizationalUnit      Modifies properties of organizational units
Get-ADOrganizationalUnit      Views properties of organizational units
Remove-ADOrganizationalUnit   Deletes organizational units

New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true

Lesson 3: Performing Bulk Operations with Windows PowerShell

• What Are Bulk Operations?
• Demonstration: Using Graphical Tools to Perform Bulk Operations
• Querying Objects with Windows PowerShell
• Modifying Objects with Windows PowerShell
• Working with CSV Files
• Demonstration: Performing Bulk Operations with Windows PowerShell

What Are Bulk Operations?

• A bulk operation is a single action that changes multiple objects
• The process for performing a bulk operation is:
  1. Define a query
  2. Modify the objects defined by the query
• You can perform bulk operations by using:
  • Graphical tools
  • Command-line tools
  • Scripts

Demonstration: Using Graphical Tools to Perform Bulk Operations

In this demonstration, you will see how to:
• Create a query for all users
• Configure the Company attribute for all users
• Verify that the Company attribute has been modified

Querying Objects with Windows PowerShell

Parameter       Description
SearchBase      Defines the AD DS path to begin searching.
SearchScope     Defines at what level below the SearchBase a search should be performed.
ResultSetSize   Defines how many objects to return in response to a query.
Properties      Defines which object properties to return and display.

Operator   Description
-eq        Equal to
-ne        Not equal to
-lt        Less than
-le        Less than or equal to
-gt        Greater than
-ge        Greater than or equal to
-like      Uses wildcards for pattern matching

Show all the properties for a user account:
Get-ADUser Administrator -Properties *

Show all the user accounts in the Marketing OU and all its subcontainers:
Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope subtree

Show all of the user accounts with a last logon date older than a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"}

Show all of the user accounts in the Marketing department that have a last logon date older than a specific date:
Get-ADUser -Filter {(lastlogondate -lt "January 1, 2012") -and (department -eq "Marketing")}

Modifying Objects with Windows PowerShell

Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing

Get-ADUser -Filter {company -notlike "*"} | Set-ADUser -Company "A. Datum"

Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"} | Disable-ADAccount

Get-Content C:\users.txt | Disable-ADAccount
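
The query-then-modify pipeline above, as an added example (not part of the course material) that records and previews a bulk disable before committing it. The cutoff date and OU come from the slides; the review file path and the $Commit switch are assumptions.

```powershell
# Added example: stage a bulk disable so it can be reviewed before it runs.
# Assumptions: the review file path and the $Commit switch are hypothetical.
Import-Module ActiveDirectory

$Commit = $false                          # set to $true only after review
$cutoff = [datetime]'2012-01-01'          # "January 1, 2012" from the slide
$base   = 'ou=Marketing,dc=adatum,dc=com'
$review = 'C:\stale-review.csv'

# 1. Define the query. Only enabled accounts are candidates. Accounts that
#    have never logged on have no LastLogonDate and are not matched by -lt.
$stale = Get-ADUser -Filter { (LastLogonDate -lt $cutoff) -and (Enabled -eq $true) } `
    -SearchBase $base -SearchScope Subtree -Properties LastLogonDate, Department

# 2. Record exactly which objects the change will touch.
$stale |
    Select-Object SamAccountName, DistinguishedName, Department, LastLogonDate |
    Export-Csv -Path $review -NoTypeInformation
Write-Host "$(@($stale).Count) account(s) matched; list written to $review"

# 3. Modify. Without $Commit, -WhatIf prints each action and changes nothing.
foreach ($user in $stale) {
    try {
        Disable-ADAccount -Identity $user -WhatIf:(-not $Commit) -ErrorAction Stop
    } catch {
        # One failing object (for example, access denied) does not stop the batch.
        Write-Warning "$($user.SamAccountName): $($_.Exception.Message)"
    }
}

# Rollback from the recorded list, if the change has to be reverted:
# Import-Csv $review | ForEach-Object { Enable-ADAccount -Identity $_.SamAccountName }
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is updated only periodically, so a cutoff should leave a margin of at least two weeks.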


Working with CSV Files

The first line of a .csv file defines the names of the columns

FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing

A foreach loop processes the contents of a .csv file that has been imported into a variable

# Load every row of the file; each row becomes an object with one property per column
$users = Import-Csv C:\users.csv
foreach ($i in $users) {
    Write-Host "The first name is:" $i.FirstName
}
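
An added example (not the course's lab script) that extends the foreach loop above into bulk account creation with New-ADUser, giving each account its own random initial password that must be changed at first logon. The target OU, the firstname.lastname logon-name convention and the New-InitialPassword helper are assumptions; the CSV rows are the ones shown on the slide.

```powershell
# Added example: create accounts from the CSV shown above.
# Assumptions: target OU, logon-name convention and helper are hypothetical.
Import-Module ActiveDirectory

function New-InitialPassword {
    # 20 characters drawn with a cryptographic RNG. The alphabet has exactly
    # 64 symbols, so (byte % 64) is uniform.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+=?@'
    $bytes = New-Object byte[] 20
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed sample input: the rows from the slide, embedded inline.
$users = @'
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
'@ | ConvertFrom-Csv

$ou = 'ou=Managers,dc=adatum,dc=com'
$report = foreach ($i in $users) {
    $sam   = ('{0}.{1}' -f $i.FirstName, $i.LastName).ToLower()
    $plain = New-InitialPassword
    try {
        New-ADUser -Name "$($i.FirstName) $($i.LastName)" `
            -GivenName $i.FirstName -Surname $i.LastName `
            -SamAccountName $sam -Department $i.Department -Path $ou `
            -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        [pscustomobject]@{ Account = $sam; InitialPassword = $plain; Status = 'Created' }
    } catch {
        # A row that fails (duplicate name, password policy) does not stop the batch.
        [pscustomobject]@{ Account = $sam; InitialPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize
```

The report holds the initial passwords in clear text, so hand them over out of band rather than saving the output to disk.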

Demonstration: Performing Bulk Operations with Windows PowerShell

In this demonstration, you will see how to:
• Configure a department for users
• Create an OU
• Run a script to create new user accounts
• Verify that new user accounts were created

Lab: Automating AD DS Administration by Using Windows PowerShell

• Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
• Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
• Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk

Logon Information
Virtual machines   20410B-LON-DC1
                   20410B-LON-CL1
User name          Adatum\Administrator
Password           Pa$$w0rd

Estimated Time: 45 minutes

Lab Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.

As part of configuring a new branch office, you need to create user and group accounts. Creating multiple users with graphical tools is inefficient, so you will be using Windows PowerShell.

Lab Review

• By default, are new user accounts enabled or disabled when you create them by using the New-ADUser cmdlet?
• What file extension do Windows PowerShell scripts use?

Module Review and Takeaways

• Review Questions
