Installing Active Directory and Creating a New Forest
The first task is to install the Active Directory Domain Services (AD DS) role. AD DS is installed by running the following PowerShell command:
Figure 1
Running the script below completes the installation of the first domain controller in a new Active Directory forest.
Import-Module ADDSDeployment
Install-ADDSForest `
  -CreateDnsDelegation:$false `
  -DatabasePath "C:\Windows\NTDS" `
  -DomainMode "Win2012R2" `
  -DomainName "LanzTek.local" `
  -DomainNetbiosName "LANZTEK" `
  -ForestMode "Win2012" `
  -InstallDns:$true `
  -LogPath "C:\Windows\NTDS" `
  -NoRebootOnCompletion:$false `
  -SysvolPath "C:\Windows\SYSVOL" `
  -Force:$true
This script is helpful in a Server Core installation, where you do not have direct access to the Windows graphical interface to install AD DS.
Only two cmdlets, Import-Module and Install-ADDSForest, are used in this script. Import-Module adds the ADDSDeployment module to the current session, making all the cmdlets associated with that module available as long as the session remains open. In PowerShell 3.0 and above, installed modules are automatically imported into a session when a cmdlet that belongs to a particular module is used.
The Install-ADDSForest cmdlet installs AD DS on a Windows Server 2012 R2 server and creates a new Active Directory forest configuration. Let's review the Install-ADDSForest parameters used in this script:
-CreateDnsDelegation:$false – Because the domain controller is also going to be configured as a DNS server, this parameter indicates whether a DNS delegation that references this new DNS server and its namespace should be created.
-DatabasePath "C:\Windows\NTDS" – Specifies the location of the Active Directory database.
-DomainMode "Win2012R2" – Defines the domain functional level for the first domain in the new forest. This parameter can be either a string or an integer value. The following options are supported:
* Windows Server 2012 R2: Win2012R2 or 6
* Windows Server 2012: Win2012 or 5
* Windows Server 2008 R2: Win2008R2 or 4
* Windows Server 2008: Win2008 or 3
* Windows Server 2003: Win2003 or 2
-DomainName "LanzTek.local" – The fully qualified domain name for the root domain in the forest.
-DomainNetbiosName "LANZTEK" – Designates the NetBIOS name for the root domain. Even if you do not plan to use any NetBIOS applications, this parameter must be set to a valid single-label name of no more than 15 characters. If the NetBIOS name is longer than 15 characters, the forest installation fails.
-ForestMode "Win2012" – Defines the forest functional level for the new forest. It supports the same values as the DomainMode parameter.
-InstallDns:$true – Specifies that the DNS Server service will be installed on this domain controller. By default, a new Active Directory integrated DNS zone is created with the name of the domain, in this case lanztek.local.
-LogPath "C:\Windows\NTDS" – Specifies the location of the AD DS log files.
-NoRebootOnCompletion:$false – Indicates whether to skip the reboot after completion; set to $false, the server reboots automatically. A reboot is necessary for the new domain controller to become fully functional.
-SysvolPath "C:\Windows\SYSVOL" – Specifies the location of the Sysvol folder. A Sysvol network share is automatically created within the Sysvol folder as part of the AD DS installation process.
-Force:$true – Suppresses any normal warning that is generated during the installation.
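The promotion above is irreversible once it runs, so in practice it is worth installing the role, running the ADDSDeployment prerequisite check, and only then calling Install-ADDSForest. The script below is an added example and not part of the original article: it reuses the article's names and paths, prompts for the Directory Services Restore Mode (DSRM) password instead of writing it into the script, and relies on Test-ADDSForestInstallation accepting the same parameters as Install-ADDSForest and returning a result object whose Status property reads "Success" when all prerequisites pass.

```powershell
# Added example (not from the original article): install the AD DS role, run the
# ADDSDeployment prerequisite check, then promote the server to the first DC.

# Install the AD DS role binaries together with the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# The DSRM password must be a SecureString; prompting keeps it out of the script
# file and the command history.
$dsrmPassword = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

# Same settings as the article's script, as a splatting table so the check and
# the installation are guaranteed to use identical values.
$forestParams = @{
    DomainName                    = 'LanzTek.local'
    DomainNetbiosName             = 'LANZTEK'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $false
    Force                         = $true
}

# The 15-character NetBIOS limit mentioned in the article: fail early rather than
# halfway through the promotion.
if ($forestParams.DomainNetbiosName.Length -gt 15) {
    throw "NetBIOS name '$($forestParams.DomainNetbiosName)' exceeds 15 characters."
}

# Test-ADDSForestInstallation validates the prerequisites without changing the server
# (the Status property of its result is assumed to be 'Success' when all checks pass).
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Message, Context, RebootRequired, Status

if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; review the messages above before promoting.'
}

Install-ADDSForest @forestParams
```

Splatting the same hashtable into both cmdlets is the point of the pattern: the configuration that was tested is exactly the configuration that gets installed, and the DSRM password exists only as a SecureString in the running session.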
Active Directory Module for Windows PowerShell
After running the script, the Active Directory module for Windows PowerShell is installed on the domain controller. This module is automatically imported into a PowerShell session any time you try to use one of its cmdlets. By using implicit remoting, the module can be imported on a Windows client or a Windows Server computer that does not have Active Directory installed, and from there you can manage Active Directory remotely. The module is also available as part of the Remote Server Administration Tools, which can be installed on Windows 7 or Windows 8 clients as well as member servers running Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2. The AD module uses the Active Directory Web Services (ADWS) service to communicate with and manage Active Directory. Incidentally, the Active Directory Administrative Center (ADAC) is a graphical interface that sits on top of Windows PowerShell, so it also needs ADWS to function.
Active Directory PowerShell Drive (PSDrive) Provider
The Active Directory module includes a PSDrive provider that lets you browse the contents of the directory in much the same way you navigate the file system. Importing the AD module maps a drive named AD: to the domain you are currently logged on to. This drive provides a security framework for executing the cmdlets: each time you execute an Active Directory cmdlet, PowerShell automatically uses the credentials and domain of the currently mapped PSDrive. Without this functionality you would need to enter credentials every time you run an Active Directory cmdlet or script. To see the contents of the AD PSDrive, run this command:
Get-ChildItem AD:
Figure 2
The output shows all the Active Directory partitions. From there, you can navigate deeper into any of these partitions to verify configurations or make changes to AD objects. For example, let's look into the domain partition by executing this command:
Get-ChildItem AD:\"dc=lanztek,dc=local"
Figure 3
To see only the user accounts within the Users container, run:
Get-ChildItem AD:\"cn=users,dc=lanztek,dc=local" | ? {$_.objectClass -eq "user"}
Figure 4
Now, let's say that we want to make a change to the Administrator account by modifying the Department property value. This command will do the trick:
Set-ItemProperty -Path AD:\"cn=Administrator,cn=users,dc=lanztek,dc=local" `
  -Name "Department" -Value "Information Technology"
Figure 5
In the previous command, -Path points to the location of the Administrator account within the Users container. The -Name parameter indicates the property to modify, in this case Department, and finally the -Value parameter sets the department label or designation for that user.
This command verifies the change:
Get-ADUser administrator -Properties * | Format-List DistinguishedName,Name,Department
Figure 6
As we saw in the preceding examples, it is possible to manage Active Directory by accessing the AD PSDrive directly. However, using the Active Directory module cmdlets is a more pragmatic approach to automating many AD management tasks.
Creating and Enabling AD User Accounts
Let's start by creating a user account with the New-ADUser cmdlet:
New-ADUser -Name "Will Lanz" -SamAccountName "wlanz" `
  -GivenName "Will" -Surname "Lanz" -DisplayName "Will Lanz" `
  -UserPrincipalName "will@lanztek.local" -Path "OU=Sales,DC=lanztek,DC=local" `
  -Department "IT"
This command creates a user account in the Sales Organizational Unit of the lanztek.local domain. However, no password has been set and the account is disabled. To verify that the account was created, run this command:
Get-ADUser wlanz
Figure 7
Let's set a password and enable the wlanz account by executing the code below:
Set-ADAccountPassword -Identity wlanz -Reset `
  -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
Enable-ADAccount -Identity wlanz
It is important to note that, for security reasons, PowerShell does not pass a plaintext password to Active Directory without encryption. The -NewPassword parameter must receive its value as a secure string. In this case, the ConvertTo-SecureString cmdlet converts the plaintext password to a secure string. The -AsPlainText parameter specifies that the plaintext string 'Pa$$w0rd' is to be converted to a secure string; the text is then encrypted and removed from the computer's memory once it is no longer needed. The -Force parameter is used in conjunction with -AsPlainText to confirm the conversion. The password literal is single-quoted because inside a double-quoted string PowerShell would expand the $$ sequence as a variable and the stored password would not be the one you typed.
To verify that the account has been enabled, run this command again:
Get-ADUser wlanz
Figure 8
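A password written into a script, as in the snippet above, ends up in the file, in the command history and in any log that records the command line. The helper below is an added example, not code from the original article: it reads the initial password as a SecureString, resets and enables the account, and marks the account so the user must choose a password only they know at first logon. The function name Set-InitialAccountPassword is an assumption; the cmdlets it calls are the ones the article uses plus Set-ADUser and Read-Host.

```powershell
# Added example (not from the original article): set an initial password for an
# existing account without placing the password in the script, enable the account,
# and force a password change at first logon.
Import-Module ActiveDirectory

function Set-InitialAccountPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Read-Host -AsSecureString keeps the password out of the script file and the
    # command history; the value only ever exists as a SecureString in this session.
    $password = Read-Host -Prompt "Initial password for $SamAccountName" -AsSecureString

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $password

    # The operator-chosen value is temporary: the user must replace it at first logon.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $SamAccountName

    # Return the state an operator would want to confirm.
    Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordExpired
}

Set-InitialAccountPassword -SamAccountName 'wlanz'
```

The returned object is the verification step the article performs with Get-ADUser wlanz, extended with PasswordLastSet and PasswordExpired so the reset and the change-at-logon flag are both visible in one line.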
Creating a user account and enabling it later may be necessary in some situations, but in many cases you may want to create and enable the account as part of the same process. Let's do that next by running these commands:
New-ADUser -Name "Vito Corleone" -SamAccountName "Vcorleone" `
  -GivenName "Vito" -Surname "Corleone" -DisplayName "Vito Corleone" `
  -UserPrincipalName "vito@lanztek.local" -Enabled $true `
  -Path "OU=Sales,DC=lanztek,DC=local" -Department "Sales" `
  -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force)
In the preceding code we used the New-ADUser cmdlet again, but this time two parameters, -AccountPassword and -Enabled, were added to securely configure a password and to enable the account.
Managing Multiple AD User Accounts
Hundreds and even thousands of user accounts can be created and managed in Active Directory with a few lines of code. Let's demonstrate this process by importing the user names and properties from a comma-separated value (CSV) file. Say you need to create several user accounts: you can generate a CSV file with all the accounts' information, use the Import-CSV cmdlet to import it, and then pipe that information to the New-ADUser cmdlet. The New-ADUser cmdlet picks up all the parameter names and values from the PowerShell pipeline and creates the user accounts in the directory. The figure below shows the CSV file used in our demonstration.
Figure 9
As you can see, the column headers match parameter names available with the New-ADUser cmdlet.
Once the CSV file is ready, running the following script will create all the user accounts in the directory.
Import-Csv -Path c:\scripts\users\users.csv |
foreach {New-ADUser -Name $_.name -Enabled $true `
-AccountPassword (ConvertTo-SecureString $_.password `
-AsPlainText -Force) `
-SamAccountName $_.samAccountName -City $_.city `
-Department $_.Department -EmployeeID $_.EmployeeID `
-Path "OU=sales,DC=lanztek,DC=local"}
The foreach loop is used here to process the data one row at a time. For each row, a new AD user account is created by the New-ADUser cmdlet. The script directs PowerShell to create the user accounts in the Sales Organizational Unit of the lanztek.local domain.
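The CSV in the script above carries a password column, which means every initial password sits in plain text on a file share, and a row with a bad or duplicate samAccountName stops the pipeline with an unhandled error. The script below is an added example and not part of the original article. It keeps the article's column names (name, samAccountName, city, Department, EmployeeID) but has no password column: each account receives a random initial password that is shown once on the console for out-of-band delivery and never written to disk, rows are validated before the directory is touched, and the outcome per row goes to a report. The file paths and the New-RandomPassword helper are assumptions.

```powershell
# Added example (not from the original article): bulk account creation from a CSV
# that holds no passwords. Each row is validated, gets a random initial password,
# and is recorded as created or failed in a report file.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int] $Length = 16)
    # Cryptographically random bytes mapped onto a printable alphabet (the small
    # modulo bias is acceptable for a one-time password that must be changed at logon).
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%&*-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$targetOu = 'OU=Sales,DC=lanztek,DC=local'          # same OU as the article
$csvPath  = 'C:\scripts\users\users.csv'             # constructed path, no password column

$results = Import-Csv -Path $csvPath | ForEach-Object {
    $row = $_
    $outcome = [ordered]@{
        SamAccountName  = $row.samAccountName
        Name            = $row.name
        Status          = ''
        InitialPassword = ''
    }
    try {
        # Validate before using the value anywhere: the pattern also keeps untrusted
        # CSV content from being interpolated into the -Filter string below.
        if ($row.samAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            throw 'samAccountName missing, too long, or contains invalid characters'
        }
        if (Get-ADUser -Filter "SamAccountName -eq '$($row.samAccountName)'") {
            throw 'account already exists'
        }

        $initial = New-RandomPassword
        New-ADUser -Name $row.name -SamAccountName $row.samAccountName `
            -UserPrincipalName "$($row.samAccountName)@lanztek.local" `
            -City $row.city -Department $row.Department -EmployeeID $row.EmployeeID `
            -Path $targetOu -Enabled $true -ChangePasswordAtLogon $true `
            -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force)

        $outcome.Status          = 'created'
        $outcome.InitialPassword = $initial
    } catch {
        $outcome.Status = "failed: $($_.Exception.Message)"
    }
    [pscustomobject]$outcome
}

# Console only: the one-time passwords are handed over out of band and not stored.
$results | Format-Table SamAccountName, Status, InitialPassword -AutoSize

# The report on disk deliberately omits the InitialPassword column.
$results | Select-Object SamAccountName, Name, Status |
    Export-Csv -Path 'C:\scripts\users\provisioning-report.csv' -NoTypeInformation
```

Two design choices matter here. The samAccountName is checked against a strict character class before it is used to build an LDAP-style -Filter string, so a malformed row cannot change the meaning of the query; and the password column is gone, replaced by a per-account random value plus -ChangePasswordAtLogon, so nothing that lives on the file share can log on as a new user.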
Let's verify that the user accounts were created in the Sales OU by executing this code:
Get-ADUser -Filter * -SearchBase "OU=sales,dc=lanztek,dc=local" |
Format-table Name,Distinguishedname,Enabled -AutoSize
Figure 10
Once the user accounts are created, many management and maintenance tasks can be automated with Windows PowerShell. For example, the figure above shows that there are nine accounts in the Sales OU. Let's say that we want to move all these users to the Finance OU. This code will complete the task:
Get-ADUser -Filter * -SearchBase "OU=sales,dc=lanztek,dc=local" |
Move-ADObject -TargetPath "OU=Finance,DC=lanztek,DC=local"
There may be other AD objects in the Sales OU, but the preceding code uses the Get-ADUser cmdlet to pull only the user accounts from the Sales OU and pipe the results to the Move-ADObject cmdlet. Move-ADObject in turn relocates the accounts to the Finance OU.
By using the user account properties it is possible to quickly find users in the directory that meet specific search criteria. For example, say we want to find AD users who work in the Operations department and live in either Denver or Dallas. The code to search for that information is:
Get-ADUser -Filter `
  '(city -eq "denver" -or city -eq "Dallas") -and (department -eq "operations")' `
  -Properties * | Select-Object Name,Department,City
Here are the results:
Figure 11
Managing AD users and groups is also more efficient with PowerShell. Let's say we want to find all the users who work in the Operations department and add them to a group named Operations. See the code below:
$OpsUsers = Get-ADUser -Filter 'department -eq "Operations"'
Add-ADGroupMember -Identity operations -Members $OpsUsers
The -Members parameter of Add-ADGroupMember does not accept pipeline input. To get around that inconvenience, the $OpsUsers variable collects all the users who work in the Operations department; we then pass that variable directly to the -Members parameter to add those users to the Operations group.
This code will verify the membership of the Operations group:
Get-ADGroupMember -Identity Operations |
FT name,DistinguishedName -AutoSize
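Adding the current Operations users to the group, as above, is a one-time operation; the group drifts as soon as someone transfers out of the department and keeps whatever access the group grants. The function below is an added example and not code from the original article: it compares the set of users whose Department attribute matches against the group's current user members, reports what would be added and removed, and applies the change only when asked. The function name and the -Apply switch are assumptions; Compare-Object, Get-ADGroupMember, Add-ADGroupMember and Remove-ADGroupMember are standard cmdlets.

```powershell
# Added example (not from the original article): reconcile a department group with
# the Department attribute so that group-based access follows the HR data, including
# removing members whose department has changed.
Import-Module ActiveDirectory

function Sync-DepartmentGroup {
    param(
        [Parameter(Mandatory)] [string] $Department,
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $Apply     # without -Apply the function only reports the drift
    )

    # Desired membership: every user whose Department attribute matches.
    $desired = Get-ADUser -Filter "Department -eq '$Department'" |
        Select-Object -ExpandProperty DistinguishedName

    # Current membership: user objects only, so nested groups are left alone.
    $current = Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName

    # '<=' means present in desired but not in the group; '=>' the reverse.
    $diff     = Compare-Object -ReferenceObject @($desired) -DifferenceObject @($current)
    $toAdd    = $diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
    $toRemove = $diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject

    if ($Apply) {
        if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
        if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    }

    [pscustomobject]@{
        Group   = $GroupName
        Added   = @($toAdd).Count
        Removed = @($toRemove).Count
        Applied = [bool]$Apply
    }
}

# Dry run first; apply once the counts look right.
Sync-DepartmentGroup -Department 'Operations' -GroupName 'Operations'
Sync-DepartmentGroup -Department 'Operations' -GroupName 'Operations' -Apply
```

Running the dry run on a schedule and alerting when Removed is non-zero turns the same function into a cheap detection for stale group membership, which is the part of the article's Add-ADGroupMember step that a one-time script never revisits.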