Microsoft's PowerShell (PS) administration framework, developed for systems administration and for automating administrative tasks, goes far beyond simply replacing the venerable command-line shell. PS offers much more by integrating with services and applications to provide holistic administration of clients and servers alike.
As the underlying framework is updated, new and more powerful functions become available. PS is further enhanced by importing modules for supported services, such as Active Directory (AD), which gives admins greater control over the devices and user accounts stored in AD, for example. This capability extends to all facets of maintaining the directory services, including controllers and domain services.
Before diving into the cmdlets, there are a few requirements that must be met to ensure that the AD cmdlets are available and fully supported:
- Administrative PC amongst Windows Vista installed (or newer)
- Remote Server Administration Tools installed on administrative PC
- Server amongst Windows Server 2008 (or newer)
- Active Directory Domain Services Role installed on server
- Windows Management Framework 3.0 (or newer)
- Switched network (required for most cmdlets to function properly)
- Broadband Internet access (optional, but recommended)
- Domain Admin credentials
Accessing Active Directory cmdlets
Start by importing the Active Directory module.
Before being able to run any of the cmdlets that manage AD, the corresponding module must first be imported into the current PS session. Once this has been done, the AD cmdlets will be loaded and at your disposal.
Note: you must perform this each time PS is run before the AD-specific cmdlets will become available.
1. Create a computer object
To create a new computer object in a specified organizational unit (OU), enter the cmdlet:
New-ADComputer -Name "ComputerName" -SamAccountName "ComputerName" -Path "OU=Computers,DC=Domain,DC=com"
specifying the object's name for both the -Name and -SamAccountName parameters. Do not forget to include the distinguished name (DN) in quotes after the -Path parameter, which designates where the object is to be created.
This is especially useful when managing multiple sites and/or domains, particularly when scripting changes to AD such as new account creations, which may be linked to new hires when they are on-boarded by human resources.
2. Create new security groups
Enter the cmdlet:
New-ADGroup -Name "Security Group Name" -SamAccountName "SecurityGroupName" -GroupCategory Security -GroupScope Global -DisplayName "Security Group Name" -Path "CN=Groups,DC=Domain,DC=com" -Description "Brief description of what the security group is used for"
This cmdlet aids in the creation of such groups, which reduces administrative overhead considerably. Managing accounts and computers is made much easier when applying role-based administration settings to security groups rather than making changes to each and every account and object individually.
3. Create a new user account
Enter the cmdlet:
New-ADUser -Name "User Account Name" -SamAccountName "UserAccountName" -AccountPassword (ConvertTo-SecureString "password" -AsPlainText -Force) -DisplayName "User Name" -Enabled $True -GivenName "FirstName" -Path "CN=Users,DC=Domain,DC=com" -Server "controller.domain.com" -Surname "LastName" -UserPrincipalName "username@domain.com"
Creating and managing user accounts go hand-in-hand when AD serves as the backend to an organization's centralized infrastructure. Generating new user accounts can become a tedious task, given the numerous parameters and text fields present. And while not all are required, many are certainly useful when populated, such as email and title to name a few.
A whole host of these attributes can be configured by adding the -OtherAttributes parameter and pairing it with the attributes you wish to configure, for example: @{title="job_title";mail="username@domain.com"}.
4. Create a new OU
Enter the cmdlet:
New-ADOrganizationalUnit -Name "OU Name" -Path "DC=Domain,DC=com"
OUs are essential to managing user accounts and computer objects on the back end of the network. Put another way, a properly set up Active Directory will include a well-designed set of OUs with which to compartmentalize all the objects that AD centrally manages, making for an orderly, structured directory and one that will seamlessly lend itself to hardening the network while keeping it easy to manage.
Note: Cmdlets beginning with "New" connote the creation of that object. When the task requires removal of an object, use the "Remove" prefix in place of "New." Similarly, when you need to modify an object, use the "Set" prefix in place of "New." The syntax for these cmdlets follows a format similar to that of the New-prefixed cmdlets listed above.
5. Add/remove users or computer objects to/from groups
Enter the cmdlet:
Add-ADGroupMember SecurityGroupName -Members Username01 -Server "controller.domain.com"
Remove-ADGroupMember SecurityGroupName -Members Username01 -Server "controller.domain.com"
Once user accounts and computer objects are created, admins can choose to add them to existing security groups for added ease of management. By executing this cmdlet, the accounts listed in the -Members parameter will gain membership in the security group. When adding multiple accounts, these may be separated by commas on a single line. Additionally, the -Server parameter, though optional, specifies which domain controller to connect to for processing the changes. To remove members from a group, use the Remove-ADGroupMember cmdlet, which follows a similar syntax.
6. Obtain the locally stored password from a computer object
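The following script ties steps 1 through 5 together into a single, re-runnable onboarding routine. It is an added example, not code from the original article; the OU path, group name, server name and new-hire details are all assumptions, and the initial password is prompted for rather than passed as plaintext on the command line, which would otherwise be recorded in the PS history and any transcript.

```powershell
# Added example (not from the original article): onboarding script combining
# steps 1-5 above. OU path, group name, DC and new-hire details are assumptions.
Import-Module ActiveDirectory

$Server    = 'controller.domain.com'          # assumed domain controller
$OuPath    = 'OU=Staff,DC=Domain,DC=com'      # assumed target OU
$GroupName = 'Staff-Users'                     # assumed security group
$NewHire   = @{ Given = 'First'; Surname = 'Last'; Sam = 'flast'; Title = 'job_title' }

# Create the OU only if it does not already exist, so the script can be re-run safely.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$OuPath'" -Server $Server)) {
    New-ADOrganizationalUnit -Name 'Staff' -Path 'DC=Domain,DC=com' -Server $Server
}

# Same idempotent check for the security group.
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$GroupName'" -Server $Server)) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupCategory Security `
                -GroupScope Global -Path $OuPath -Server $Server `
                -Description 'Standard staff accounts'
}

# Prompt for the initial password instead of embedding plaintext in the command;
# a plaintext password on the command line ends up in the PS history and transcripts.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $($NewHire.Sam)"

# Step 3: create the user, with extra attributes supplied via -OtherAttributes
# and a forced password change so the onboarding password is single-use.
New-ADUser -Name "$($NewHire.Given) $($NewHire.Surname)" `
           -SamAccountName $NewHire.Sam `
           -GivenName $NewHire.Given -Surname $NewHire.Surname `
           -DisplayName "$($NewHire.Given) $($NewHire.Surname)" `
           -UserPrincipalName "$($NewHire.Sam)@domain.com" `
           -Path $OuPath -Server $Server `
           -AccountPassword $Password -Enabled $true `
           -ChangePasswordAtLogon $true `
           -OtherAttributes @{ title = $NewHire.Title; mail = "$($NewHire.Sam)@domain.com" }

# Step 5: grant group membership, then read it back from the same DC to confirm
# the change took effect before replication is relied upon.
Add-ADGroupMember -Identity $GroupName -Members $NewHire.Sam -Server $Server
Get-ADGroupMember -Identity $GroupName -Server $Server |
    Where-Object SamAccountName -eq $NewHire.Sam |
    Select-Object Name, SamAccountName, objectClass
```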
Enter the cmdlet:
Get-AdmPwdPassword -ComputerName "computer.domain.net"
For organizations that have implemented Microsoft's excellent (and free) Local Administrator Password Solution (LAPS), there is a cmdlet that can retrieve the password stored in the computer object within AD and display it in one easy step, rather than scouring the database for each object to track down the ms-mcs-AdmPwd attribute.
7. Join a computer to a domain
Enter the cmdlet:
Add-Computer -DomainName "domain.com" -Credential Domain\Username -Restart -Force
Joining a computer to the domain is one of the most common tasks IT pros perform, tens of thousands of times over their careers. And while the task only takes a few minutes per machine, it can be run from PS to streamline it, and with a few tweaks the entire process may even be fully automated. Just remember that the cmdlet, as detailed above, will prompt the admin for their password to complete the domain join before rebooting the device.
8. Enable/Disable users, computers, or service accounts
Enter the cmdlet:
Enable-ADAccount -Identity "ComputerName"
Disable-ADAccount -Identity "Username"
It is fairly obvious what this cmdlet does. It enables (or disables) a user account, computer object, or service account managed by AD to allow (or prevent) the user or computer account from authenticating on the network.
9. Unlock user accounts
Enter the cmdlet:
Unlock-ADAccount -Identity "Username"
It is often noted by statistical analysis that IT spends an inordinate amount of time resolving help desk calls relating to unlocking users' accounts and resetting their passwords. The latter is covered above with the Set-ADUser cmdlet; the former is handled by this specific cmdlet. It applies to accounts whose users have exceeded their password retry counters and have effectively locked their account from being used. Once unlocked, AD functionality (including authenticating the account) is made available again.
10. Locate disabled computer or user accounts
Enter the cmdlet:
Search-ADAccount -AccountDisabled | FT Name,ObjectClass
The Search-ADAccount cmdlet can be used for more than just finding disabled accounts. There are many parameters that may be invoked to effectively search AD and report back matching results. However, to highlight its functionality, I decided to go with disabled accounts since it is an important and useful cmdlet to know.
To limit searches to a particular OU, the -SearchBase parameter followed by the DN of the path will be necessary. Additionally, to focus these results on a particular controller, the -Server parameter followed by the Fully Qualified Domain Name (FQDN) should be appended as well.
11. Repair a broken trust between a client and the domain
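The script below goes beyond the disabled-account case in step 10 and turns Search-ADAccount into a scoped account-hygiene review (disabled, stale, locked-out and password-expired accounts), using -SearchBase and -Server as described above. It is an added example, not the article's code; the OU, domain controller, 90-day threshold and output path are assumptions.

```powershell
# Added example (not from the original article): account hygiene report built on
# Search-ADAccount. OU path, DC, inactivity window and output file are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=Domain,DC=com'     # assumed OU to scope the search
$Server     = 'controller.domain.com'         # assumed DC to query
$Report     = "$env:TEMP\ad-account-review.csv"
$Common     = @{ SearchBase = $SearchBase; Server = $Server }   # splatted into each query

$findings = @(
    # Disabled accounts (the article's case), users and computers alike.
    Search-ADAccount -AccountDisabled @Common |
        Select-Object Name, ObjectClass, @{ n = 'Finding'; e = { 'Disabled' } }

    # Enabled accounts with no logon for 90 days: still usable, so worth reviewing
    # or disabling, since stale access is a common foothold for account misuse.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) @Common |
        Where-Object Enabled |
        Select-Object Name, ObjectClass, @{ n = 'Finding'; e = { 'Inactive90d' } }

    # Locked-out users: candidates for step 9, and a spike here is worth
    # correlating with failed-logon events on the DCs.
    Search-ADAccount -LockedOut -UsersOnly @Common |
        Select-Object Name, ObjectClass, @{ n = 'Finding'; e = { 'LockedOut' } }

    # Expired passwords on accounts that are still enabled.
    Search-ADAccount -PasswordExpired @Common |
        Where-Object Enabled |
        Select-Object Name, ObjectClass, @{ n = 'Finding'; e = { 'PasswordExpired' } }
)

# Show the review on screen and keep a CSV copy for the ticket or audit trail.
$findings | Sort-Object Finding, Name | Format-Table -AutoSize
$findings | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Wrote $($findings.Count) findings to $Report"
```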
Enter the cmdlet:
Test-ComputerSecureChannel -Server "controller.domain.com"
A broken channel, as PS refers to it, occurs when the client computer has a broken trust relationship with the domain. It will cease to authenticate domain logins since the client and domain no longer have the channel set up that acts as a link between the two. The cmdlet above tests this relationship against the domain controller to verify that the link still exists. If not, adding the -Repair parameter resets this link between the two, reestablishing the channel.
This is by no means intended to be an exhaustive list of all the cmdlets available to systems or domain administrators, but rather a list of cmdlets that are commonly used daily to manage accounts, modify objects, and obtain relevant information used to resolve issues that affect productivity.
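Putting step 11 into a check-then-repair routine, as an added example that is not part of the original article: the channel is tested first, -Repair is attempted only when the test fails, and the result is re-tested and logged. The domain controller name is an assumption, and the credential is prompted for rather than stored in the script.

```powershell
# Added example (not from the original article): test the secure channel and
# repair it only when it is actually broken. The DC name is an assumption.
Import-Module ActiveDirectory
$Server = 'controller.domain.com'

if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel to $Server is healthy on $env:COMPUTERNAME; nothing to do."
} else {
    # Repairing resets the machine account password, so it needs domain credentials
    # with that right; prompting keeps them out of the script and its history.
    $cred = Get-Credential -Message 'Domain account permitted to reset the computer password'
    $repaired = Test-ComputerSecureChannel -Server $Server -Repair -Credential $cred

    # Re-test so the log reflects the channel state after the repair, not only
    # the repair call's own return value.
    $state = if ($repaired -and (Test-ComputerSecureChannel -Server $Server)) {
        'repaired'
    } else {
        'STILL BROKEN'
    }
    Write-Host "Secure channel to $Server $state on $env:COMPUTERNAME"
}
```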