Administering with Windows PowerShell and Active Directory Administrative Center (part 3)

6/17/2013 9:39:01 PM

Namespaces, Providers, and PSDrives

Cmdlets operate against objects in a namespace. A folder on a disk is an example of a namespace—a hierarchy that can be navigated. Namespaces are created by providers, which you can think of as drivers. For example, the file system has a Windows PowerShell provider, as does the registry, so Windows PowerShell can directly access and manipulate objects in the namespaces of those providers.

You are certainly familiar with the concept of representing the namespace of a disk volume with a letter or representing a shared network folder’s namespace as a mapped drive letter. In Windows PowerShell, namespaces from any provider can be represented as PSDrives. Windows PowerShell automatically creates a PSDrive for each drive letter already defined by Windows.

Windows PowerShell takes this concept to the next level by creating additional PSDrives for commonly required resources. For example, it creates two drives, HKCU and HKLM, for the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE registry hives. Now you can navigate and manipulate the registry as easily as you can a file system. Type the following in Windows PowerShell:

cd hklm:\software
dir

Drives are also created for aliases, the environment, certificates, functions, and variables. To list the PSDrives that have been created, type Get-PSDrive.

The Active Directory PowerShell Provider

Windows Server 2008 R2 adds a provider for Active Directory, so you can navigate Active Directory as easily as you navigate the folders on a disk volume. To use the Active Directory provider, type the following command:

cd AD:

The prompt changes to PS AD:\> to reflect the current directory, which is the top-level node in the Active Directory namespace, the root directory service entry or RootDSE. Type dir to list the partitions of Active Directory.

You can navigate to a partition by typing cd followed by the distinguished name of the partition. For example, to navigate to the domain partition for the contoso.com domain, type the following command:

cd "dc=contoso,dc=com"

To navigate to an OU, type cd followed by either the distinguished name or the relative distinguished name of the OU. For example, to navigate to the User Accounts OU, type the following command:

cd "ou=User Accounts"

Tip

TAB EXPANSION

Windows PowerShell supports tab expansion, also called tab completion, so that you can type a few letters and then press Tab to complete your typing. This applies not only to paths, such as “OU=User Accounts,” but also to cmdlets, parameter names, object attributes, and methods.

To create a new OU for Contractors in the User Accounts OU, type the following:

md "ou=Contractors"

Md is an alias for the mkdir function, which itself is a wrapper around the New-Item cmdlet. The syntax is familiar to anyone who has used Command Prompt. But the result is a new OU named Contractors in the User Accounts OU. The New-Item cmdlet has several forms. Here, the value of the -Name parameter is “ou=Contractors.” The parameter name itself is optional. The -ItemType parameter is not specified, so the default object class organizationalUnit is assumed.

Creating a User with Windows PowerShell

You are now ready to create a user in Active Directory by using the New-ADUser cmdlet. To create a user account for Mary North, type the following command:

New-ADUser -Name "Mary North"

When you create a new user account, you must specify the -Name parameter, which is the ldapDisplayName attribute and is also used for CN and several other object name attributes.

Note

BUG ALERT

The description of the New-ADUser cmdlet in the cmdlet’s Help documentation suggests that the -sAMAccountName parameter is required. In fact, it is the -Name parameter that is required. If you specify only the -Name parameter, the same value is used for the sAMAccountName attribute of the new account. This can be problematic because some characters used in a name, such as a space, should not be used in a pre–Windows 2000 logon name. In addition, the sAMAccountName attribute has a limited length. Therefore, although the -sAMAccountName parameter is not required by New-ADUser, it is recommended that you include a value for the parameter when you create a new user.

The user will be created in the default container for users in the domain—by default, the container named Users. You can create a user in a specific location by doing one of the following:

  • Using the -Path parameter to specify the distinguished name of the OU in which to create the user. For example, to create a user account for Mary North in the User Accounts OU, type the following command:

    New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North" -SAMAccountName "mary.north"
  • Setting the current directory to an OU by using the Active Directory provider as described earlier in this lesson.

Other attributes can be configured with the many parameters of the New-ADUser cmdlet. Type Get-Help New-ADUser -Detailed for detailed information about the cmdlet and its parameters. In the practice for this lesson, you create a user and populate attributes by using the New-ADUser cmdlet.

You can also create a new account based on a template with the New-ADUser cmdlet. First you must create an object reference to the template user account and to the specific properties you want to copy. You can do this by using the Get-ADUser cmdlet to load attributes from a template account in Active Directory or the New-ADUser cmdlet to create a template in memory only. For example, to create a reference to the _Sales Template account created in Lesson 1, type the following command on one line:

$user = Get-ADUser "CN=_Sales Template,OU=User Accounts,DC=contoso,DC=com" -Properties MemberOf,Title,Department,Company,PhysicalDeliveryOfficeName

Note that the -Properties parameter specifies a comma-delimited list of properties that you want to copy to the new account. Provide the reference as the value of the -Instance parameter of the New-ADUser cmdlet. To create a new user account for Mary North based on the template, type the following command:

New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Instance $user -Name "Mary North" -SAMAccountName "mary.north"

Note that you can override properties from the template by using parameters of the New-ADUser cmdlet.

Populating User Attributes

You’ve learned to configure attributes of a new account by using parameters of the New-ADUser cmdlet. You can also use the Set-ADUser cmdlet to configure user attributes. The Set-ADUser cmdlet provides parameters for the most commonly used attributes. For less commonly used attributes, the -Add, -Replace, -Clear, and -Remove parameters provide direct access to all attributes. There are three methods with which you can specify the user to be modified.

First, you can use the -Identity parameter of the cmdlet. For example, to change the email address of Mary North, type the following command:

Set-ADUser -Identity mary.north -EmailAddress "[email protected]"

The name of the parameter is optional.

Second, you can pipe a user object to Set-ADUser, as in the following example:

Get-ADUser -Identity mary.north | Set-ADUser -EmailAddress "[email protected]"

When you use either of these two methods, you are changing the properties of both the in-memory object reference and the object itself in the directory service. If you plan to change multiple properties, you can improve performance by making changes in memory, then committing the changes, all at once, to the directory. This third method requires that you create a variable representing the user, then make changes to the variable, and then use the -Instance parameter of the Set-ADUser cmdlet to commit the changes. For example, type the following commands:

$user = Get-ADUser -Identity mary.north
$user.mail = "[email protected]"
Set-ADUser -Instance $user

In the second command, the property is set by using a syntax called the dot notation. A dot (.) separates the object from the LDAP name of the property. Notice that the LDAP name, mail in this example, is sometimes different than the name of the attribute in the user interface or as referenced by a parameter name. If you’re not sure of the LDAP name for an attribute, click the Attribute Editor tab of a user account in the Active Directory Users And Computers snap-in. The tab is visible when you select Advanced Features from the View menu. The Attribute Editor shows all attributes of an object, including their LDAP names and values.

You do not use the same method to set a user’s password. Instead, you use the Set-ADAccountPassword cmdlet to change or reset a password. When you change a password, you provide values for both the old and new passwords. When you reset a password, you specify the -Reset parameter and provide the value of only the new password. For example, to reset the password for Mary North, type the following command:

Set-ADAccountPassword -Identity "mary.north" -Reset

You are prompted to enter the new password.

Windows PowerShell does not allow a cmdlet to receive a secret, such as a password, in a plain text parameter. It must be passed securely. Therefore, if you want to include the password in the command line, it must be converted to a secure string before it can be used as a password parameter. Enclose the password in single quotes so that Windows PowerShell does not expand $$ as a variable inside the string. For example, type the following command on one line:

Set-ADAccountPassword -Identity "mary.north" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)

You can also specify the password for a new account by using the -AccountPassword parameter of the New-ADUser cmdlet. You would use the same ConvertTo-SecureString cmdlet, in parentheses as shown in the example, as the value of the parameter. For example, the following command (typed on one line) will create an account for Mary North:

New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North" -SAMAccountName "mary.north" -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -ChangePasswordAtLogon $true -Enabled $true

The account can be enabled by using the -Enabled parameter because a password is specified, and the -ChangePasswordAtLogon parameter ensures that the user will be prompted to change her password the first time she logs on.

Importing Users from a Database with Windows PowerShell

Although you will not be expected to understand database imports with Windows PowerShell for the 70-640 examination, learning how to do so can be a tremendous benefit to your efforts to automate the creation of users. As you’ll see, it takes only a few lines of additional code with the powerful cmdlets of Windows PowerShell.

Assume that you receive an Excel worksheet from the human resources department with information about newly hired employees. Excel can save the file as a comma-delimited text file (.csv), which can be imported by Windows PowerShell. The first line of the .csv file must have field names that match parameter names of the New-ADUser cmdlet. Additional lines contain the values for each user. As a simple example, consider the following .csv file saved as Newusers.csv:

Newusers.csv

name,sAMAccountName,GivenName,Surname
John Woods,john.woods,Johnathan,Woods
Kim Akers,kim.akers,Kimberly,Akers

Windows PowerShell can import these users with one command:

import-csv "C:\Users\Administrator\Desktop\newusers.csv" | New-ADUser

You can even add parameters, as in the following example:

import-csv "C:\Users\Administrator\Desktop\newusers.csv" | New-ADUser -organization Contoso

Such parameters will override any values in the .csv file and will apply to all imported users.
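
The following is an added example, not part of the original lesson. It checks each row of Newusers.csv before any account is created, applying the sAMAccountName concerns from the BUG ALERT note, and prompts for the initial password instead of placing it on the command line. The variable names, the allow-list pattern, and the 20-character limit written into it are assumptions of this example.

```powershell
# Added example: pre-flight checks for Newusers.csv before New-ADUser runs.
Import-Module ActiveDirectory

$csvPath = 'C:\Users\Administrator\Desktop\newusers.csv'  # file from this page
$ouPath  = 'ou=User Accounts,dc=contoso,dc=com'           # OU from this page

# Assumption: a conservative allow-list for pre-Windows 2000 logon names
# (letters, digits, dot, hyphen, underscore; at most 20 characters).
$samPattern = '^[A-Za-z0-9._-]{1,20}$'

# Prompt once, so the initial password is never typed on a command line
# or stored in the .csv file.
$initialPassword = Read-Host -AsSecureString 'Initial password for the new accounts'

$seen  = @{}   # logon names already accepted from this file
$valid = @()   # rows that passed every check
foreach ($row in (Import-Csv $csvPath)) {
    $sam = $row.sAMAccountName
    $problems = @()
    if ([string]::IsNullOrEmpty($row.name)) { $problems += 'name is empty' }
    if ($sam -notmatch $samPattern) {
        $problems += 'sAMAccountName is empty, too long, or has a disallowed character'
    } elseif ($seen.ContainsKey($sam)) {
        $problems += 'sAMAccountName is repeated in the file'
    } elseif (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        # Safe to embed in the filter: $sam already matched the allow-list.
        $problems += 'sAMAccountName already exists in the domain'
    }
    if ($problems.Count -gt 0) {
        Write-Warning ("Skipping '{0}': {1}" -f $row.name, ($problems -join '; '))
    } else {
        $seen[$sam] = $true
        $valid += $row
    }
}

# -WhatIf reports what would be created; remove it after reviewing the output.
foreach ($row in $valid) {
    New-ADUser -Path $ouPath -Name $row.name -SamAccountName $row.sAMAccountName `
        -GivenName $row.GivenName -Surname $row.Surname `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true `
        -Enabled $true -WhatIf
}
```

Rows that fail a check are reported with Write-Warning and left out, so one malformed line in the HR export does not produce an account with an unusable or colliding logon name.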

If this doesn’t convince you that Windows PowerShell deserves its Power moniker, then … well, you’re a tough customer!

 