Namespaces, Providers, and PSDrives
Cmdlets operate against objects in a namespace. A folder on a disk is an example of a
namespace—a hierarchy that can be navigated. Namespaces are created by
providers, which you can think of as drivers. For example, the file
system has a Windows PowerShell provider, as does the registry, so
Windows PowerShell can directly access and manipulate objects in the
namespaces of those providers.
You are certainly familiar with the concept of representing the
namespace of a disk volume with a letter or representing a shared
network folder’s namespace as a mapped drive letter. In Windows
PowerShell, namespaces from any provider can be represented as
PSDrives. Windows PowerShell automatically
creates a PSDrive for each drive letter already defined by
Windows.
Windows PowerShell takes this concept to the next level by
creating additional PSDrives for commonly required resources. For
example, it creates two drives, HKCU and
HKLM, for the HKEY_CURRENT_USER and
HKEY_LOCAL_MACHINE registry hives. Now you can navigate and manipulate
the registry as easily as you can a file system. Type the following in
the Windows PowerShell:
cd hklm:\software
dir
Drives are also created for aliases, the environment,
certificates, functions, and variables. To list the PSDrives that have
been created, type Get-PSDrive.
The Active Directory PowerShell Provider
Windows Server 2008 R2 adds a provider for Active Directory, so
you can navigate Active Directory as easily as you navigate the
folders on a disk volume. To use the Active Directory provider, type
the following command:
cd AD:
The prompt changes to PS AD:\> to
reflect the current directory, which is the top-level node in the
Active Directory namespace, the root directory service entry or
RootDSE. Type dir
to list the partitions of Active Directory.
You can navigate to a partition by typing cd followed by the distinguished name of the
partition. For example, to navigate to the domain partition for the
contoso.com domain, type the following command:
cd "dc=contoso,dc=com"
To navigate to an OU, type cd
followed by either the distinguished name or the relative
distinguished name of the OU. For example, to navigate to the User
Accounts OU, type the following command:
cd "ou=User Accounts"
Tip
TAB EXPANSION
Windows PowerShell supports tab
expansion, also called tab
completion, so that you can type a few letters and then
press Tab to complete your typing. This applies not only to paths,
such as “OU=User Accounts,” but also to cmdlets, parameter names,
object attributes, and methods.
To create a new OU for Contractors in the User Accounts OU, type
the following:
md "ou=Contractors"
Md is an alias for the mkdir function,
which itself is a wrapper around the New-Item
cmdlet. The syntax is familiar to anyone who has used Command Prompt.
But the result is a new OU named Contractors in the User Accounts OU.
The New-Item cmdlet has several forms. Here, the
value of the -Name parameter is “ou=Contractors.”
The parameter name itself is optional. The
-ItemType parameter is not specified, so the
default object class organizationalUnit is
assumed.
Creating a User with Windows PowerShell
You are now ready to create a user in Active Directory by using
the New-ADUser cmdlet. To create a user account
for Mary North, type the following command:
New-ADUser -Name "Mary North"
When you create a new user account, you must specify the
-Name parameter, which is the
ldapDisplayName attribute and is also used for
CN and several other object name
attributes.
Note
BUG ALERT
The description of the New-ADUser cmdlet
in the cmdlet’s Help documentation suggests that the
-sAMAccountName parameter is required. In fact,
it is the -Name parameter that is required. If
you specify only the -Name parameter, the same
value is used for the sAMAccountName attribute
of the new account. This can be problematic because some characters
used in a name, such as a space, should not be used in a pre–Windows
2000 logon name. In addition, the
sAMAccountName attribute has a limited length.
Therefore, although the -sAMAccountName
parameter is not required by New-ADUser, it is
recommended that you include a value for the parameter when you
create a new user.
The user will be created in the default container for users in the domain—by default, the container named
Users. You can create a user in a specific
location by doing one of the following:
- Using the -Path parameter to specify the distinguished name of the OU
in which to create the user. For example, to create a user account for
Mary North in the User Accounts OU, type the following command:
New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North" -SAMAccountName "mary.north"
- Setting the current directory to an OU by using the Active Directory
provider as described earlier in this lesson.
Other attributes can be configured with the many parameters of
the New-ADUser cmdlet. Type Get-Help New-ADUser -Detailed
for detailed information about the cmdlet and its
parameters. In the practice for this lesson, you create a user and
populate attributes by using the New-ADUser
cmdlet.
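As an added example (not code from the lesson), the following function derives a valid pre-Windows 2000 logon name from the display name and checks that it is unused before calling New-ADUser, addressing the BUG ALERT note above; the User Accounts OU path and the contoso.com domain are assumed from this lesson's lab.

```powershell
# Added example, not part of the original lesson: create a user with an explicit
# sAMAccountName derived from the display name instead of letting New-ADUser
# copy the -Name value (which may contain spaces and exceed the 20-character
# pre-Windows 2000 logon-name limit). OU path and domain are assumptions taken
# from the contoso.com lab used in this lesson.
Import-Module ActiveDirectory

function ConvertTo-SamAccountName {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Lower-case, join words with a dot ("Mary North" -> "mary.north"), strip the
    # characters not allowed in a pre-Windows 2000 logon name, cut to 20 chars.
    $sam = $Name.Trim().ToLower() -replace '\s+', '.'
    $sam = $sam -replace '["/\\\[\]:;|=,+*?<>@]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    if ($sam.Length -eq 0) { throw "No usable characters in name '$Name'" }
    return $sam
}

function New-ContosoUser {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$Path = 'OU=User Accounts,DC=contoso,DC=com'   # assumed lab OU
    )
    $sam = ConvertTo-SamAccountName -Name $Name
    # sAMAccountName must be unique in the domain; refuse early with a clear
    # message instead of letting New-ADUser fail after the object name passed.
    # $sam cannot contain a double quote (stripped above), so the filter string
    # cannot be broken out of by the input.
    $filter = 'SamAccountName -eq "{0}"' -f $sam
    if (Get-ADUser -Filter $filter) {
        throw "sAMAccountName '$sam' is already in use"
    }
    # Created disabled (no password yet); enable after Set-ADAccountPassword -Reset.
    New-ADUser -Name $Name -SamAccountName $sam -Path $Path -PassThru
}

# Creates CN=Mary North in the User Accounts OU with sAMAccountName mary.north.
New-ContosoUser -Name 'Mary North'
```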
You can also create a new account based on a template with the
New-ADUser cmdlet. First you must create an
object reference to the template user account and to the specific
properties you want to copy. You can do this by using the
Get-ADUser cmdlet to load attributes from a
template account in Active Directory or the
New-ADUser cmdlet to create a template in memory
only. For example, to create a reference to the _Sales Template
account created in Lesson 1, type the following command on one
line:
$user = Get-ADUser "CN=_Sales Template,OU=User Accounts,DC=contoso,DC=com"
-Properties MemberOf,Title,Department,Company,PhysicalDeliveryOfficeName
Note that the -Properties parameter
specifies a comma-delimited list of properties that you want to copy
to the new account. Provide the reference as the value of the
-Instance parameter of the
New-ADUser cmdlet. To create a new user account
for Mary North based on the template, type the following
command:
New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Instance $user -Name "Mary North"
-SAMAccountName "mary.north"
Note that you can override properties from the template by using
parameters of the New-ADUser cmdlet.
Populating User Attributes
You’ve learned to configure attributes of a new account by using
parameters of the New-ADUser cmdlet. You can also
use the Set-ADUser cmdlet to configure user
attributes. The Set-ADUser cmdlet provides
parameters for the most commonly used attributes. For less commonly
used attributes, the -Add, -Replace, -Clear, and
-Remove parameters provide direct access to all
attributes. There are three methods with which you can specify the
user to be modified.
First, you can use the -Identity parameter
of the cmdlet. For example, to change the email address of Mary North,
type the following command:
Set-ADUser -Identity mary.north -EmailAddress "mary.north@contoso.com"
The name of the parameter is optional.
Second, you can pipe a user object to
Set-ADUser, as in the following example:
Get-ADUser -Identity mary.north | Set-ADUser -EmailAddress "mary.north@contoso.com"
When you use either of these two methods, you are changing the
properties of both the in-memory object reference and the object
itself in the directory service. If you plan to change multiple
properties, you can improve performance by making changes in memory,
then committing the changes, all at once, to the directory. This third
method requires that you create a variable representing the user, then
make changes to the variable, and then use the
-Instance parameter of the
Set-ADUser cmdlet to commit the changes. For
example, type the following commands:
$user = Get-ADUser -Identity mary.north
$user.mail = "mary.north@contoso.com"
Set-ADUser -Instance $user
In the second command, the property is set by using a syntax
called the dot notation. A dot (.) separates the
object from the LDAP name of the property. Notice that the LDAP name,
mail in this example, is sometimes different from
the name of the attribute in the user interface or as referenced by a
parameter name. If you’re not sure of the LDAP name for an attribute,
click the Attribute Editor tab of a user account in the Active
Directory Users And Computers snap-in. The tab is visible when you
select Advanced Features from the View menu. The Attribute Editor shows all attributes of an object,
including their LDAP names and values.
You do not use the same method to set a user’s password.
Instead, you use the Set-ADAccountPassword cmdlet
to change or reset a password. When you change a password, you provide
values for both the old and new passwords. When you reset a password,
you specify the -Reset parameter and provide the
value of only the new password. For example, to reset the password for
Mary North, type the following command:
Set-ADAccountPassword -Identity "mary.north" -Reset
You are prompted to enter the new password.
Windows PowerShell does not allow a cmdlet to receive a secret,
such as a password, in a plain text parameter. It must be passed
securely. Therefore, if you want to include the password in the
command line, it must be converted to a secure string before it can be
used as a password parameter. For example, type the following command
on one line (the sample password is in single quotes: inside double
quotes, PowerShell would expand $$ as an automatic variable and silently
change the value):
Set-ADAccountPassword -Identity "mary.north" -Reset
-NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
You can also specify the password for a new account by using the
-AccountPassword parameter of the
New-ADUser cmdlet. You would use the same
ConvertTo-SecureString cmdlet, in parentheses as
shown in the example, as the value of the parameter. For example, the
following command (typed on one line) will create an account for Mary
North:
New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North"
-SAMAccountName "mary.north"
-AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
-ChangePasswordAtLogon $true -Enabled $true
The account can be enabled by using the
-Enabled parameter because a password is
specified, and the -ChangePasswordAtLogon
parameter ensures that the user will be prompted to change her password the first
time she logs on.
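The following added example (not from the lesson) shows two ways to supply a password as a SecureString without it appearing in clear text on the command line, where it would be kept in the PowerShell history and in any transcript; the account mary.north is the lesson's, and the password length and alphabet are assumptions of mine.

```powershell
# Added example, not part of the original lesson: give Set-ADAccountPassword a
# password without writing it in clear text on the command line. Account name
# is the lesson's mary.north; alphabet and length are my own choices.
Import-Module ActiveDirectory

# Build a random initial password directly as a SecureString. Characters are
# appended one by one, so no plain-text [string] copy of the password exists.
function New-RandomSecurePassword {
    param([int]$Length = 16)
    # Exactly 64 symbols: 256 is a multiple of 64, so "byte % 64" is unbiased.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $secure = New-Object System.Security.SecureString
    foreach ($b in $bytes) { $secure.AppendChar($alphabet[$b % 64]) }
    $secure.MakeReadOnly()
    return $secure
}

# Reset the account to a fresh random password, require a change at next
# logon, then enable it. The SecureString is returned so the caller can hand
# the value to the user over a trusted channel; it is never echoed here.
function Reset-InitialPassword {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $password = New-RandomSecurePassword
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $password
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Enabled $true
    return $password
}

# Interactive alternative: Read-Host -AsSecureString masks the input and
# returns a SecureString, so the value is typed once and not recorded.
function Reset-PasswordInteractively {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $typed = Read-Host -AsSecureString -Prompt "New password for $SamAccountName"
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $typed
}

$initial = Reset-InitialPassword -SamAccountName 'mary.north'
```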
Importing Users from a Database with Windows PowerShell
Although you will not be expected to understand database imports
with Windows PowerShell for the 70-640 examination, learning how to do
so can be a tremendous benefit to your efforts to automate the
creation of users. As you’ll see, it takes only a few lines of
additional code with the powerful cmdlets of Windows
PowerShell.
Assume that you receive an Excel worksheet from the human
resources department with information about newly hired employees.
Excel can save the file as a comma-delimited text file (.csv), which
can be imported by Windows PowerShell. The first line of the .csv file
must have field names that match parameter names of the
New-ADUser cmdlet. Additional lines contain the
values for each user. As a simple example, consider the following .csv
file saved as Newusers.csv:
Newusers.csv
name,sAMAccountName,GivenName,Surname
John Woods,john.woods,Johnathan,Woods
Kim Akers,kim.akers,Kimberly,Akers
Windows PowerShell can import these users with one
command:
import-csv "C:\Users\Administrator\Desktop\newusers.csv" | New-ADUser
You can even add parameters, as in the following example:
import-csv "C:\Users\Administrator\Desktop\newusers.csv" | New-ADUser -organization Contoso
Such parameters will override any values in the .csv file and
will apply to all imported users.
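As an added example that is not part of the lesson, this function imports a .csv with the column layout shown above, checks each row before New-ADUser runs, and supports -WhatIf; the User Accounts OU path and the file location on the desktop are assumptions.

```powershell
# Added example, not part of the original lesson: import Newusers.csv with
# checks before anything is written to the directory. Assumes the column
# layout shown above (name,sAMAccountName,GivenName,Surname) and the lesson's
# contoso.com lab; the User Accounts OU path is an assumption.
Import-Module ActiveDirectory

function Import-NewUsers {
    [CmdletBinding(SupportsShouldProcess=$true)]   # gives the function -WhatIf
    param(
        [Parameter(Mandatory=$true)][string]$CsvPath,
        [string]$Path = 'OU=User Accounts,DC=contoso,DC=com'
    )
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows in $CsvPath" }

    # Every required column must exist; otherwise New-ADUser silently gets no
    # value for that parameter (and copies the name into sAMAccountName).
    $columns = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name })
    $required = 'name', 'sAMAccountName', 'GivenName', 'Surname'
    $missing = @($required | Where-Object { $columns -notcontains $_ })
    if ($missing.Count -gt 0) { throw "CSV lacks column(s): $($missing -join ', ')" }

    foreach ($row in $rows) {
        $sam = [string]$row.sAMAccountName
        $problem = $null
        if ([string]::IsNullOrEmpty($row.name)) { $problem = 'empty name' }
        elseif ($sam.Length -eq 0 -or $sam.Length -gt 20) { $problem = "bad length for '$sam'" }
        elseif ($sam -match '[\s"/\\\[\]:;|=,+*?<>@]') { $problem = "illegal character in '$sam'" }
        # The regex above rejects double quotes, so $sam cannot break out of the filter.
        elseif (Get-ADUser -Filter ('SamAccountName -eq "{0}"' -f $sam)) { $problem = "'$sam' already exists" }
        if ($problem) { Write-Warning "Skipping row '$($row.name)': $problem"; continue }

        # The row's columns bind to New-ADUser parameters by name; -Organization
        # applies to every user, as in the lesson. Accounts are created disabled
        # until a password is set with Set-ADAccountPassword -Reset.
        $row | New-ADUser -Path $Path -Organization 'Contoso'
    }
}

# Dry run first: -WhatIf is passed through to New-ADUser.
Import-NewUsers -CsvPath "$env:USERPROFILE\Desktop\newusers.csv" -WhatIf
```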
If this doesn’t convince you that Windows PowerShell deserves
its Power moniker, then … well, you’re a tough
customer!