
Active Directory 2008 : Automating the Creation and Management of Groups (part 2)

8/13/2013 9:47:06 AM

8. Deleting Groups with DSRm

DSRm can be used to delete a group or any other Active Directory object. The basic syntax of DSRm is:

dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]

The object is specified by its distinguished name in the ObjectDN parameter. You are prompted to confirm the deletion of each object unless you specify the -noprompt parameter. The -c parameter puts DSRm into continuous operation mode, in which errors are reported, but the command keeps processing additional objects. Without the -c switch, processing halts on the first error.

The -subtree parameter causes DSRm to delete the object and all child objects. The -subtree -exclude option deletes all child objects, but not the object itself.

To delete the Public Relations group, type:

dsrm "CN=Public Relations,OU=Marketing,DC=contoso,DC=com"

You can also delete a group in the Active Directory Users And Computers snap-in by right-clicking the group and choosing the Delete command.

Note

KNOW THE IMPACT BEFORE DELETING A GROUP

When you delete a group, you are removing a point of management in your organization. Be certain that you have evaluated the environment to verify that no permissions or other resources rely on the group. Deleting a group is a serious action with potentially significant consequences. When you delete a group, you remove its SID. Re-creating the group with the same name does not restore permissions, because the new group’s SID is different from that of the original group.

It is recommended that, before you delete a group, you record its membership and remove all members for a period of time to determine whether the members lose access to any resources. If anything goes wrong, simply re-add the members. If the test succeeds, delete the group.
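The record-then-empty test recommended in this note can be scripted with the Active Directory module cmdlets. The following is an added example, not part of the original text; the function names Save-AndEmptyGroup and Restore-GroupMembers and the C:\GroupBackup folder are assumptions, and the group DN is the one from the DSRm example above.

```powershell
Import-Module ActiveDirectory

function Save-AndEmptyGroup {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [Parameter(Mandatory=$true)][string]$BackupDir   # assumed folder, e.g. C:\GroupBackup
    )
    $group   = Get-ADGroup -Identity $GroupDN -Properties memberOf
    $members = @(Get-ADGroupMember -Identity $GroupDN)   # direct members only
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base    = Join-Path $BackupDir ('{0}-{1}' -f $group.SamAccountName, $stamp)

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # The SID is what permissions reference. It is recorded for the audit trail
    # only: a re-created group receives a new SID, so this value cannot be restored.
    # memberOf is recorded because deleting the group also removes it from these groups.
    $group | Select-Object Name, DistinguishedName, GroupScope, GroupCategory,
        @{Name='SID';      Expression={ $_.SID.Value }},
        @{Name='MemberOf'; Expression={ $_.memberOf -join ';' }} |
        Export-Csv -Path "$base-group.csv" -NoTypeInformation

    $members | Select-Object name, objectClass, distinguishedName |
        Export-Csv -Path "$base-members.csv" -NoTypeInformation

    # Empty the group instead of deleting it; the group object and its SID stay intact.
    if ($members.Count -gt 0) {
        Remove-ADGroupMember -Identity $GroupDN -Members $members -Confirm:$false
    }
    "$base-members.csv"   # path needed for a rollback
}

function Restore-GroupMembers {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [Parameter(Mandatory=$true)][string]$MemberCsv
    )
    $dns = @(Import-Csv -Path $MemberCsv | ForEach-Object { $_.distinguishedName })
    if ($dns.Count -gt 0) { Add-ADGroupMember -Identity $GroupDN -Members $dns }
}

$dn  = 'CN=Public Relations,OU=Marketing,DC=contoso,DC=com'
$csv = Save-AndEmptyGroup -GroupDN $dn -BackupDir 'C:\GroupBackup'
# If members lose access during the test period, re-add them:
# Restore-GroupMembers -GroupDN $dn -MemberCsv $csv
```

Because the group itself is never deleted during the test, a rollback restores access with the original SID; only after the test period passes cleanly is Remove-ADGroup or DSRm run.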

9. Managing Groups with Windows PowerShell

Windows PowerShell makes it easy to manage groups. The following cmdlets work with Active Directory group objects:

  • New-ADGroup Creates a group.

  • Remove-ADGroup Deletes a group.

  • Get-ADGroup Retrieves an object reference to a group.

  • Set-ADGroup Configures properties of a group.

  • Add-ADGroupMember Adds a member to a group.

  • Remove-ADGroupMember Removes a member from a group.

  • Get-ADGroupMember Enumerates the members of a group. The -recursive parameter enumerates members of nested groups.

Practice Automating the Creation and Management of Groups

In this practice, you use DS commands, CSVDE, LDIFDE, and Windows PowerShell to perform group management tasks. Before performing the exercises in this practice, you need to create the following objects in the contoso.com domain:

  • A first-level OU named Groups

  • A first-level OU named User Accounts

  • User objects in the User Accounts OU for Linda Mitchell, Scott Mitchell, Jeff Ford, Mike Fitzmaurice, Mike Danseglio, April Stewart, and Tony Krijnen

In addition, delete any groups with the following names: Finance, Accounting.

EXERCISE 1 Manage Groups with Windows PowerShell

In this exercise, you use Windows PowerShell to create a group.

  1. Log on to SERVER01 as Administrator.

  2. Open Active Directory Module For Windows PowerShell. Type the following command on one line:

    New-ADGroup -Path "OU=Groups,DC=contoso,DC=com" -Name "PowerShell Experts"
       -sAMAccountName "PowerShell Experts" -GroupCategory Security -GroupScope Global
  3. Open the Active Directory Users And Computers snap-in. Select the Groups OU and confirm that the PowerShell Experts group was created.

  4. Switch to Windows PowerShell. Type the following command on one line:

    Add-ADGroupMember -Identity "PowerShell Experts"
       -Members "CN=Mike Danseglio,OU=User Accounts,DC=contoso,DC=com"
  5. Type the following command:

    Get-ADGroupMember -Identity "PowerShell Experts"
  6. Type the following command:

    Get-Command *ADGroup*

EXERCISE 2 Create a Group with DSAdd

In this exercise, you use DSAdd to create a group. DSAdd can create a group, and even populate its membership, with a single command.

  1. Type the following command on one line. Then press Enter.

    dsadd group "CN=Finance,OU=Groups,DC=contoso,DC=com" -samid Finance -secgrp
    yes -scope g
  2. Open the Active Directory Users And Computers snap-in and confirm that the group was created successfully. If the Active Directory Users And Computers snap-in was open prior to performing step 2, refresh the view.

EXERCISE 3 Import Groups with CSVDE

  1. Open Notepad and type the following two lines. Note that the second line is wrapped for readability in this text.

    objectClass,sAMAccountName,DN,member
    
    group,Accounting,"CN=Accounting,OU=Groups,DC=contoso,DC=com",
        "CN=Linda Mitchell,OU=User Accounts,DC=contoso,DC=com;
        CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com"
  2. Save the file to your Documents folder with the name “Importgroups.csv” (including the quotes so that Notepad doesn’t add a .txt extension).

  3. Open Command Prompt, and type the following command:

    csvde -i -f "%userprofile%\documents\importgroups.csv"
  4. Switch to the Active Directory Users And Computers snap-in, refresh the view of the Groups OU, and check to confirm that the group was created successfully.

EXERCISE 4 Modify Group Membership with LDIFDE

CSVDE cannot modify the membership of existing groups, but LDIFDE can. In this exercise, you use LDIFDE to modify the group membership of the Accounting group you imported in Exercise 3, “Import Groups with CSVDE.”

  1. Open Notepad and type the following lines:

    dn: CN=Accounting,OU=Groups,DC=contoso,DC=com
    changetype: modify
    add: member
    member: CN=April Stewart,OU=User Accounts,dc=contoso,dc=com
    member: CN=Mike Fitzmaurice,OU=User Accounts,dc=contoso,dc=com
    -
    
    dn: CN=Accounting,OU=Groups,DC=contoso,DC=com
    changetype: modify
    delete: member
    member: CN=Linda Mitchell,OU=User Accounts,dc=contoso,dc=com
    -

    Be sure to include the dashes after each block and the blank line between the two blocks.

  2. Save the file to your Documents folder as “MembershipChange.ldf” (including the quotes so that Notepad doesn’t add a .txt extension).

  3. Switch to Command Prompt.

  4. Type the following command and press Enter:

    ldifde -i -f "%userprofile%\documents\membershipchange.ldf"
  5. Using the Active Directory Users And Computers snap-in, confirm that the membership of the Accounting group changed according to the instructions of the LDIF file. It should now include April Stewart, Mike Fitzmaurice, and Scott Mitchell.

EXERCISE 5 Modify Group Membership with DSMod

In this exercise, you add a user and a group to the Finance group, using the DSMod command.

  1. Switch to Command Prompt.

  2. Type the following command on one line to change the membership of the Finance group:

    dsmod group "CN=Finance,OU=Groups,DC=contoso,DC=com"
       -addmbr "CN=Tony Krijnen,OU=User Accounts,DC=contoso,DC=com"
       "CN=Accounting,OU=Groups,DC=contoso,DC=com"
  3. In the Active Directory Users And Computers snap-in, confirm that the membership of the Finance group consists of Tony Krijnen and the Accounting group.

EXERCISE 6 Confirm Group Membership with DSGet and Windows PowerShell

Evaluating effective group membership is difficult with the Active Directory Users And Computers snap-in but easy with the DSGet command and Windows PowerShell. In this exercise, you look at both the full membership of a group and the group memberships of a user.

  1. Switch to Command Prompt.

  2. List the direct members of the Accounting group by typing the following command and then pressing Enter:

    dsget group "CN=Accounting,OU=Groups,DC=contoso,DC=com" -members
  3. List the direct members of the Finance group by typing the following command and then pressing Enter:

    dsget group "CN=Finance,OU=Groups,DC=contoso,DC=com" -members
  4. List the full list of members of the Finance group by typing the following command and then pressing Enter:

    dsget group "CN=Finance,OU=Groups,DC=contoso,DC=com" -members -expand
  5. List the direct group membership of Scott Mitchell by typing the following command and then pressing Enter:

    dsget user "CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com" -memberof
  6. List the full group membership of Scott Mitchell by typing the following command and then pressing Enter:

    dsget user "CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com" -memberof
    -expand
  7. Switch to Active Directory Module For Windows PowerShell, type the following command, and then press Enter:

    Get-ADGroupMember "Finance" -recursive | Select sAMAccountName

    Select is an alias for the Select-Object cmdlet, which takes the objects in the pipeline and selects one or more properties of the objects. Used here, it makes the output of the Get-ADGroupMember cmdlet more readable. Try it without the pipe and the Select cmdlet to see the difference.
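    The difference between the direct and expanded listings in this exercise is the set of accounts that hold a group's access only through nesting, which is the part that is easy to overlook when reviewing permissions. The following added example (not part of the original text; the function name Get-NestedOnlyMember is an assumption) reports those accounts and the directly nested group that brings each one in.

```powershell
Import-Module ActiveDirectory

function Get-NestedOnlyMember {
    param([Parameter(Mandatory=$true)][string]$Identity)

    # Direct members: what the group's Members tab shows.
    $direct    = @(Get-ADGroupMember -Identity $Identity)
    $directDNs = @($direct | ForEach-Object { $_.distinguishedName })

    # Map each indirect member's DN to the directly nested group(s) that grant it membership.
    $via = @{}
    foreach ($g in @($direct | Where-Object { $_.objectClass -eq 'group' })) {
        foreach ($m in @(Get-ADGroupMember -Identity $g.distinguishedName -Recursive)) {
            # Skip accounts that are also direct members; they are already visible.
            if ($directDNs -contains $m.distinguishedName) { continue }
            if (-not $via.ContainsKey($m.distinguishedName)) {
                $via[$m.distinguishedName] = @()
            }
            $via[$m.distinguishedName] += $g.name
        }
    }

    # One output object per account that is a member only through nesting.
    foreach ($dn in $via.Keys) {
        New-Object PSObject -Property @{
            Member = $dn
            Via    = ($via[$dn] -join '; ')
        }
    }
}

Get-NestedOnlyMember -Identity 'Finance' |
    Sort-Object Member |
    Format-Table Member, Via -AutoSize
```

    With the groups built in Exercises 3 through 5, the report lists April Stewart, Mike Fitzmaurice, and Scott Mitchell, each via Accounting; Tony Krijnen is a direct member of Finance and is not listed.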

 