PowerShell cmdlets for AD

I got a hold of the PowerShell cmdlets for AD which Quest started releasing: PowerGUI Community: AD PowerShell CMDLETS

I think that the project is a great idea! It allows scripting against AD without learning the schema and ADSI, and gives a much nicer command-line environment. I found that although the current set of cmdlets was still somewhat limited, I could still use them to work with users and groups, change properties, change group membership, provision new user accounts, etc. – so they already provide some value in doing day-to-day AD management tasks.

Just FYI here are a few blog posts that provide an overview of using the native ADSI capabilities of PowerShell to manage AD:

To me something like this (taken from Ben’s post) looks more like application code than like a command line (this code creates a user account):

$username = 'benp'
#Bind to OU
$adminsOU = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=admins,DC=umpadom,DC=com")
#Create the user
$user = $adminsOU.psbase.get_children().add('CN=' + $username,'User')
#Commit Changes
$user.psbase.CommitChanges()
#Set the SAMAccountName
$user.psbase.Properties['sAMAccountName'].Value = $username
#Commit Changes
$user.psbase.CommitChanges()

So I was eager to give what Quest produced in their beta 1 a try:

I installed the setup and got an “ActiveRoles Management Shell for Active Directory (beta)” shortcut added to my Start menu. This turned out to be a normal PowerShell console with the Quest.ActiveRoles.ADManagement PowerShell snapin already added.

Running “get-command *QAD*” gave me the list of commands available (QAD is the prefix which all the commands are using) so I tried a few of these.

I started with just getting a list of users in my lab:

PS C:\> Get-QADUser

Type         LogonName        DN
----         ---------        --
user         Administrator    CN=Administrator,CN=Users,DC=e2007,DC=local
user         Guest            CN=Guest,CN=Users,DC=e2007,DC=local
user         SUPPORT_388945a0 CN=SUPPORT_388945a0,CN=Users,DC=e2007,DC=local
user         IUSR_E2K7        CN=IUSR_E2K7,CN=Users,DC=e2007,DC=local
user         IWAM_E2K7        CN=IWAM_E2K7,CN=Users,DC=e2007,DC=local
user         ASPNET           CN=ASPNET,CN=Users,DC=e2007,DC=local
user         krbtgt           CN=krbtgt,CN=Users,DC=e2007,DC=local
user         jlennon          CN=John Lennon,CN=Users,DC=e2007,DC=local
user         pmccartney       CN=Paul McCartney,CN=Users,DC=e2007,DC=local
user         rstarr           CN=Ringo Starr,CN=Users,DC=e2007,DC=local
user         gharrison        CN=George Harrison,CN=Users,DC=e2007,DC=local
user         Mbx1             CN=Mbx1,CN=Users,DC=e2007,DC=local
user         Mbx2             CN=Mbx2,CN=Users,DC=e2007,DC=local
user         Mbx3             CN=Mbx3,CN=Users,DC=e2007,DC=local
user         Mbx4             CN=Mbx4,CN=Users,DC=e2007,DC=local
user         helpdesk         CN=helpdesk,CN=Users,DC=e2007,DC=local

Getting the list of computers (I only have one in the lab ;)):

PS C:\> Get-QADComputer

Type         LogonName        DN
----         ---------        --
computer     E2K7$            CN=E2K7,OU=Domain Controllers,DC=e2007,DC=local

Getting only the guys with a certain property set:

PS C:\> Get-QADUser -Company Beatles

Type         LogonName              DN
----         ---------              --
user         jlennon                CN=John Lennon,CN=Users,DC=e2007,DC=local
user         pmccartney             CN=Paul McCartney,CN=Users,DC=e2007,DC=local
user         rstarr                 CN=Ringo Starr,CN=Users,DC=e2007,DC=local
user         gharrison              CN=George Harrison,CN=Users,DC=e2007,DC=local

Piping them into “Set” to change a property:

PS C:\> Get-QADUser -Company Beatles | Set-QADUser -City Liverpool
PS C:\> Get-QADUser -Company Beatles | ft Name, City

Name            City
----            ----
John Lennon     Liverpool
Paul McCartney  Liverpool
Ringo Starr     Liverpool
George Harrison Liverpool

Bulk-provisioning with a one-liner using a csv file:

PS C:\> import-csv 'C:\ARPS4AD.csv' | %{new-qadUser -organizationalUnit 'e2007.local/Demo' -name ($_.'First Name' + ' ' + $_.'Last Name') -samAccountName $_.'Logon name' -city $_.city -title $_.'Job title' -department $_.department}

PS C:\> Get-QADUser -OrganizationalUnit e2007.local/demo | ft Name, City, Department, Title

Name              City      Department Title
----              ----      ---------- -----
Ryuichi Sakamoto  Tokyo     Marketing  Manager
Adrie Fortuyn     Amsterdam Sales      Senior Executive
Lelani Asad       New York  Marketing  Manager
Shunji Iwai       Tokyo     Sales      Senior Executive
Haruki Murakami   Tokyo     Accounting Manager
Olivia Barcelonas Nw York   Accounting Manager
Alva Sheldon      Amsterdam Accounting Manager
Nyoko Takuya      Tokyo     Sales      Deputy Head
Jannetje Dirksdr  Amsterdam Sales      Senior Executive
Anke Brittany     Amsterdam Marketing  Manager
Jeroen Herijgers  Amsterdam Marketing  Senior Executive
Dai San           Tokyo     Sales      Senior Executive
Ronald Boyraz     Amsterdam Marketing  Manager
Hisa Hiko         Tokyo     Sales      Manager
Belinda Brestner  New York  Sales      Senior Executive
Haruko Chan       Tokyo     Sales      Manager
Hoshi Kimura      Tokyo     Marketing  Senior Executive
Lotta Buhler      New York  Marketing  Senior Executive
Oktay Haasjes     Amsterdam Sales      Senior Executive
Hoshiko Kanji     Tokyo     Sales      Manager
Jun'ko Katakana   Tokyo     Accounting Manager
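
A pre-flight check for the CSV one-liner above, as an added example (not code from the original post or from Quest): it flags rows whose logon name is empty, longer than 20 characters, contains a character AD does not accept in sAMAccountName, or is repeated in the file, so that only clean rows reach account creation. The helper name Test-ProvisioningRow, the sample rows and the 'city' column name are assumptions made for illustration.

```powershell
# Added example: pre-flight validation for bulk provisioning from CSV.
# Sample rows are constructed; the 'city' column name is an assumption.
$sampleCsv = @'
First Name,Last Name,Logon name,city,Job title,department
Shunji,Iwai,siwai,Tokyo,Senior Executive,Sales
Haruki,Murakami,hmurakami,Tokyo,Manager,Accounting
Dai,San,SIWAI,Tokyo,Senior Executive,Sales
Lotta,Buhler,lotta/buhler,New York,Senior Executive,Marketing
Hoshi,Kimura,,Tokyo,Senior Executive,Marketing
Jannetje,Dirksdr,jannetje.dirksdr.sales,Amsterdam,Senior Executive,Sales
'@

function Test-ProvisioningRow {   # hypothetical helper, not a Quest cmdlet
    param([Parameter(ValueFromPipeline = $true)] $Row)
    begin {
        $seen = @{}   # logon names already encountered in this file
        # Characters Active Directory does not accept in sAMAccountName
        $badChars = '["/\\\[\]:;|=,+*?<>]'
    }
    process {
        $logon = "$($Row.'Logon name')".Trim()
        $problems = @()
        if (-not $logon)                 { $problems += 'empty logon name' }
        if ($logon.Length -gt 20)        { $problems += 'longer than 20 characters' }
        if ($logon -match $badChars)     { $problems += 'illegal character' }
        if ($logon) {
            $key = $logon.ToLower()      # logon names are compared case-insensitively
            if ($seen.ContainsKey($key)) { $problems += 'duplicate in file' }
            $seen[$key] = $true
        }
        [pscustomobject]@{
            LogonName = $logon
            Valid     = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
            Row       = $Row
        }
    }
}

$results = $sampleCsv | ConvertFrom-Csv | Test-ProvisioningRow
$results | Format-Table LogonName, Valid, Problems -AutoSize

# Rows to hand to the New-QADUser one-liner in place of the raw import-csv output
$approved = $results | Where-Object { $_.Valid } | ForEach-Object { $_.Row }
```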

Creating a new group:

PS C:\> New-QADGroup -Name Tokyo -SamAccountName Tokyo -OrganizationalUnit e2007.local/demo -Type Security -Scope Global

Type  LogonName DN
----  --------- --
group Tokyo     CN=Tokyo,OU=Demo,DC=e2007,DC=local

Adding users based on their location:

PS C:\> Add-QADGroupMember e2007.local/Demo/Tokyo -Member (Get-QADUser -City Tokyo)

I liked the progress the team is making. I was involved in some of the discussions around the project and it’s nice to start seeing the outcome!

Now I need to try to get them to show up in PowerGUI… I’ll let you know how it goes…

