Archive for the 'ARS' Category

Interview with AD cmdlets product manager

Guys from PowerScripting Podcast have just published the episode they did with Bob Bobel – Quest’s Product Manager for AD cmdlets, ActiveRoles Server and a few other products.

Bob managed to see the potential behind the idea of PowerShell-enabling his commercial products and releasing free AD cmdlets to the community back in 2006 (which seems a loooong time ago!) – so in a sense myself and others were having a lot of fun at his expense. πŸ˜‰

  • Does PowerShell make any money for Quest?
  • Will AD cmdlets go on once Microsoft ships their cmdlets in Windows Server 2008 R2?
  • How many developers are working on AD cmdlets?

Learn that and much more from this podcast.

Tags: , , , , , , , ,


New AD cmdlets demo

Robert Bobel who is Quest’s Product Manager for ActiveRoles Server (AD management, rules, roles, provisioning, approval workflow tool) and AD cmdlets has just posted his new demo of both of his products working separately and together.

He gives a quick introduction to ActiveRoles, then switches to the PowerShell command-line, explores the AD (gets users, groups, etc.), performs bulk operations like provisioning users from csv file, etc.

Then he demonstrates the integration of the free PowerShell command-line with the commercial application and shows how his PowerShell scripts can go through automated policy enforcement and approval workflows.

To see the demo just go to the Quest’s PowerShell page and click the Product in Action picture in the AD cmdlets section.

Also, if you have not seen a more detailed webcast of AD management with PowerShell which Bob and I gave a few months ago – the recording is still available for you to grab.

Tags: , , , , , , , , ,

AD PowerShell Webcast in 3 hours

Just a reminder that Quest is giving Webcast: Active Directory Management Made Easy with PowerShell in about 3 hours from now.

Tags: , , , , , , , , , ,

Webcast: Active Directory Management Made Easy with PowerShell

On July 12 I will be co-presenting (with Bob Bobel – Quest’s Senior Product Manager for Active Directory products) at a webcast:

Webcast: Active Directory Management Made Easy with PowerShell

When: Thursday, July 12, 2007 – 10 a.m. PDT/1 p.m. EDT

In this session, we will talk about using Windows PowerShell to manage Active Directory. We’ll cover different approaches ranging from ADSI to AD cmdlets, and demo the features that are backwards-compatible with Windows 2000/2003 and the ones unique to Windows Server 2008 (e.g. Server Core and Read Only Domain Controller).

In the first half of the session, we will also highlight how you can customize and extend provisioning with Quest ActiveRoles Server through PowerShell. In the second half of the session, we’ll demo how you can use PowerGUI to build custom administrative consoles for PowerShell enabled systems, such as Active Directory, IIS, Exchange and Operations Manager.

Register at the webcast page

As you can see from the description besides the general introduction to PowerShell and AD cmdlets you will get exposed to Quest commercial products as well – which can still be pretty handy if you are planning using PowerShell to manage AD in enterprise infrastructure.

You can register here (you might want to pre-register and login in advance because I think those webcasts have limited number of connections).

Tags: , , , , , , , , , ,

Why is Quest doing free PowerShell stuff?

I love conspiracy theories and here’s the one from me. In his Registration-Free AD Cmdlets post Jeffrey raises questions on why Quest is providing AD cmdlets for free, and what is the commercial thinking behind this. He makes a great point that a commercial vendor like Quest needs to make money and whatever is not making money for a vendor might not be viewed as a long-term investment on which you can rely. So here’s the truth: Quest is making money on the free PowerShell cmdlets. And here’s how:

  1. Indirectly as a marketing tool: Quest gets a lot of money selling Active Directory migration and management tools and AD cmdlets are getting us even better brand-recognition in this target market. I think Tyler got it.
  2. Directly to upsell: Letting us sell our flagship AD management product – Quest ActiveRoles Server.

I think everything is more or less clear with the former, so let me explain more about the latter.

<commercial product pitch section>

We’ve been very successful selling ActiveRoles Server for normal UI-based operations. Basically, it substitutes Active Directory Users and Computers and makes all AD management go through its proxy. The proxy brings a lot of additional value:

  • Role-based delegation: you don’t have to give your helpdesk staff – you don’t have to give them native AD permissions, instead you can do that through proxy and in a very efficient fashion (e.g. “allow to reset passwords for locked-out accounts if the user office is ‘New York'”).
  • Full auditing: any changes made to AD are audited providing full change history for any object.
  • Automated policy enforcement: specify policies on what your AD objects need to be and have them applied to any change (e.g. when a user gets deprovisioned the account is actually not deleted but disabled, moved to a special OU, membership gets cleared, email forwarding gets set to the manager, etc.)
  • (My favorite feature) Approval workflows: if certain changes need to be approved (e.g. group membership in some privileged groups) the change won’t get into effect until the person in charge reviews and approves.

Now here comes the conspiracy part: if you have the (free) AD cmdlets and the (commercial) ActiveRoles Server – you can make the cmdlets use all these benefits for your cmdline and PowerShell scripts. All you need to do is initialize your session with Connect-QADService -proxy and all your PowerShell code will go through this policy/approval/etc. engine.

  AD cmdlets AD cmdlets with Quest ActiveRoles Server
PowerShell command-line for Active Directory
+ +
Auditing for all changes +
Role-based delegation (e.g. for helpdesk scenarios) +
Automated policy enforcement +
Approval workflows +

Here’s a slide that illustrates the architecture:

AD cmdlets and Quest ActiveRoles Server

We believe that this commercial functionality brings tremendous value. I know that PowerShell is magnitudes more readable than VBScript with ADSI. However, wouldn’t you want to have a safety net around your AD automatically applied to all your scripts? Wouldn’t you want to get “flight recorder” automatically working for all your scripts so you know what they are actually doing? Wouldn’t you want to have all your corporate policies, standards, and approvals applied to scripts and command-line? We are seeing that enterprises answer yes to all of the above and here’s why for them we find our product a great fit.

This has been that way for UI administration and VBScripts for quite some time. Now it’s time to move to PowerShell!

</commercial product pitch section>


Longhorn RDP Airlift Slides

Here are the slides I was showing on the Longhorn Airlift AD PowerShell session:


Overall the session went well. I was surprised that a big part of the audience was not that familiar with PowerShell as such but everyone seemed pretty interested and I saw people taking notes during the session.

We used Longhorn Beta 3 for the demos and everything went surprisingly well. I even demoed experimental cmdlets for granular password policies.

P.S. In case you get the DVD and listen to the session or just were there. During the demo I completely forgot to mention that the new-account.ps1 script I was showing while demonstrating the ADSI approach is from Adam Bell. Thanks to Adam for providing that on his blog!

Tags: , , , , , , , , , , , , , ,

AD cmdlets and domain statistics

So for all those who still does not believe PowerShell is taking manageability to a new level πŸ˜‰ here’s a quick test: can you get basic statistics from your environment using “legacy” technologies such as VBScrip, WMI, ADSI, etc.? Here’s the list of “stuff” you might want to get: number of users, number of locations your company has (and their list), number of departments (and the list), titles, groups, etc. – the list can go on and on – I think you get the idea. Anyone?

With PowerShell you can do that with literally one line commands! And I’ve got an email from one of AD cmdlets team members – Andrei Polevoi – today with some cool examples of how he was using PowerShell to get the info.

Number of users:
PS C:\> (get-QADUser).count

List all departments:
PS C:\> get-qaduser -department * -sl 50000 | select Department | sort -property Department | Get-Unique -asstring

Get number of departments:
PS C:\> $dpts = get-qaduser -department * -sl 50000 | select Department | sort -property Department | Get-Unique -asstring
PS C:\> $dpts.count

PS C:\> $all_cities = get-qaduser -city * -sl 50000 | select City | sort -property City | Get-Unique -asstring
PS C:\> $all_cities.count

PS C:\> $all_titles = get-qaduser -Title * -sl 5000 | select Title | sort -property Title | Get-Unique -asstring
PS C:\> $all_titles.count

PS C:\> (get-qadgroup).count

I bet your VBScripts were slightly more complex? πŸ˜‰

PowerShell just brings AD manageability to the whole new level!


The posts on this blog are provided β€œas is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

Β© 2007-2014 Dmitry Sotnikov

May 2023

%d bloggers like this: