8/10/2019 10325A_05
Module 5
Automating Active Directory Administration
Module Overview
Use the AD: drive in Windows PowerShell
Identify Active Directory cmdlets in Windows PowerShell
Perform key Active Directory management tasks related to users, groups, computers, and organizational units, by means of Windows PowerShell cmdlets
Lesson 1: Active Directory Automation Overview
Identify prerequisites for using the Microsoft Active Directory cmdlets in a domain
Explain the purpose and use of the AD: drive
List the cmdlets included in the ActiveDirectory module
Active Directory Administration
Nearly all Active Directory administration in PowerShell is accomplished using the ActiveDirectory module.
This module is installed on all Domain Controllers. It is also included as part of the Remote Server Administration Tools (RSAT) for Windows 7.
The ActiveDirectory module includes cmdlets that facilitate virtually every activity in Active Directory administration.
Its cmdlets provide the functionality that powers the graphical Active Directory Administrative Center console.
Its cmdlets communicate with a web service that is a part of Active Directory in Windows Server 2008 R2.
This same web service can be added to Windows Server 2003 and Windows Server 2008 by downloading and installing the Active Directory Management Gateway Service.
The web service needs to be installed to only a single Domain Controller in your local site.
Adding a Module
The Import-Module cmdlet
Can be used to load any external module into PowerShell.
Uses the following syntax to add the ActiveDirectory module:
    Import-Module ActiveDirectory
Using this cmdlet imports the module into only the currently running session. You will need to import it in each session.
After it is loaded, the module adds a set of commands for administering Active Directory. You can retrieve the list of commands using:
    Get-Command -Module ActiveDirectory
The Remove-Module cmdlet will unload the module from the current session.
The AD: Drive
Adding the ActiveDirectory module also adds a PSDrive provider.
This provider maps the AD: drive to your logon domain.
The main purpose of this drive is to provide a security context for executing cmdlets.
When you run an Active Directory cmdlet, it will automatically use the credentials and domain of the current AD: drive.
This eliminates the need to supply credentials for each command.
You can map other drives to other domains and credentials. Cmdlets will run using the credentials associated with the current drive.
To use a different domain or set of credentials, change to the correct mapped drive, and then begin running cmdlets.
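The drive-as-security-context behavior described above, as an added example that is not part of the original course material. The drive name Partner and the server dc1.partner.example are constructed placeholders.

```powershell
Import-Module ActiveDirectory

# The module import creates the AD: drive for the logon domain.
Get-PSDrive -PSProvider ActiveDirectory

# Work from the AD: drive created by the import.
Set-Location AD:

# Prompt for the second domain's credentials; never hard-code a password in a script.
$cred = Get-Credential

# Map a drive named Partner: to the other domain (server name is a constructed placeholder).
New-PSDrive -Name Partner -PSProvider ActiveDirectory -Root '' `
    -Server 'dc1.partner.example' -Credential $cred | Out-Null

# Cmdlets run from Partner: use that drive's domain and credentials.
Set-Location Partner:
Get-ADUser -Filter 'Name -like "*SvcAccount"' | Select-Object Name, DistinguishedName

# Switch back to the logon domain and remove the mapping so the alternate
# credentials do not stay attached to the session.
Set-Location AD:
Remove-PSDrive -Name Partner
```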
Demonstration: The AD: Drive
Learn how to import the ActiveDirectory module and use the AD: drive
Tip for Earlier Versions of Windows
Be Aware: The Active Directory cmdlets are designed to be used on Windows Server 2008 R2 and Windows 7 only
This means that other operating systems cannot directly install and use the cmdlets
However, these older operating systems can indirectly use the cmdlets of another host
The process to use another host's cmdlets is called implicit remoting, and will be covered later in this course
Lesson 2: Managing Users and Groups
Use Windows PowerShell cmdlets to retrieve, create, enable, disable, modify, move, and remove Active Directory users and groups
Use Windows PowerShell cmdlets to reset Active Directory user account passwords
Discussion: User and Group Cmdlets
Which cmdlets are available to manage users and groups?
Which parameters accept pipeline input when you are creating a new user? Adding a member to a group?
Filtering
It is generally a bad idea to query every object in Active Directory at once
Doing so is computationally expensive
Doing so can impact your Domain Controller's performance
Most Active Directory cmdlets have defined a mandatory parameter called -Filter
This filter parameter limits the number of records that the cmdlet will work with
It can accept wildcards and PowerShell-style criteria:
    Get-ADUser -Filter 'Name -like "*SvcAccount"'
    Get-ADUser -Filter {Name -eq "GlenJohn"}
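A filtered query contrasted with the unfiltered pattern the slide warns against, as an added example that is not part of the original course material. The OU path is a constructed placeholder, and the report on non-expiring passwords is an illustrative use chosen here.

```powershell
Import-Module ActiveDirectory

# Constructed placeholder: the OU to search.
$searchBase = 'OU=Service Accounts,DC=contoso,DC=com'

# Avoid: pulls every user from the Domain Controller, then filters on the client.
# Get-ADUser -Filter * -Properties * | Where-Object { $_.Name -like '*SvcAccount' }

# Prefer: the Domain Controller evaluates the filter and returns only matches,
# scoped to one OU, with only the extra attributes the report needs.
$accounts = Get-ADUser -Filter 'Name -like "*SvcAccount" -and Enabled -eq $true' `
    -SearchBase $searchBase -SearchScope Subtree `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate `
    -ResultSetSize 200

# Report accounts whose password never expires, oldest password first.
$accounts |
    Where-Object { $_.PasswordNeverExpires } |
    Sort-Object PasswordLastSet |
    Select-Object Name, PasswordLastSet, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize
```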
Demonstration: Managing Users and Groups
Review how to manage users and groups from within the shell
Lab A: Managing Users and Groups
Exercise 1: Retrieving a Filtered List of Users from Active Directory
Exercise 2: Resetting User Passwords and Address Information
Exercise 3: Disabling Users That Belong to a Specific Group
Estimated time: 30 minutes
Logon information
Virtual machine LON-DC1
Logon user name Contoso\Administrator
Password Pa$$w0rd
Lab Scenario
You are an Active Directory administrator and want to manage your users and groups via PowerShell.
You recently upgraded your domain controller to Windows Server 2008 R2 and want to try the new PowerShell Active Directory cmdlets that came with it.
In order to handle internal tasks more quickly and be prepared to automate them, you want to learn how to find information in Active Directory. You also want to accomplish basic tasks such as resetting users' passwords, disabling users, and moving objects in Active Directory.
Lab Review
Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?
Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?
How do you add the Active Directory functionality to your PowerShell session?
Lesson 3: Managing Computers and Other Directory Objects
Use Windows PowerShell cmdlets to retrieve and modify Active Directory computer accounts
Use Windows PowerShell cmdlets to retrieve and view Active Directory fine-grained password policies
Use Windows PowerShell cmdlets to retrieve computer account information, including operating system version, service pack version, and last logon timestamp
Computer and Other Objects
The ActiveDirectory cmdlets can also interact with objects other than users, such as:
Computer objects
Groups
Fine-grained password policies
The cmdlets Get-ADComputer, New-ADFineGrainedPasswordPolicy, and many others interact with these objects in ways that are similar to working with users
Remember to pipe objects to Get-Member or Format-List * to see which objects are available
Spend time with the help for the ActiveDirectory module's cmdlets to see which administrative actions are exposed
Demonstration: Computer and Other Objects
Learn how to manage computer and other directory objects from within the shell
Lab B: Managing Computers and Other Directory Objects
Exercise 1: Listing All Computers That Appear to Be Running a Specific Operating System According to Active Directory Information
Exercise 2: Creating a Report Showing All Windows Server 2008 R2 Servers
Exercise 3: Discovering Any Organizational Units That Aren't Protected Against Accidental Deletion
Estimated time: 20 minutes
Logon information
Virtual machine LON-DC1
Logon user name Contoso\Administrator
Password Pa$$w0rd
Lab Scenario
As an Active Directory administrator, in addition to managing users and groups you also need to monitor the servers in your organization.
Active Directory contains details identifying servers, and you want to be able to use those details to discover servers and generate reports.
To meet new security policies, your company has decided to put more stringent password policies in place. You need to create fine-grained password policies for your organization and heard that PowerShell is the only way to do so.
As a senior IT administrator responsible for a team, you want to make sure that your team members don't accidentally delete important information in Active Directory. You want to use a new feature for OUs that prevents them from accidental deletion.
Lab Review
How can you see a list of all attributes that are available for an Active Directory object?
Which parameter can be used to limit the total number of objects returned in an Active Directory query?
Module Review and Takeaways
On which operating systems are the Active Directory cmdlets available?
Which module contains the Active Directory cmdlets?
What is the purpose of an Active Directory PSDrive?
Which drive must be active in order to use New-PSDrive to map a new drive to Active Directory?
Class Discussion
Common issues related to Active Directory