Active Directory with PowerShell: Learn to configure and manage Active Directory using PowerShell in an efficient and smart way

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!

Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!

50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

Thousands of reference materials covering every tech concept you need to stay up to date.

Subscribe now

View plans & pricing

Active Directory with PowerShell

Chapter 1. Let's Get Started

Welcome to managing Active Directory using PowerShell. There are lot of good books from Packt Publishing that you might want to refer to improve your PowerShell skills. Assuming that you know the basics of PowerShell, this book further helps you to manage Active Directory using PowerShell. Do not worry if you are not familiar with PowerShell. You can still make use of the content in this book because most of the one-liners quoted in this book are self-explanatory. This chapter will take you through some of the essential tools that are required for managing Active Directory using PowerShell:

The Microsoft Active Directory PowerShell module
The Quest Active Directory PowerShell module
Native PowerShell cmdlets

Details of how to get these tools, install, and configure them are also provided in this chapter. The content in this book completely relies on these tools to query Active Directory, so it is important to install and configure them before you proceed with further chapters in this book.

Though you can install and use these tools on legacy operating systems such as Windows XP, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, and so on, we will focus mostly on using them on the latest versions of operating systems, such as Windows 8.1 and Windows Server 2012 R2. Most of the operations performed on Windows 8.1 and Windows Server 2012 work on its predecessors. Any noticeable differences will be highlighted as far as possible.

Another reason for using the latest versions of operating systems for demonstration is the features list that they provide. When the Microsoft Active Directory PowerShell module was initially introduced with Windows Server 2008 R2, it came with 76 cmdlets. In Windows Server 2012, the number of cmdlets increased from 76 to 135. Similarly, the Windows Server 2012 R2 release has 147 Active Directory cmdlets. Looking at this pattern, it is clear that Microsoft is focusing on bringing more and more functionality into the Active Directory PowerShell module with its new releases. This means the types of actions we can perform with the Microsoft Active Directory module are increasing. Because of these reasons, Windows 8.1 and Windows Server 2012 R2 are being used for demonstration so that you can learn more about managing Active Directory using PowerShell.

To see how many cmdlets a module has, use the following commands once you have the Active Directory PowerShell module installed using the approach that is discussed later in this chapter:

Import-Module ActiveDirectory

First, import the Active Directory module in a PowerShell window. You will see a progress bar as shown in the following screenshot:

Once the module is imported, then you can run the following command to verify how many cmdlets Active Directory module has:

(Get-Command -Module ActiveDirectory).Count

As you can see in the following screenshot, there are 147 cmdlets available in Active Directory module on a Windows Server 2012 R2 server:

Ways to automate Active Directory operations

Active Directory operations can be automated in different ways. You can use C#, VB, command line tools (such as dsquery), VBScript, PowerShell, Perl, and so on. Since this book focuses on using PowerShell, let's examine the methodologies that are widely used to automate Active Directory operations using PowerShell.

There are three ways available to manage Active Directory using PowerShell. Each of these has its own advantages and operating environments:

The Microsoft Active Directory module
The Quest Active Directory PowerShell cmdlets
The native method of PowerShell

Let's dig into each of these and understand a bit more in terms of how to install, configure, and use them.

The Microsoft Active Directory module

As the name indicates, this PowerShell module is developed and supported by Microsoft itself. This module contains a group of cmdlets that you can use to manage Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). The Microsoft Active Directory module is introduced with the Windows Server 2008 R2 operating system and you need to have at least this version of OS to make use of the module. This module comes as an optional feature on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 and gets installed by default when you install the AD DS or AD LDS server roles, or when you promote them as domain controllers. You can have this module installed on Windows 7 or Windows 8 by installing the Remote Server Administration Tools (RSAT) feature.

This module works by querying Active Directory through a service called Active Directory Web Services (ADWS), which is available in Windows Server 2008 R2 or later operating systems. This means your domain should have at least one domain controller with an operating system such as Windows Server 2008 R2 or above to make the module work.

Don't get disappointed if none of your domain controllers are upgraded to Windows Server 2008 R2. Microsoft has released a component called Active Directory Management Gateway Service that runs as the Windows Server 2008 R2 ADWS service and provides the same functionality on Windows Server 2003 or Windows Server 2008 domain controllers.

You can read more about ADWS and gateway service functionality at http://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx

Installing Active Directory

As mentioned earlier, if you promote a Windows Server 2008 R2 or later operating system to domain controller, there is no need to install this module explicitly. It comes with the domain controller installation process.

Installing Active Directory module on Windows 7, Windows 8, and Windows 8.1 is a two-step process. First, we need to install the Remote Server Administration Tool (RSAT) kit for the respective operating system; then we enable the Active Directory module, which is part of RSAT, as a second step.

Installing the Remote Server Administration Tool kit

First, download the RSAT package from one of the following links based on your operating system and install it with administrative privileges:

RSAT for Windows 8.1 http://www.microsoft.com/en-us/download/details.aspx?id=39296
RSAT for Windows 8 http://www.microsoft.com/en-us/download/details.aspx?id=28972
RSAT for Windows 7 with SP1 http://www.microsoft.com/en-us/download/details.aspx?id=7887

Installing the Active Directory module

Once the RSAT package is installed, you need to enable Remote Server Administration Tools | Role Administration Tools | AD DS and AD LDS Tools | Active Directory module for Windows PowerShell via the Turn Windows features on or off wizard that you will find in the Control Panel of the Windows 7 or Windows 8 operating systems.

To install Active Directory module on Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 member servers, there is no need to install additional components. They are already part of the available features and it's just a matter of adding the feature to the operating system. This can be done using PowerShell or a regular GUI approach.

If you want to enable this feature using PowerShell in the aforementioned server operating systems, then use the following commands:

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell

The RSAT package comes with the build on Windows Server 2008 R2 and Windows Server 2012. No need to install RSAT explicitly. The Server Manager PowerShell module in these operating systems contains the cmdlet, Add-WindowsFeature, which is used for installing features. In this case, we are installing Active Directory module for the Windows PowerShell feature in the AD DS and AD LDS tools.

If you want to perform this installation on remote servers, you can use the PSRemoting feature in PowerShell. This is the best approach if you want to deploy Active Directory module on all your servers in your environment.

This Active Directory module for Windows PowerShell can be installed using GUI interface as well. You need to use Server Manager to add Active Directory Module for Windows PowerShell using the Add Roles and Features Wizard as shown in following screenshot:

Testing the functionality

After installation, you can verify the functionality of Active Directory module by importing it and running a few basic cmdlets. A cmdlet is a simple command that is used in the Windows PowerShell environment. You can read more about cmdlets at http://msdn.microsoft.com/en-us/library/ms714395(v=vs.85).aspx.

Your installation is successful if you see your domain information after running the Get-ADDomain cmdlet, as shown in the following:

Import-Module ActiveDirectory
Get-ADDomain

Note

One good thing about PowerShell is you can avoid the hassle of typing the whole command in the PowerShell window by using the Tab Expansion feature. You can type part of the command and press the Tab key to autocomplete it. If there are multiple commands (or cmdlets) that match the string you typed, then use Tab multiple times to select the one you need. It's pretty handy because some of the cmdlets in Active Directory are considerably long and it can get really frustrating to type them. Refer to the TechNet page at http://technet.microsoft.com/en-us/library/dd315316.aspx in order to understand how you can use this feature of PowerShell.

Quest Active Directory PowerShell cmdlets

Previously, you learned that Microsoft Active Directory (MS AD) module was introduced with Windows Server 2008 R2. So, how did system administrators manage their Active Directory environments before the introduction of MS AD module? Quest Active Directory PowerShell cmdlets were present at that time to simplify AD operations. This Quest module has a bunch of cmdlets to perform various operations in Active Directory. Even after Microsoft released Active Directory module, many people still use Quest AD cmdlets because of its simplicity and the wide variety of management options it provides.

Quest AD module is part of the Quest ActiveRoles Server product, which is used for managing Active Directory objects. This Quest AD module is also referred to as ActiveRoles Management Shell for Active Directory because it is an integral part of the ActiveRoles product.

Installing Quest

Quest software (now acquired by Dell) allows you to download ActiveRoles Management Shell for free and you can download a copy from https://support.software.dell.com/download-install-detail/5024645. You will find two versions of Quest AD Management Shell in the download page. Be sure to download the latest one: v1.6.0.

While trying to install the MSI, you might get a prompt saying Microsoft .NET Framework 3.5 Service Pack 1 or later is required. You will experience this even if you have .NET framework 4.0 installed on your computer. It seems the MSI is specifically looking for .NET 3.5 SP1. So, ensure that you have .NET Framework 3.5 SP1 installed before you start installing the Quest AD management Shell MSI. You might want to refer to the TechNet article at http://technet.microsoft.com/en-us/library/dn482071.aspx to understand NET Framework 3.5 installation process on Windows Server 2012 R2.

After the completion of MSI, you can start using this module in two ways. You can either search in Program Files for the application with the name ActiveRoles Management Shell for Active Directory or you can add the Quest snap-in into the regular PowerShell window.

It's preferred to add the snap-in directly into existing PowerShell windows rather than opening a new Quest AD Shell when you want to manage Active Directory using Quest cmdlets. Also if you are authoring any scripts based on Quest AD cmdlets, it is best to add the snap-in in your code rather than asking the script users to run it from a Quest AD Shell window.

The Quest AD Snap-in can be added to an existing PowerShell window using the following command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

After adding the snap-in, you can list the cmdlets provided by this snap-in using the following command:

Get-Command -Module Quest.ActiveRoles.ADManagement

Get-Command is the cmdlet used to list cmdlets or functions inside a given module or snap-in after importing them. The version (v1.6.0) of Quest AD Shell has 95 cmdlets. Unlike Microsoft Active Directory module, the number of cmdlets will not change from one operating system to another in Quest AD Shell. The list of cmdlets is the same irrespective of the operating system where the tool is installed.

One advantage of Quest AD Shell is that it doesn't need Active Directory Web services, which is mandatory for Microsoft Active Directory module. Quest AD Shell works with Windows Server 2003-based domain controllers as well without the need to install Active Directory Management Gateway Service.

Testing the functionality

Open a new PowerShell window and try the following commands. The Get-QADRootDSE cmdlet should return your current domain information. All the Quest AD Shell cmdlets will have the word QAD prefixed to the noun:

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement
Get-QADRootDSE

Using the Native method of PowerShell

Both Microsoft AD module and Quest AD module have a dependency and require additional software or components installed. If your environment cannot afford the installation of new components, then you are left with only one option to manage Active Directory using native PowerShell, which uses .NET classes. This doesn't require any extra components to be installed and the only thing required is .NET, which is present by default on any Windows operating system.

To query all computers in the current domain, use a query given in the following command:

([ADSISearcher]"Objectclass=Computer").Findall()

The example shown in the following screenshot might look simple but, as you need to do more with the native method approach, the complexity of the code will increase. Also, you will find less help from the community when querying Active Directory using the native method. Because of these reasons, Microsoft AD module or Quest module are preferred for easy Active Directory operations. Use this approach only if you have no other option.

What you will learn

Manage user and computer accounts using PowerShell

Automate group membership additions, removals, and bulk operations using PowerShell

Perform various query operations against Active Directory to fetch user, computer, and group details in an efficient and faster way

Understand how sites, subnets, and domains are managed

Perform advanced operations such as Domain Controller promotion/demotion

Discover how to automate replication checks, fine grained password policy creation, and FSMO roles transfer/seize using PowerShell

Get to know more about DNS server management, record creation/modification/ deletion, and DNS client management with PowerShell

Find out ways to automate DFSN and DFSR installation and configuration using PowerShell

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!

Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!

50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

Thousands of reference materials covering every tech concept you need to stay up to date.

Subscribe now

View plans & pricing

Frequently bought together

$32.99

$54.99

$48.99

Total $ 136.97

Filter reviews by

All

Packt verified reviews

Amazon verified reviews

Michael May 05, 2015

Really liked this book and the samples.In Case i am working with Active Directory since 15 Years and PowerShell since Version 1, still learned something out of this book.

Amazon Verified review

steve alexandris Aug 22, 2017

Probably the most useful book a Windows Sysadmin can buy. It does not go into the deep, otherwise useless, theoretical aspects of powershell and powershell programming. It tells you how to do what you need to do, you pick up the rest by making sense of the patterns in syntax.

D b Jun 09, 2016

Very In depth.

rpm507 Jun 08, 2015

This book does provide insight into AD that helps to resolve problems. Some of the examples worked by inserting local information and others repeated what we were already doing that didn't work. I found the book to be worth the money I paid. I can recommend it to you as long as you can accept those limitations.

Paul G. May 15, 2015

Active Directory with PowerShell held on to PACK Publishing standards - easy to use, readable and understand. Book covers maybe not all the Active Directory aspects but it's worth to take a deeper look. It's not focusing on how PS works and all that but it goes straight to the point - Active Directory managing. Examples and topic gives AD administrators great foundations for everyday tasks just like in cookbook straightforward recipes :). As mentioned before not every topics are covered so lack of AD RMS / DHCP / CA/PKI and others but I hope it will be extended within next release. My Active Directory library gets bigger :)

Active Directory with PowerShell: Learn to configure and manage Active Directory using PowerShell in an efficient and smart way

What do you get with a Packt Subscription?

Active Directory with PowerShell

Chapter 1. Let's Get Started

Ways to automate Active Directory operations

The Microsoft Active Directory module

Installing Active Directory

Installing the Remote Server Administration Tool kit

Installing the Active Directory module

Testing the functionality

Note

Quest Active Directory PowerShell cmdlets

Installing Quest

Testing the functionality

Using the Native method of PowerShell

Summary

Page 1 of 3

Description

Who is this book for?

What you will learn

Product Details

What do you get with a Packt Subscription?

Product Details

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

Filter reviews by

People who bought this also bought

About the authors

FAQs

Active Directory with PowerShell: Learn to configure and manage Active Directory using PowerShell in an efficient and smart way

What do you get with a Packt Subscription?

The Microsoft Active Directory module

Installing Active Directory

Installing the Remote Server Administration Tool kit

Installing the Active Directory module

Testing the functionality

Note

Quest Active Directory PowerShell cmdlets

Installing Quest

Testing the functionality

Using the Native method of PowerShell

Description

Who is this book for?

What you will learn

Product Details

What do you get with a Packt Subscription?

Product Details

Packt Subscriptions

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

Filter reviews by

People who bought this also bought

About the authors

FAQs