Using active directory Admin tools (in powershell) Part 1

Ok so this is from the book, and it tells you how to do it
using the GUI starting on page 126, but that's boring and old hat stuff that
frankly anyone going out for this MCSA situation should know anyway. So we're
going to see what we can cook up by learning how to do this in PowerShell
again, cause we're overachievers that actually want to figure out what we are
doing.

  • Reset user password

    Ok, this one is easy enough, and amazingly easy using the server GUI: Users and
    Computers, find the account, right click, reset password. Well, let's see what we
    have to do in PowerShell. So Google gives us the following info from this TechNet
    article: https://technet.microsoft.com/en-us/library/Ee617261.aspx

      • Set-ADAccountPassword tammywynet -NewPassword Password1
      • Uha, that don't work, let's try something else
      • Ok, this is working but it's asking me for her
        current password and I don't know what it is. She forgot it. Dang it Tammy. Why
        you wanna go and make me learn. And this isn't in the book at all. 😦
      • Google is no more help. Can this be done in
        PowerShell? It's looking like unless you've just mass created a bunch of users
        or just created an account through PowerShell that has no password associated, that's
        a no. You could try enabling a locked account and pressing enter and not
        putting anything in the password field, but that doesn't seem very secure or
        like something Microsoft would have overlooked since it's so amazingly basic. I
        guess some things are better left to GUIs.
    • Create and manage user accounts
      • Ok, creating a user account, this shouldn't be too
        hard. Let's use our friend Google and see what we can dig up in TechNet to
        create a user account. https://technet.microsoft.com/en-us/library/Ee617253.aspx
        • Ok, so New-ADUser, and what's the syntax?
        • Uha, yeah, this is a lot:
          New-ADUser
          [-Name] <string> [-AccountExpirationDate
          <System.Nullable[System.DateTime]>] [-AccountNotDelegated
          <System.Nullable[bool]>] [-AccountPassword <SecureString>]
          [-AllowReversiblePasswordEncryption <System.Nullable[bool]>] [-AuthType
          {<Negotiate> | <Basic>}] [-CannotChangePassword
          <System.Nullable[bool]>] [-Certificates <X509Certificate[]>] [-ChangePasswordAtLogon
          <System.Nullable[bool]>] [-City <string>] [-Company <string>]
          [-Country <string>] [-Credential <PSCredential>] [-Department
          <string>] [-Description <string>] [-DisplayName <string>]
          [-Division <string>] [-EmailAddress <string>] [-EmployeeID
          <string>] [-EmployeeNumber <string>] [-Enabled
          <System.Nullable[bool]>] [-Fax <string>] [-GivenName
          <string>] [-HomeDirectory <string>] [-HomeDrive <string>]
          [-HomePage <string>] [-HomePhone <string>] [-Initials
          <string>] [-Instance <ADUser>] [-LogonWorkstations <string>]
          [-Manager <ADUser>] [-MobilePhone <string>] [-Office
          <string>] [-OfficePhone <string>] [-Organization <string>]
          [-OtherAttributes <hashtable>] [-OtherName <string>] [-PassThru
          <switch>] [-PasswordNeverExpires <System.Nullable[bool]>]
          [-PasswordNotRequired <System.Nullable[bool]>] [-Path <string>]
          [-POBox <string>] [-PostalCode <string>] [-ProfilePath
          <string>] [-SamAccountName <string>] [-ScriptPath <string>]
          [-Server <string>] [-ServicePrincipalNames <string[]>] [-SmartcardLogonRequired
          <System.Nullable[bool]>] [-State <string>] [-StreetAddress
          <string>] [-Surname <string>] [-Title <string>]
          [-TrustedForDelegation <System.Nullable[bool]>] [-Type <string>]
          [-UserPrincipalName <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
        • Well, it's really not that much, it's just all the fields
          that you can populate to describe a user. We don't need to do all that atm so
          we're going to keep it basic:
          New-ADUser -Name RODC -DisplayName RODC -GivenName Br0no -Surname Tosaurus
        • Hey, it worked! We now have an RODC account with
          a funny user name. Let's try to set this password because it shouldn't have one
          since we didn't use the switch to give it a password. Let's try that command
          from the first bullet.
        • So in this instance Set-ADAccountPassword rodc
          works but we still need to enable the account. Again, no idea, so let's hit TechNet
          up again.
        • Perfect: https://technet.microsoft.com/en-us/library/Ee617200.aspx
        • Enable-ADAccount -Identity rodc works great
        • Let's verify this, not sure how. Well, if I google
          "verifying enabled ad account powershell" it takes me to some long page about a
          script, but I have a feeling I can use the basic cmdlet from the first line in
          the script, which is Get-ADUser. So let's try that.
        • Well, it initially takes us to a 2008 article, so
          let's add 2012 and find the right article: https://technet.microsoft.com/en-us/%5Clibrary/Hh852208(v=WPS.630).aspx
        • There's a long string in here but I think we just
          need the basics, which looks like: Get-ADUser -Identity rodc
        • As to why some require the switch identity and
          why some don't is beyond me, but whatever, it worked. Now this whole string looks
          like this; ignore the part where I was renaming a server. I was attempting to
          create an RODC in PowerShell, but we will get to that later, just not on these
          test environs.

     [Screenshot: creating AD account and renaming server]
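
Added example, not from the original post or the book: the password reset and the create/enable/verify sequence above, written with the ActiveDirectory module's -Reset switch and SecureString input. It assumes a lab domain, the post's account names (tammywynet, rodc) and an operator with rights to manage those users.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Run it in a lab domain with
# rights to manage users. 'tammywynet' and 'rodc' are the post's accounts.
Import-Module ActiveDirectory

# --- Reset a forgotten password ---
# -NewPassword is typed [SecureString]; a bare string like Password1 is
# rejected. Read-Host -AsSecureString also keeps it out of history/transcripts.
$tammyPw = Read-Host -AsSecureString -Prompt 'Temporary password for tammywynet'

# Without -Reset the cmdlet does a password *change* and asks for the old
# password. -Reset is the administrative reset the GUI right-click performs.
Set-ADAccountPassword -Identity tammywynet -Reset -NewPassword $tammyPw

# Make the temporary password single-use and clear any lockout.
Set-ADUser -Identity tammywynet -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity tammywynet

# --- Create a user that is usable right away ---
# New-ADUser without -AccountPassword creates a disabled account with no
# password. Supplying both here replaces the separate set/enable steps.
# (Skip this call if the account already exists, as it does in the post.)
$rodcPw = Read-Host -AsSecureString -Prompt 'Initial password for rodc'
New-ADUser -Name RODC -SamAccountName rodc -DisplayName RODC `
    -GivenName Br0no -Surname Tosaurus `
    -AccountPassword $rodcPw -Enabled $true -ChangePasswordAtLogon $true

# --- Verify ---
# -Identity is positional (position 0), so 'Get-ADUser rodc' is equivalent.
# Enabled is returned by default; the other properties must be requested.
Get-ADUser -Identity rodc -Properties PasswordLastSet, PasswordNotRequired, LockedOut |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNotRequired, LockedOut

# --- Audit: enabled accounts allowed to have a blank password ---
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNotRequired -eq $true' |
    Select-Object SamAccountName, DistinguishedName
```

The last query is worth running after any bulk or scripted account creation, since an enabled account with PasswordNotRequired set can hold an empty password regardless of domain password policy.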
