Using Active Directory Admin tools (in PowerShell) Part 2

Create or manage groups

This is pretty straight forward activity that we can find a lot of info about online. I feel like at this point we basically understand how PowerShell works and the lab environs are not exactly helpful so we may come back to this and add screen shots after we get back into a working test environment at CED Solutions, fingers crossed that that actually happens. Also instead of listing the full syntax for the cmdlets I’ve simply posted the links to the TechNet articles which I did less of last time so you can check that out for yourself!

So the first thing when trying to answer any question is clearly to do a search for the answer. So I searched for “create a group PowerShell” and came up with an interesting post. This is lifted from a blog and it’s pretty basic straight forward helpful info for someone such as my nubbins self that’s trying to learn this stuff: Create an Active Directory Group with PowerShell

In Windows Server 2012 R2 or Windows Server 2008 R2, use the New-ADGroup cmdlet.To create a new global group in the default Users folder of Active Directory called “Finance”:NEW-ADGroup -name “Finance” -groupscope Global If it needs to exist in different path in Active Directory, specify the path by its distinguished name:NEW-ADGroup -name “Finance” -groupscope Global -path “OU=Offices,DC=Contoso,DC=local”

However there’s more on this topic that I’m aware of so ill add links to the TechNet articles of some of the cmdlets listed in case we want more info on the full syntax of the cmdlets discussed. Using these commands in context and in order should provide for a more complete understanding of the given topic in PowerShell as well. Hard to tell if these will work without testing tho

  • New-AdGroup
  • New-AdGroup -name “McNubbinzzfailsauce” -Groupscope Global

  • Add-AdGroupmember
  • At this point I’m starting to wonder if there a shorter version/alias or like abberviations for some of these. There doesn’t appear to be any reference articles pointing to that but there is a great thread about this if you don’t mind cussing 🙂 Help on Add-Groupmember

  • Add-AdGroupmember -identity McNubbinzzfailsauce -Members RODC
  • Remove-AdGroupmember
  • Remove-AdGroupmember -identity McNubbinzzfailsauce -members RODC

  • Remove-AdGroup
  • Remove-AdGroup -identity McNubbinzzfailsauce

Create or manage computer accounts

This is basically the same as creating user accounts like we did in the previous post so the screen shot there is still applicable but its robots instead of actual human users. However sometimes computers do use user accounts for services and so forth so what evs, you get the idea. Also some of these have potential prompt for credential sets in the syntax but I’m not good enough at reading the TechNet articles to know if its required without actually trying it however if it does I’m assuming that it will look exactly like the credential prompt show in screen shot shown in the last post.

So this is basic creation of accounts sort of thing. What about managing and viewing computer accounts? What if we want to see all the accounts listed in our directory and then pipe them to a webpage? Well we would use get-adcomputer and then spell it out from there. Note that this would be kind of harmful if you were to run this in an enterprise environment with lots of computer accounts because duh there’s lots of them and it’s not a prepopulated csv or database, your actually pulling on a harddrive your actually querying against a live database. So what I’m saying is probably don’t do this during regular business hours unless you’re playing Chaos Monkey

  • Get-AdComputer

  • Get-AdComputer | ConvertTo-html | out-file C:usersadministratordesktopgertallsuprcompootrs111onnetwrk.htm

Ok so that’s that we should now have a locally hosted website that shows all of the computers on our network that if needed could be placed in a shared file for network users to view or actually hosted in proper format for web viewing. Also I’m pretty sure that syntax should work but you know, testing probs. So let’s dig around and see what all is out there as far as information on viewing computer info besides what we already know that was displayed in the videos mentioned previously. So I came across this little ditty on a hardware vendors website/forums and I found it quite confusing as get-Qadcomputer doesn’t seem to be a built in PowerShell command so maybe it’s an add on software package from the hardware vendor? It seems to come up quite often. Interesting, but not important cause it’s not on the test right? Here’s an example of a complete syntax displayed on the sites

Get-QADComputer | Get-Member Remove-ADComputer

Create or manage organizational units and containers

Ok cool, so wtf is an OU and how is it different than a group? Well according to Someolddude1’s internet blog it’s something like this:

Groups have SIDs, can be placed on access control lists, and can contain other groups (even the same type of group referred to as group nesting). Organizational units do not have SIDs, can’t be placed on an access control list, and cannot be placed into a group. Instead, organizational units are used to organize users, groups, and computers within Active Directory. This organization is used to grant delegation and deploy configuration and security settings through group policy. Moving forward it is ideal to use the best practice for group nesting, as it is easiest to manage and provides the best security environment for Active Directory. Of course organizational units can be nested into other organizational units and often are. Just remember the two main reasons for organizational units and the design and deployment of them will be clear.

Still doesn’t make sense to me. Why do I care if something has a SID (security identifier), what’s an access control list, and why would I not want something placed into a group or are groups inside of OU’s? Also so I can’t put a group into an OU and it acquires these things? I’m lost at this point and I’m not going to lie about it because it’s better to ask questions and figure it out rather than try to be the cool pretentious kid that doesn’t figure it out cause he’s too busy pretending to know everything.

Well there’s also this TechNet article and after reading it I think what I’m understanding here is that groups are placed into OUs which are created to organize sites or different lines of business and then groups are placed inside of them? Maybe this is correct. Hard to be sure. I suppose we could ask the question on TechNet forums but someone has already done that too. This is more helpful info which seems to tell me my assumption is correct. So I can link GPs to groups within OUs but not to the OUs themselves. Not sure why this is designed this way but whatever.

This also brings up another interesting question. What about the default user’s container that’s built into AD that you can’t attach GPO’s to. What’s that called and is it an OU, a group or neither? I feel like this is really basic stuff that I should know by now that I don’t. I asked someone that past the 70-410 test in class and they didn’t really seem to know either. It was in the middle of trying out some stuff listed on a Toms Hardware article about PowerShell, which is a fantastic reference by the way. I cant seem to find this information any where. Some one should really consider creating a table that shows an AD tree and has names boxed in with arrows pointing to the folders in the tree so you can get a better idea of WTF is going on with all that. As soon as I figure it out ill let you know. : )

Connect to one or several domains or domain controllers in the same instance of ADAC

This is actually really easy to do using PowerShell and we are going to dip into some things we learned in the PowerShell tutorials from Microsoft on this one as well as the next one. However the books descriptor is kind of vague so we are going to explore a couple of options as to how we might do this. The GUI method is fairly straight forward. You simply right click in the management console and go. You can also open a local PowerShell session and if you just want to run a PowerShell prompt so you can use a PowerShell on a machine in a local type of fashion use the command

  • Enter-PsSession

  • Enter-pssession RODC

    This takes us directly to whatever machine we named RODC and if you type hostname at the prompt you should see the name of the computer you connected to returned.

  • Or if you want to run code on your machine and send to a computer you use the -computername switch if it’s available with the cmdlet you’re using and for more info on this switch check out this article about the ComputerName switch

    You could also use these to query any computer or targeted computers on your domain

  • Get-AdComputer The syntax below should get you any computer on the network running bits or if you target specific machines it will do that as well. Again use caution running this against every computer on an enterprise domain. Also throwing in a new command in here with the Get-Service cmdlet. The filter switch in the case below is going to search all computers. If you used the -identity switch you could simply target computers. So the compound |’d structure works like this, you all the computers, you have that data then it searches each of those computers for the service name bits or in the second case you should get a really huge list of every service running on every AD computer sorted by name and status then you could out put it to html if you wanted. #epic haha

    • Get-AdComputer -filter * |get-service -name bits
    • Get-AdComputer -filter * |get-service | select -property name, status

    Filter active directory data

The most obvious source of “active directory data” kind of vague term as active directory is nothing but data is the event log. If you’ve ever worked in support, development, walked through an IT department, pushed a computer and then expected it to work your probably familiar with this thing called an event log that tells you where shit went wrong. After you know what went wrong then you can figure out how to fix it. Yay! This really is a pretty critical part of an operating system as far as anyone in the field is concerned. Obviously a standard computer user has no need to dive into an event log but we are not average users are we? Cool. Now that that’s established.

  • Get-Eventlog

  • Get-eventlog -logname system (-newest 5) |convertto-html| out-file c:usersadministratordesktopbooyatribsorgserverprobs.htm
  • Ahhh sukisuki now we got a website called booyatribsorgserverprobs with our recent eventlog errors. Hopefully we can take a look at those and get our stuff togeather.

  • So this is also kind of cool, we can sort
  • Get-eventlog -logname system newest 5 |select -property event ID, timewritten, message | Sort -timewritten -descending

  • We could also use Get-GPO to output some or all of our GPOs since this is also “active directory data” that is obviously filterable and you can also do whatever you want in terms of |ing this data to a location or file type as previously discussed. While its not really applicable to this section I suppose you could also write a “what if script” and see what would happen if you applied certain GPOs to users/computers and then send that to website…..but that’s outside of our scope? So maybe we should stick with some thing basic that pulls all GPO’s
  • Get-GPO -all -Domain contoso.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by WordPress.com.

Up ↑

%d bloggers like this: