Using Active Directory Admin tools (in PowerShell) Part 2

Create or manage groups

This is a pretty straightforward activity that we can find a lot of info about online. I feel like at this point we basically understand how PowerShell works and the lab environment is not exactly helpful, so we may come back to this and add screenshots after we get back into a working test environment at CED Solutions, fingers crossed that that actually happens. Also, instead of listing the full syntax for the cmdlets I've simply posted the links to the TechNet articles, which I did less of last time, so you can check that out for yourself!

So the first thing when trying to answer any question is clearly to do a search for the answer. So I searched for "create a group PowerShell" and came up with an interesting post. This is lifted from a blog and it's pretty basic, straightforward, helpful info for someone such as my nubbins self that's trying to learn this stuff: Create an Active Directory Group with PowerShell

In Windows Server 2012 R2 or Windows Server 2008 R2, use the New-ADGroup cmdlet. To create a new global group in the default Users folder of Active Directory called "Finance":

New-ADGroup -Name "Finance" -GroupScope Global

If it needs to exist in a different path in Active Directory, specify the path by its distinguished name:

New-ADGroup -Name "Finance" -GroupScope Global -Path "OU=Offices,DC=Contoso,DC=local"

However there's more on this topic that I'm aware of, so I'll add links to the TechNet articles of some of the cmdlets listed in case we want more info on the full syntax of the cmdlets discussed. Using these commands in context and in order should provide for a more complete understanding of the given topic in PowerShell as well. Hard to tell if these will work without testing though.

  • New-ADGroup
  • New-ADGroup -Name "McNubbinzzfailsauce" -GroupScope Global

  • Add-ADGroupMember
  • At this point I'm starting to wonder if there's a shorter version/alias or abbreviations for some of these. There doesn't appear to be any reference article pointing to that, but there is a great thread about this if you don't mind cussing 🙂 Help on Add-Groupmember

  • Add-ADGroupMember -Identity McNubbinzzfailsauce -Members RODC
  • Remove-ADGroupMember
  • Remove-ADGroupMember -Identity McNubbinzzfailsauce -Members RODC

  • Remove-ADGroup
  • Remove-ADGroup -Identity McNubbinzzfailsauce
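Here is the same create/add/remove sequence chained together as a small script, with a check that the group really contains what you added and a -WhatIf preview before anything is deleted. This is an added example, not code from the post or from TechNet; the OU path, group name and member names are constructed lab values you would swap for your own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module,
# an OU "OU=Offices,DC=contoso,DC=local" and the sample users exist in your lab domain.
Import-Module ActiveDirectory

$groupName = 'Finance'                          # constructed sample name
$ouPath    = 'OU=Offices,DC=contoso,DC=local'   # assumed OU, change to yours
$members   = @('jdoe', 'asmith')                 # constructed sample sAMAccountNames

# Create the group only if it is not already there. Using -Filter instead of -Identity
# avoids the terminating error Get-ADGroup throws when the object does not exist.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouPath
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path $ouPath -Description 'Finance staff (lab)' -PassThru
}

# Add the members, then read the membership back rather than trusting the call succeeded.
Add-ADGroupMember -Identity $group -Members $members
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
$missing = $members | Where-Object { $_ -notin $current }
if ($missing) { Write-Warning "Not added: $($missing -join ', ')" }

# Removal: -WhatIf shows what would happen without doing it. Drop -WhatIf to run for real;
# -Confirm:$false suppresses the interactive prompt Remove-ADGroupMember shows by default.
Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false -WhatIf
Remove-ADGroup -Identity $group -Confirm:$false -WhatIf
```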

Create or manage computer accounts

This is basically the same as creating user accounts like we did in the previous post, so the screenshot there is still applicable, but it's robots instead of actual human users. However sometimes computers do use user accounts for services and so forth, so whatevs, you get the idea. Also some of these have a potential prompt for credential sets in the syntax, but I'm not good enough at reading the TechNet articles to know if it's required without actually trying it; however if it does, I'm assuming that it will look exactly like the credential prompt shown in the screenshot in the last post.

So this is the basic creation of accounts sort of thing. What about managing and viewing computer accounts? What if we want to see all the accounts listed in our directory and then pipe them to a web page? Well, we would use Get-ADComputer and then spell it out from there. Note that this could be kind of harmful if you were to run this in an enterprise environment with lots of computer accounts, because duh, there's lots of them and it's not a prepopulated CSV or database; you're actually querying against a live database. So what I'm saying is probably don't do this during regular business hours unless you're playing Chaos Monkey.

  • Get-ADComputer

  • Get-ADComputer -Filter * | ConvertTo-Html | Out-File C:\Users\Administrator\Desktop\gertallsuprcompootrs111onnetwrk.htm

Ok so that's that; we should now have a locally hosted web page that shows all of the computers on our network which, if needed, could be placed in a shared folder for network users to view or actually hosted in proper format for web viewing. Also I'm pretty sure that syntax should work but you know, testing probs. So let's dig around and see what all is out there as far as information on viewing computer info besides what we already know from the videos mentioned previously. So I came across this little ditty on a hardware vendor's website/forums and I found it quite confusing, as Get-QADComputer doesn't seem to be a built-in PowerShell command, so maybe it's an add-on software package from the hardware vendor? It seems to come up quite often. Interesting, but not important cause it's not on the test, right? Here's an example of the complete syntax displayed on the sites:

Get-QADComputer | Get-Member

Remove-ADComputer

Create or manage organizational units and containers

Ok cool, so wtf is an OU and how is it different than a group? Well according to Someolddude1’s internet blog it’s something like this:

Groups have SIDs, can be placed on access control lists, and can contain other groups (even the same type of group referred to as group nesting). Organizational units do not have SIDs, can’t be placed on an access control list, and cannot be placed into a group. Instead, organizational units are used to organize users, groups, and computers within Active Directory. This organization is used to grant delegation and deploy configuration and security settings through group policy. Moving forward it is ideal to use the best practice for group nesting, as it is easiest to manage and provides the best security environment for Active Directory. Of course organizational units can be nested into other organizational units and often are. Just remember the two main reasons for organizational units and the design and deployment of them will be clear.

Still doesn't make sense to me. Why do I care if something has a SID (security identifier), what's an access control list, and why would I not want something placed into a group, or are groups inside of OUs? Also, so I can't put a group into an OU and have it acquire these things? I'm lost at this point and I'm not going to lie about it, because it's better to ask questions and figure it out rather than try to be the cool pretentious kid that doesn't figure it out cause he's too busy pretending to know everything.

Well there's also this TechNet article, and after reading it I think what I'm understanding here is that OUs are created to organize sites or different lines of business and then groups are placed inside of them? Maybe this is correct. Hard to be sure. I suppose we could ask the question on the TechNet forums, but someone has already done that too. This is more helpful info which seems to tell me my assumption is correct. So I can link GPs to groups within OUs but not to the OUs themselves. Not sure why this is designed this way but whatever.

This also brings up another interesting question. What about the default Users container that's built into AD that you can't attach GPOs to? What's that called, and is it an OU, a group or neither? I feel like this is really basic stuff that I should know by now and don't. I asked someone that passed the 70-410 test in class and they didn't really seem to know either. It was in the middle of trying out some stuff listed in a Tom's Hardware article about PowerShell, which is a fantastic reference by the way. I can't seem to find this information anywhere. Someone should really consider creating a table that shows an AD tree and has names boxed in with arrows pointing to the folders in the tree so you can get a better idea of WTF is going on with all that. As soon as I figure it out I'll let you know. : )

Connect to one or several domains or domain controllers in the same instance of ADAC

This is actually really easy to do using PowerShell, and we are going to dip into some things we learned in the PowerShell tutorials from Microsoft on this one as well as the next one. However the book's description is kind of vague, so we are going to explore a couple of options as to how we might do this. The GUI method is fairly straightforward: you simply right click in the management console and go. You can also open a remote PowerShell session; if you just want a PowerShell prompt on another machine so you can work on it as if you were local, use the command

  • Enter-PsSession

  • Enter-pssession RODC

    This takes us directly to whatever machine we named RODC and if you type hostname at the prompt you should see the name of the computer you connected to returned.

  • Or if you want to run code on your machine and send it to a computer, you use the -ComputerName switch if it's available with the cmdlet you're using; for more info on this switch check out this article about the ComputerName switch

    You could also use these to query any computer or targeted computers on your domain

  • Get-ADComputer The syntax below should get you any computer on the network running BITS, or if you target specific machines it will do that as well. Again, use caution running this against every computer on an enterprise domain. Also throwing in a new command here with the Get-Service cmdlet. The -Filter switch in the case below is going to search all computers. If you used the -Identity switch you could simply target computers. So the compound |'d structure works like this: you get all the computers, you have that data, then it searches each of those computers for the service named bits, or in the second case you should get a really huge list of every service running on every AD computer sorted by name and status, and then you could output it to HTML if you wanted. #epic haha

    • Get-ADComputer -Filter * | ForEach-Object { Get-Service -Name bits -ComputerName $_.DNSHostName }
    • Get-ADComputer -Filter * | ForEach-Object { Get-Service -ComputerName $_.DNSHostName } | Select-Object -Property MachineName, Name, Status | Sort-Object -Property Name, Status
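Get-Service does not take ADComputer objects straight off the pipeline, so the loop has to be explicit, and a domain-wide query should be scoped to an OU and tolerate machines that are off or unreachable. The script below is an added example (not the post's own code); it assumes the RSAT ActiveDirectory module, an OU named OU=Servers,DC=contoso,DC=local, and that the remote service control endpoint is reachable from where you run it.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module and an
# OU "OU=Servers,DC=contoso,DC=local" (assumed name) to keep the query off the whole domain.
Import-Module ActiveDirectory

$searchBase = 'OU=Servers,DC=contoso,DC=local'   # assumed; scope instead of -Filter * domain-wide
$service    = 'bits'

# Only enabled accounts, and only the DNSHostName property we actually need.
$results = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties DNSHostName |
    ForEach-Object {
        $computer = $_.DNSHostName

        # Skip hosts that do not answer a single ping so one dead box does not stall the run.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $computer; Service = $service; Status = 'Unreachable' }
            return   # next pipeline object
        }

        try {
            $svc = Get-Service -Name $service -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{ Computer = $computer; Service = $svc.Name; Status = $svc.Status }
        }
        catch {
            # Access denied, RPC unavailable, service not installed: keep the row, record the reason.
            [pscustomobject]@{ Computer = $computer; Service = $service; Status = "Error: $($_.Exception.Message)" }
        }
    }

# Same idea as the post's ConvertTo-Html | Out-File, but with a title and a real Windows path.
$results | Sort-Object Computer |
    ConvertTo-Html -Title "$service status" -PreContent "<h1>$service on $searchBase</h1>" |
    Out-File "$env:USERPROFILE\Desktop\bits-status.htm"
```

Get-Service -ComputerName is a Windows PowerShell feature (it is gone in PowerShell 7), which is fine for the Server 2012 lab this post is about.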

Filter active directory data

The most obvious source of "active directory data" (kind of a vague term, as Active Directory is nothing but data) is the event log. If you've ever worked in support or development, walked through an IT department, or pushed a button on a computer and then expected it to work, you're probably familiar with this thing called an event log that tells you where shit went wrong. After you know what went wrong, then you can figure out how to fix it. Yay! This really is a pretty critical part of an operating system as far as anyone in the field is concerned. Obviously a standard computer user has no need to dive into an event log, but we are not average users, are we? Cool. Now that that's established.

  • Get-EventLog

  • Get-EventLog -LogName System -Newest 5 | ConvertTo-Html | Out-File C:\Users\Administrator\Desktop\booyatribsorgserverprobs.htm
  • Ahhh sukisuki, now we got a web page called booyatribsorgserverprobs with our recent event log entries. Hopefully we can take a look at those and get our stuff together.

  • So this is also kind of cool, we can sort
  • Get-EventLog -LogName System -Newest 5 | Select-Object -Property EventID, TimeWritten, Message | Sort-Object -Property TimeWritten -Descending

  • We could also use Get-GPO to output some or all of our GPOs, since this is also "active directory data" that is obviously filterable, and you can also do whatever you want in terms of |ing this data to a location or file type as previously discussed. While it's not really applicable to this section, I suppose you could also write a "what if" script and see what would happen if you applied certain GPOs to users/computers and then send that to a web page…..but that's outside of our scope? So maybe we should stick with something basic that pulls all GPOs
  • Get-GPO -all -Domain contoso.org
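Putting the three ideas in this section together (filter the event log, sort it, and pull GPOs as AD data), the script below builds one HTML report that shows which sources are throwing errors, the events themselves newest first, and every GPO ordered by last change so an unexpected edit stands out. It is an added example, not code from the post; the seven-day window, the output path and the contoso.org domain are constructed values.

```powershell
# Added example (not from the original post). Assumes a Windows Server with the System log,
# the GroupPolicy module for Get-GPO, and a domain named contoso.org (constructed).
$since   = (Get-Date).AddDays(-7)                         # constructed window
$outFile = "$env:USERPROFILE\Desktop\serverprobs.htm"     # constructed path

# Only errors and warnings from the last week, newest first, with the columns that matter.
# The first line of Message is enough for a table; the full text stays in the log.
$events = Get-EventLog -LogName System -EntryType Error, Warning -After $since |
    Sort-Object TimeWritten -Descending |
    Select-Object TimeWritten, EntryType, Source, EventID,
                  @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }

# Count per source so the noisiest component is visible at a glance.
$summary = $events | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ Name = 'Source'; Expression = { $_.Name } }, Count

# GPOs are AD data too: list them by last modification so recent or stale changes stand out.
$gpos = Get-GPO -All -Domain contoso.org |
    Sort-Object ModificationTime -Descending |
    Select-Object DisplayName, GpoStatus, ModificationTime, Owner

# -Fragment gives table-only HTML so the three tables can be stitched into one page.
$html  = $summary | ConvertTo-Html -Fragment -PreContent '<h2>Errors/warnings by source</h2>'
$html += $events  | ConvertTo-Html -Fragment -PreContent '<h2>System events (newest first)</h2>'
$html += $gpos    | ConvertTo-Html -Fragment -PreContent '<h2>GPOs by last modified</h2>'
ConvertTo-Html -Title 'Server problems' -Body ($html -join "`n") | Out-File $outFile
```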

Failover Clustering. Why aren't you important?

Failover Clustering has been a major part of designing and supporting an effective, architecturally sound high availability environment for a long time, and from what I understand it's not a large part of the MCSA testing. However that fact is somewhat irrelevant to me, being a seeker of knowledge and skills rather than simply obtaining certificates. Thus the concept of learning to design and implement technology that is a large part of a real world application of Windows Server 2012 is very appealing to me. I realize this may seem silly as I'm unemployed and hoping to possibly get a job at some point, and that certifications certainly do improve the odds of that. But whatever, I'm a scholar yo.

If you have never heard of Failover Clustering you may be wondering what the basic premise of the technology is. A failover cluster is a group of independent computers (known as nodes for our purposes) that work together to increase availability and scalability of clustered roles (https://technet.microsoft.com/en-us/library/Hh831579.aspx). We (implying both IT professionals and desktop users in corporate environments, well really even Google users) rely on FoC for high availability for almost any critical applications such as Exchange Server and SQL that require connections to non-local information systems (meaning not stored on the local machine's hard disk). In the past we used multiple physical servers usually connected to a single storage unit that was also disk fault tolerant using a RAID array and SCSI connected hard disks. There have not been many updates to this basic premise, however the technology is now easier to use than ever thanks to technology known as virtualization and branded by Microsoft as Hyper-V. Now we have physical hard disks configured in fault tolerant arrays hosting virtualized hard disks known as VHD or VHDX files that are also set up in a fault tolerant array. This provides for two layers of information failover support: if a physical hard disk crashes we have a physical backup of the data, and if a virtual disk becomes corrupt we also have a failover copy of that information as well. This allows administrators to provide uptimes approaching 99.99% for critical applications in order to meet the high standards of today's business needs.

Basic clustering configurations:

Fig 1. (image not reproduced)

Fig 2. (image not reproduced)

*from https://technet.microsoft.com/en-us/library/Cc785197(v=WS.10).aspx

Clustered nodes can be connected using physical hardware or virtualized hardware. A basic example (fig. 1) would include three computers each with 3 NIC cards: one talking to the other nodes in the cluster, one to the database (known as a cluster shared volume or CSV for short, or the quorum resource) containing the information about the cluster configuration, and one taking incoming traffic from the network. One downside to this model was that if the quorum disk failed, so did the cluster. A legacy two node cluster could not function without it. So if just the disk failed but both nodes remained, the cluster would cease to function. The data on the quorum resource (CSV) includes a set of cluster configuration information plus records (sometimes called checkpoints) of the most recent changes made to that configuration. A node coming online after an outage can use the quorum resource as the definitive source for recent changes in the configuration. It is also possible to set up failover nodes in a configuration using multiple local volumes and skipping the CSV (fig. 2). This also has benefits but requires more replication across servers to ensure that every node has a similar database. The point of this being that in case one of the nodes fails for some reason, one of the other two nodes would notice a problem with the faulty node and seamlessly pick up the role that node was hosting (which machine picks it up is determined by using something called quorum votes, more on this later). This will obviously cause an increase in network traffic to the node picking up the role, which is certainly something to consider when designing hardware specifications to ensure a functional level of NLB (Network Load Balancing). However the node may or may not have been a node that was previously hosting that role for the rest of the network, and in that case the hardware impact would be less critical. Clustered nodes should be heavily monitored in a proactive fashion to verify that they are working, and general best practice is considered to be using a Microsoft product known as System Center that alerts network administrators to any potential issues that may occur resulting in a node failover situation. However this product costs as well, so budget restraints could be a factor. If you are using System Center and a node fails for some reason, an administrator is automatically notified of the failure while System Center attempts to resolve the issue (service is hung, the machine freezes, etc.). If System Center fails to resolve the issue, the administrator can then restart, rebuild or take whatever action is necessary to repair the node and, as mentioned previously, the role will be shifted to another node as long as the cluster is properly configured.

All of this sounds very confusing for several reasons, a primary reason being that there are two layers of technology involved: a virtualized layer, known as a guest cluster, that's set up almost exactly like a physical layer, sitting inside a server install that's on a physical server. If you're like me you may need a more relatable explanation or visualization of this. So here's a picture (in case you haven't seen it) of something some genius programmer created. You can play the video game Doom from a laptop while actually inside the video game. So it's like playing Doom in Doom. Maybe that helps? If you're playing the game it's really obvious which layer of the game you're interacting with. Like sitting at a server interacting with Hyper-V machines that are essentially set up the same way you would set up a physical machine.

(image not reproduced)

So we're kind of left with more than a few questions here, but me being a part of the omfg wtf r u doing here nubsauce train to fail town users group and basically taking educated guesses as to how this technology works only enables me to talk about a few things. Besides the fact that entire technical manuals could be written on the subject, not to mention the countless TechNet articles and YouTube videos on the subject. Maybe in the future I'll add addendums/updates to this post, but for now we will ramble on as we can. One of the obvious things is how the servers know that they are functioning. The most basic way that the servers know that the other servers are still online is through the use of something called a "heartbeat"; the way that I understand this technology is fairly basic. A server pings the other server on their private network and says hey you still there, and the server responds with something like "yeah bro I'm still here stop buggin me bro", and this happens every second. If this fails then the process of quorum voting comes into play. This seems like a very mysterious process that involves a bunch of math, and I'm not exactly sure how the servers are self-aware (see HAL) enough to assume that they have the extra processing power or know that another node would have enough processing power, but apparently they are able to do this without much trouble (aside from programmer and technological explanation headaches). There is a default setting that Microsoft has configured in Failover Cluster Manager as well as a few custom options, however the default is obviously recommended unless you're a mathematician or something, because I'm convinced that the process involved in quorum voting is nothing short of wizard magic, same for DNS resolution.

So if your computational status is anything like my nubsauce w/ x-tra Polynesian self and you are convinced that computers are full of wizard magic and mystery math, then you'll probably get really excited by the notion of the appropriately named High Availability Wizard. This marvelous device will help you set up and configure failover clustering as such:

In the High Availability Wizard, you can choose from the generic options described in the previous note, or you can choose from the following services and applications:

  • DFS Namespace Server:
        Provides a virtual view of shared folders in an organization. When a user
        views the namespace, the folders appear to reside on a single hard disk.
        Users can navigate the namespace without needing to know the server names
        or shared folders that are hosting the data.
  • DHCP Server:
        Automatically provides client computers and other TCP/IP-based network
        devices with valid IP addresses.
  • Distributed Transaction Coordinator (DTC): Supports distributed applications that perform
        transactions. A transaction is a set of related tasks, such as updates to
        databases, that either succeed or fail as a unit. 
  • File Server:
        Provides a central location on your network where you can store and share
        files with users.
  • Internet Storage Name Service (iSNS) Server: Provides a directory of iSCSI targets.
  • Message Queuing:
        Enables distributed applications that are running at different times to
        communicate across heterogeneous networks and with computers that may be
        offline. 
  • Other Server:
        Provides a client access point and storage only. Add an application after
        completing the wizard.
  • Print Server:
        Manages a queue of print jobs for a shared printer.
  • Remote Desktop Connection Broker (formerly TS Session Broker): Supports session
        load balancing and session reconnection in a load-balanced remote desktop
        server farm. RD Connection Broker is also used to provide users access to
        RemoteApp programs and virtual desktops through RemoteApp and Desktop
        Connection.
  • Virtual Machine:
        Runs on a physical computer as a virtualized computer system. Multiple
        virtual machines can run on one computer.
  • WINS Server:
        Enables users to access resources by a NetBIOS name instead of requiring
        them to use IP addresses that are difficult to recognize and remember

As noted in the TechNet article: https://technet.microsoft.com/en-us/library/Cc731960.aspx

There are also a few YouTube videos that show how to walk through this wizard, but some of them aren't in English. If interested, Google is ur friend. But here's a few that I like anyway.

https://www.youtube.com/watch?v=KY18hUS9kMQ
– good info, skip the 3rd party nonsense.

https://www.youtube.com/watch?v=eiEA9kBubDQ
– homie sounds like Pastor Rod Parsley and talks to the beat of Ghetto D, so if you're into that and wanna go to choych watch this. Also, in a more serious sense, it was very helpful for understanding quorum voting.


And that, friends, is the basic understanding of how I've wasted time studying failover clustering. 15 pages of the book I'm currently reading (http://www.barnesandnoble.com/p/mcsa-windows-server-2012-complete-study-guide-william-panek/1115083272/2691053148375?st=PLA&sid=BNB_DRS_Marketplace+Shopping+Books_00000000&2sid=Google_&sourceId=PLGoP4760&k_clickid=3×4760&kpid=2691053148375). Several days of actual studification of online resources.

Thanks.

Update: so this is cool but I can't get it to frame into this post correctly, so click the link and figure out how to watch it if you're interested

https://channel9.msdn.com/Shows/Edge/Edge-Show-36-High-Availability–Clustering-enhancement-in-Windows-Server-2012/player?format=flash

These guys really know what they are talking about; they have a useful way of speaking, meaning it's actually understandable.

Update 2: for more info on the failover cluster wizard, or to check out some PowerShell commands regarding failover clustering, check out this page…..and this one for a great basic definition

Update 3: the more flashcards I make, the more info I come across! Good times anyway. This seems like some basic info from Microsoft with lots of info on failover clustering. So far it doesn't seem as useful in a practical sense as the PowerShell videos, but probably worth watching nonetheless: Server 2012 Jumpstart
