Ezine 169 - Preparing PowerShell to Script Active Directory
The purpose of this week's ezine is to prepare PowerShell for interrogating and
modifying users in Active Directory. (Example 2b now corrected)
Recently I painted a few rooms in my house; the hardest part was the
preparation, washing the walls, filling the holes and putting on the
undercoat. It is the same when scripting Active Directory with PowerShell:
preparation is the key. You need to download PowerShell, install the
QAD snap-ins and set the execution policy. Once you have completed
this one-off preparation, the QAD cmdlets make scripting Active Directory
so much easier than using VBScript.
My ultimate goal is to reset passwords for a bunch of users using
PowerShell with the QAD snap-in.
However, as the saying goes, 'There is many a slip between cup and lip'.
What I mean is that if my readers aren't prepared, or misunderstand an
instruction, then I can see them creating a PowerShell script that changes
the password for ALL their users. This would result in serious
embarrassment on a production network, especially if the network
administrator cannot remember the new password!
I hope that you now understand why my mission will be a two-stage process.
These are my objectives for this week: firstly, to install the QAD snap-ins;
secondly, to create 'safe' scripts which merely get information
about the users, or set values only in the insignificant 'Description' field.
Next week's mission will be to change passwords.
Readers will be at different stages in their PowerShell careers, so I want to
provide a checklist for the complete beginner; those with experience could
skip the first step(s).
a) Download, then install both PowerShell and .Net Framework (from
Microsoft's site). Note: XP, Vista, and Windows Server 200x each
require a different version of PowerShell.
b) Download the QAD (Quest Active Directory) cmdlets.
c) Before you can run any cmdlets, adjust the script execution policy; type this
at the PowerShell command-line:
set-ExecutionPolicy remotesigned
d) 'Wire-up' the QAD cmdlets with the command:
add-PSSnapin quest.activeroles.admanagement
e) Now your QAD cmdlets are available, and ready for action.
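A preflight check for steps c) to e), added here as an example and not part of the original ezine. It assumes the QAD snap-in from step b) is already installed, and it uses only built-in PowerShell cmdlets plus the snap-in name given above.

```powershell
# Added example: confirm the session is prepared before any QAD script runs.
$snapin = "Quest.ActiveRoles.ADManagement"

# Step c) - check the policy. RemoteSigned lets scripts you write locally run,
# while scripts downloaded from elsewhere must carry a trusted signature.
$policy = Get-ExecutionPolicy
if ($policy -eq "Restricted") {
    throw "Execution policy is Restricted; run: set-ExecutionPolicy RemoteSigned"
}
if ($policy -eq "Unrestricted") {
    Write-Warning "Policy is Unrestricted; RemoteSigned is the tighter setting used here."
}

# Step d) - load the snap-in only if it is installed and not yet loaded.
if (-not (Get-PSSnapin -Name $snapin -Registered -ErrorAction SilentlyContinue)) {
    throw "$snapin is not installed; complete step b) first."
}
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $snapin
}

# Step e) - prove that the cmdlets are really available in this session.
if (-not (Get-Command get-QADUser -ErrorAction SilentlyContinue)) {
    throw "get-QADUser not found; the snap-in did not load."
}
"Ready: execution policy is $policy and $snapin is loaded."
```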
If you have not used PowerShell before, here are step-by-step
instructions to execute commands.
Method 1 (Quick)
- Launch PowerShell
- Copy the code into memory
(For instance, from Example 1 below)
- Right-click on the PowerShell symbol

- Edit --> Paste
- Press enter to execute the code
Method 2 (Best)
- Prepare to run cmdlets with this PowerShell command:
set-ExecutionPolicy RemoteSigned
- Copy the code below into a text file.
- Save the file with a .ps1 extension, for example: MyOu.ps1
- In PowerShell, navigate to where you saved MyOu.ps1
- Issue this command:
.\MyOu.ps1 (dot backslash filename)
This week's featured command is Get-QADUser. Let us assume that you
have achieved objective 1; now this is all you need to do before running my
script:
a) Connect to Active Directory; best would be to log on at a domain controller
in a test network. (Virtual PC?)
b) Find the variable $OU in my script; then amend its value to reflect
your domain and your Organizational Unit. You may need to do a little
extra work to create an OU and a handful of users.
Example 1 - List Users in a Named OU
# PowerShell script to list Active Directory users in a named OU
# Author: Guy Thomas
# Version 1.4 July 2008 tested on PowerShell v 1.0
$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU
Note 1: -SearchRoot is the key parameter which
connects to Active Directory.
Note 2: You did change the value of $OU, didn't you? Also remember that
these QAD cmdlets don't exist in the initial PowerShell install; they are
only available after you successfully run:
add-PSSnapin quest.activeroles.admanagement
If your script does not work, refer back to Objective 1.
Example 2a - How to Discover the Names of a User's Properties
These QAD cmdlets are designed to fit seamlessly into PowerShell; for
example, we can apply our trusty interrogation techniques, such as get-help
get-QADUser.
# PowerShell script to list a User's Properties
# Author: Guy Thomas
# Version 1.1 July 2008 tested on PowerShell v 1.0
get-Help get-QADUser
Note 1: I suggest you try my parallel learning
technique and match the user properties revealed by QADUser, with the
property sheet that you see in Active Directory Users and Computers.
Example 2b - How to List a User's Property (Corrected version)
As with many of my scripts, there are two learning threads in this example, a real-life
objective (Listing user properties) and also learning PowerShell
techniques
(Piping and word-wrap).
# PowerShell script to list users and their descriptions
# Author: Guy Thomas
# Version 1.1 July 2008 tested on PowerShell v 1.0
$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU `
| format-Table FirstName, LastName, description -auto
Note 1: The unusual backtick symbol (`) means, wrap the
command to the next line.
Note 2: The pipe symbol (|) is PowerShell's
signature tune; it means push the output of the first clause (get-QADUser) into this
next command (format-Table).
Challenges: If I were you I would take a timeout to add
values to your user's property sheet, e.g. LastName, Description, also
manager and location.
The second part of my challenge is to put into practice what we learned with
get-help get-QADUser, namely to add fields different from those in my
Example 2b, for example, Company or Office.
My objectives here are twofold. Firstly, to practice scripting Active
Directory in a relatively harmless fashion. Changing a user's
property called 'Description' is less intrusive than changing their password.
Secondly, if we add a known description to just a few test users then we
have a handle to filter Active Directory. Just to emphasise: the benefit of
having a description is that we have an extra control to prevent a rogue
script changing everybody's password. Next week I want to create a script
which says, 'If Description = xyz, then change the password'.
# PowerShell script to change a user's description
# Author: Guy Thomas
# Version 1.1 July 2008 tested on PowerShell v 1.0
clear-host
$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU `
| set-QADUser -Description "Supremo" `
| FT FirstName, LastName, description, company, office -auto
Note 1: Never miss a chance to learn a PowerShell
verb; mostly you employ 'get', but observe that here we also employ the more
useful 'set'.
Note 2: See how I reinforce the idea of piping (|):
the output of 'set' becomes the input of FT, which stands for
format-Table.
Note 3: Clear-Host is both optional and cosmetic,
it merely clears the screen.
Challenge: You could try changing two, or more properties with the
same set command, for example, set-QADUser -Description "Supremo"
-Company "Our Company"
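The 'extra control' described above, sketched as an added example that is not from the original ezine: the change is applied only to users carrying the known description, and the script stops if the match is empty or larger than expected. $Marker and $MaxUsers are hypothetical names, and the example assumes your version of the snap-in accepts PowerShell's standard -WhatIf switch on set-QADUser.

```powershell
# Added example: limit a bulk change to a known, counted set of test users.
$OU       = "YourDomName/YourOu"   # amend, as in Example 1
$Marker   = "Supremo"              # the description set by the script above
$MaxUsers = 10                     # assumed ceiling for a handful of test users

# Select only the users in the OU whose Description equals the marker.
# -SizeLimit 0 removes the result cap so that the count below is the true one.
$targets = @(get-QADUser -SearchRoot $OU -SizeLimit 0 |
    where-Object { $_.Description -eq $Marker })

# Refuse to continue if the filter matched nothing, or far too many accounts.
if ($targets.Count -eq 0) {
    throw "No users in $OU carry the description '$Marker'."
}
if ($targets.Count -gt $MaxUsers) {
    throw "Filter matched $($targets.Count) users, more than $MaxUsers; check `$OU and `$Marker."
}

# Show exactly who would be touched, then rehearse the change with -WhatIf.
$targets | format-Table FirstName, LastName, Description -auto
$targets | set-QADUser -Company "Our Company" -WhatIf

# When the preview lists only the intended users, rerun the last line
# without -WhatIf to make the change.
```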
Summary of Preparing PowerShell to Script Active Directory
Before you can manipulate Active Directory objects such as users, you must
prepare the ground by downloading and installing the QAD snap-ins.
Once you have completed this one-off task, scripting Active Directory with
PowerShell becomes incredibly easy.