1. Using the Active Directory Module in Windows Server 2008 R2
The Active Directory Module for Windows Server 2008
R2 includes more than 70 commands you can use to easily create and
manipulate Active Directory objects.
Tip
The Active Directory Module is not available for
Windows Server 2008 at this writing. It is available only on Windows
Server 2008 R2.
You can use this as a feature after you have promoted
a Windows Server 2008 R2 server to a domain controller and imported the
module with the following two commands:
PS C:\> import-module servermanager
PS C:\> add-windowsfeature rsat-ad-powershell
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No NoChan... {}
PS C:\>
After it’s added, you need to launch Active Directory Module for Windows PowerShell via the Administrative Tools menu with administrative permissions.
Note
You do not have access to the extended commands in a normal PowerShell window.
The following table shows some of the usages of these
objects. As long as you can create a distinguished name (DN), these
commands are quite simple to use.
Tip
You have access to the same help with all of these commands. For example, you can enter get-help command, get-help command -full, and get-help command -examples. You can also tab through the commands by typing get-ad, or set-ad, or new-ad, and then pressing Tab to tab through the available commands.
PowerShell Commands to Create AD Objects | Comments
---|---
Create an OU.<br>`new-adorganizationalunit -name ou-name -path dn`<br>`PS C:\> new-adorganizationalunit -name ITAdmins -path "dc=pearson,dc=pub"` | The new-adorganizationalunit cmdlet creates new OUs. It requires a name and a path. The example creates an OU named ITAdmins in the pearson.pub domain.
Create a user.<br>`new-aduser -samaccountname username -name username -path "dn"`<br>`PS C:\> new-aduser -samaccountname Dawn -name Dawn -path "ou=itadmins,dc=pearson,dc=pub"` | You can create a new user with the new-aduser cmdlet. The example creates a user named Dawn in the itadmins OU. Note: If any of the properties have spaces, they must be enclosed in quotes. The DN is quoted for the same reason: left as a bare word, PowerShell splits it at the commas into an array.
Move a user.<br>`get-aduser username \| move-adobject -targetpath "dn"`<br>`PS C:\> get-aduser Dawn \| move-adobject -targetpath "ou=sales,dc=pearson,dc=pub"` | You can move a user with the move-adobject cmdlet. The example first gets the user named Dawn with the get-aduser cmdlet, and then it pipes the result to the move-adobject cmdlet. The move-adobject specifies the target OU using the DN and moves the user to the Sales OU.
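The three table rows as one script you can rerun without errors, written as an added example (not code from the original text). The domain pearson.pub and the OU names come from the text; the user name, the password prompt and the assumption that the Sales OU already exists are mine.

```powershell
# Added example: create the OU, create the user, move the user, using the
# Active Directory module. Rerunnable: each step checks before it changes.
# Assumes the pearson.pub domain from the text and an existing Sales OU.
Import-Module ActiveDirectory

$domainDN = 'dc=pearson,dc=pub'
$ouName   = 'ITAdmins'
$ouDN     = "ou=$ouName,$domainDN"
$salesDN  = "ou=Sales,$domainDN"
$sam      = 'Dawn'                      # hypothetical user name

# Get-ADOrganizationalUnit -Identity throws when the OU is missing, so test
# with -Filter instead of using an exception for normal control flow.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# sAMAccountName must be unique in the domain; look it up before creating.
$user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
if (-not $user) {
    # Read-Host -AsSecureString keeps the initial password out of the script
    # file and the command history; the user must change it at first logon.
    $initial = Read-Host "Initial password for $sam" -AsSecureString
    $user = New-ADUser -SamAccountName $sam -Name $sam -Path $ouDN `
        -AccountPassword $initial -ChangePasswordAtLogon $true `
        -Enabled $true -PassThru
}

# A DN contains commas, so it is always passed as a quoted string: a bare
# ou=Sales,dc=pearson,dc=pub would be parsed by PowerShell as an array.
if ($user.DistinguishedName -notlike "*,$salesDN") {
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $salesDN
}

# Read the object back and confirm where it now lives.
(Get-ADUser -Identity $sam).DistinguishedName
```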
2. Creating and Manipulating Objects in Windows Server 2008
If you’re not running Windows Server 2008 R2, you can
still create and manipulate objects with Windows PowerShell, but there
is a little more coding. The following examples show how to create an
OU, create a user, and move the user.
Creating an OU with PowerShell
You can use the following script to create an OU.
$objdom = [adsi]""
$objou = $objdom.create("organizationalunit", "ou=IT Admins")
$objou.setinfo()
The lines in the script are explained in the following table.
PowerShell Commands to Create AD Objects | Comments
---|---
`$objdom = [adsi]""` | Creates an object named $objdom and populates it with the value of the current domain.
`$objou = $objdom.create("organizationalunit", "ou=IT Admins")` | Creates an object named $objou and populates it using the $objdom.create method. This method needs two parameters: the type of object (organizationalunit in this case) and the name of the object after ou=. Note: Both parameters in the create method must be enclosed in quotes.
`$objou.setinfo()` | The setinfo method actually creates the object.
Creating a User with PowerShell
The following code shows how you can create a user in a domain, and the table explains this code:
$objou = [adsi]("LDAP://ou=it admins, dc=pearson, dc=pub")
$objuser = $objou.create("user", "cn=Sally Pearson")
$objuser.put( "samaccountname", "Sally" )
$objuser.setinfo()
Code | Explanation
---|---
`$objou = [adsi]("LDAP://ou=it admins, dc=pearson, dc=pub")` | The first line creates an object pointing to the target OU using the ADSI helper. Note: LDAP must be entered in all capital letters.
`$objuser = $objou.create("user", "cn=Sally Pearson")` | The $objou.create method identifies the object as a user object and then gives the common name (cn). This results in a distinguished name for the user of "cn=Sally Pearson,ou=it admins,dc=pearson,dc=pub".
`$objuser.put("samaccountname", "Sally")` | You can add any properties for the user that are desired with the put method. This line adds the samaccountname for the user.
`$objuser.setinfo()` | The setinfo method creates the object using the properties and settings identified in the previous lines. Figure 1 shows the user created in the OU as a result of the previous script used to create the OU, and the script used to create the user.
Moving Objects with PowerShell
You can use the following three lines to move an object in Active Directory, and the following table explains this code:
$obj = [adsi]("LDAP://cn=sally pearson,ou=it admins,dc=pearson,dc=pub")
$target = [adsi]("LDAP://ou=sales,dc=pearson,dc=pub")
$obj.MoveTo($target)
Code | Explanation
---|---
`$obj = [adsi]("LDAP://cn=sally pearson,ou=it admins,dc=pearson,dc=pub")` | The first line identifies the object that you want to move and places it into the object named $obj. Note: LDAP must be all uppercase. Tip: Although the example uses the DN of a user object, you can use the DN of any object that you want to move.
`$target = [adsi]("LDAP://ou=sales,dc=pearson,dc=pub")` | The next line identifies the DN of the new location and places it in the object $target.
`$obj.MoveTo($target)` | You can then use the MoveTo method of the $obj object. The $target parameter identifies where it will be moved.
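The three ADSI scripts in this section (create the OU, create the user, move the user) combined into one sequence that checks each path before it acts, as an added example rather than one of the original scripts. The domain pearson.pub and the OU and user names come from the text; the Test-AdsiPath helper and the assumption that the Sales OU already exists are mine.

```powershell
# Added example: the ADSI create-OU, create-user and move steps as one
# rerunnable script. Assumes the pearson.pub domain and an existing Sales OU.
$domainDN = 'dc=pearson,dc=pub'
$ouDN     = "ou=IT Admins,$domainDN"
$salesDN  = "ou=sales,$domainDN"
$cn       = 'Sally Pearson'
$sam      = 'Sally'

# [adsi]::Exists is a static method of System.DirectoryServices.DirectoryEntry.
# The LDAP provider prefix is case-sensitive, so it stays uppercase.
function Test-AdsiPath([string]$dn) { [adsi]::Exists("LDAP://$dn") }

if (-not (Test-AdsiPath $ouDN)) {
    $objdom = [adsi]''                   # empty path binds to the current domain
    $objou  = $objdom.Create('organizationalUnit', 'ou=IT Admins')
    $objou.SetInfo()                     # nothing is written until SetInfo
}

$userDN = "cn=$cn,$ouDN"
if (-not (Test-AdsiPath $userDN) -and -not (Test-AdsiPath "cn=$cn,$salesDN")) {
    $objou   = [adsi]"LDAP://$ouDN"
    $objuser = $objou.Create('user', "cn=$cn")
    $objuser.Put('sAMAccountName', $sam)
    $objuser.Put('userPrincipalName', "${sam}@pearson.pub")
    $objuser.SetInfo()
    # A user created this way has no password and is disabled
    # (userAccountControl 514); it stays unusable until a password is set.
}

if (Test-AdsiPath $userDN) {
    $obj    = [adsi]"LDAP://$userDN"
    $target = [adsi]"LDAP://$salesDN"
    $obj.MoveTo($target)                 # applied immediately, no SetInfo needed
}

# Read the object back from its new DN to confirm the move.
$moved = [adsi]"LDAP://cn=$cn,$salesDN"
'{0} is now at {1}' -f $moved.sAMAccountName, $moved.distinguishedName
```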