We have made significant improvements in ADSI support in the upcoming release of Windows PowerShell RC2. In this and future blogs, I will talk about how to use Windows PowerShell for ADSI Scripting. Windows Scripting Guide 2000 provided scripting examples with VBS. The content for this blog is adapted from Windows 2000 Scripting guide.
ADSI Scripting with Windows PowerShell
Active Directory management is all about management of directory objects from creation to deletion. There are four main categories of tasks in active directory management
We will take a look at how to do these tasks using Windows PowerShell Scripts.
Creating Directory Service Objects
Creating Active Directory objects involves four basic steps:
The goal of the three scripts in this section is to create an OU named HR (Human Resources department), a user account named MyerKen in the HR OU, and a group named Atl-Users, also in the HR OU.
Creating an OU
The following script creates an OU named HR in the na.fabrikam.com domain. All mandatory attributes of an OU are automatically assigned a value by Active Directory. Therefore, the step that sets mandatory attributes does not appear in this script
To carry out this task, the script performs the following steps:
Creating an OU
$objDomain = [ADSI]"LDAP://localhost:389/dc=NA,dc=fabrikam,dc=com"
$objOU = $objDomain.Create("organizationalUnit", "ou=HR")
Creating a User Account
The following script creates a user account named MyerKen in the OU named HR. The HR OU is located in the na.fabrkam.com domain. To carry out this task, the script performs the following steps:
HR is the OU that was created by running the previous script
Using an uppercase letter for the first letter of the last and first name is not necessary. However, the case is preserved when the object is saved to Active Directory. Therefore, users will be able to distinguish the last name from the first name when searching Active Directory.
There is no need to capitalize the first letter of the last and first name for this attribute’s value because, typically, users do not perform user account searches on the sAMAccountName attribute.
$objOU = [ADSI]"LDAP://localhost:389/ou=HR,dc=NA,dc=fabrikam,dc=com"
$objUser = $objOU.Create("user", "cn=MyerKen")
Creating a Group
The following script creates a global group named Atl-Users in the OU named HR, located in the na.fabrikam.com domain. To carry out this task, the script performs the following steps:
By default, the script creates a global group.
Like creating a user account, creating a security group requires a single mandatory attribute, sAMAccountName.
$objGroup = $objOU.Create("group", "cn=Atl-Users")
Important observations about the scripts in this section are:
We will look into other tasks in future blog postings.
PSMDTAG:FAQ: How to create directory Services objects
PSMDTAG:FAQ: How to create ADSI objects?