We have made significant improvements to ADSI support in the upcoming release of Windows PowerShell RC2. In this and future blog posts, I will talk about how to use Windows PowerShell for ADSI scripting. The Windows 2000 Scripting Guide provided scripting examples in VBScript; the content of this post is adapted from that guide.
ADSI Scripting with Windows PowerShell
Active Directory management is all about managing directory objects, from creation to deletion. There are four main categories of tasks in Active Directory management:
We will take a look at how to do these tasks using Windows PowerShell Scripts.
Creating Directory Service Objects
Creating Active Directory objects involves four basic steps:
The goal of the three scripts in this section is to create an OU named HR (Human Resources department), a user account named MyerKen in the HR OU, and a group named Atl-Users, also in the HR OU.
Creating an OU
The following script creates an OU named HR in the na.fabrikam.com domain. All mandatory attributes of an OU are automatically assigned a value by Active Directory, so the step that sets mandatory attributes does not appear in this script.
To carry out this task, the script performs the following steps:
$objDomain = [ADSI]"LDAP://localhost:389/dc=NA,dc=fabrikam,dc=com"
$objOU = $objDomain.Create("organizationalUnit", "ou=HR")
$objOU.SetInfo()
Creating a User Account
The following script creates a user account named MyerKen in the OU named HR. The HR OU is located in the na.fabrikam.com domain. To carry out this task, the script performs the following steps:
HR is the OU that was created by running the previous script.
Using an uppercase letter for the first letter of the last and first name is not necessary. However, the case is preserved when the object is saved to Active Directory. Therefore, users will be able to distinguish the last name from the first name when searching Active Directory.
There is no need to capitalize the first letter of the last and first name for this attribute’s value because, typically, users do not perform user account searches on the sAMAccountName attribute.
$objOU = [ADSI]"LDAP://localhost:389/ou=HR,dc=NA,dc=fabrikam,dc=com"
$objUser = $objOU.Create("user", "cn=MyerKen")
$objUser.Put("sAMAccountName", "myerken")
$objUser.SetInfo()
Creating a Group
The following script creates a global group named Atl-Users in the OU named HR, located in the na.fabrikam.com domain. To carry out this task, the script performs the following steps:
By default, the script creates a global group.
Like creating a user account, creating a security group requires a single mandatory attribute, sAMAccountName.
# Bind to the HR OU first (the same bind used in the user script), so this script runs on its own
$objOU = [ADSI]"LDAP://localhost:389/ou=HR,dc=NA,dc=fabrikam,dc=com"
$objGroup = $objOU.Create("group", "cn=Atl-Users")
$objGroup.Put("sAMAccountName", "Atl-Users")   # the only mandatory attribute for a group
$objGroup.SetInfo()
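Here is an added example that is not one of the Scripting Guide's scripts: it wraps the user and group creation above in reusable functions, checks whether the object already exists before creating it, and reads back what Active Directory assigned by default. It assumes the same na.fabrikam.com domain and localhost:389 path as the scripts above; the function names, the [ADSI]::Exists check and the explicit groupType value are my additions.

```powershell
# Added example; not one of the post's scripts. Same DC and domain as above.
$server = "localhost:389"
$ouPath = "LDAP://$server/ou=HR,dc=NA,dc=fabrikam,dc=com"

# Create a user under $objOU unless one with that cn is already there.
# Returns the DirectoryEntry for the user in either case.
function New-HRUser($objOU, $cn, $sam) {
    $userPath = "LDAP://$server/cn=$cn," + $objOU.Get("distinguishedName")
    if ([ADSI]::Exists($userPath)) {
        Write-Host "User $cn already exists in HR; not recreating"
        return [ADSI]$userPath
    }
    $objUser = $objOU.Create("user", "cn=$cn")
    $objUser.Put("sAMAccountName", $sam)   # the single mandatory attribute
    $objUser.SetInfo()
    $objUser.GetInfo()   # reload the property cache so AD-assigned defaults are visible
    # ADS_UF_ACCOUNTDISABLE = 0x2. An account created this way has no password yet,
    # so AD leaves it disabled (userAccountControl 514); nothing here enables it.
    $uac = $objUser.Get("userAccountControl")
    if (($uac -band 0x2) -eq 0) {
        Write-Warning "$cn was created enabled (userAccountControl=$uac); review before use"
    } else {
        Write-Host "$cn created disabled (userAccountControl=$uac)"
    }
    return $objUser
}

# Create a group under $objOU with an explicit groupType instead of relying on the default.
# -2147483646 = ADS_GROUP_TYPE_GLOBAL_GROUP (0x2) -bor ADS_GROUP_TYPE_SECURITY_ENABLED
# (0x80000000), i.e. a global security group, written as a signed 32-bit value.
function New-HRGroup($objOU, $cn, $sam, $groupType = -2147483646) {
    $groupPath = "LDAP://$server/cn=$cn," + $objOU.Get("distinguishedName")
    if ([ADSI]::Exists($groupPath)) { return [ADSI]$groupPath }
    $objGroup = $objOU.Create("group", "cn=$cn")
    $objGroup.Put("sAMAccountName", $sam)
    $objGroup.Put("groupType", $groupType)
    $objGroup.SetInfo()
    return $objGroup
}

$objOU    = [ADSI]$ouPath
$objUser  = New-HRUser  $objOU "MyerKen"   "myerken"
$objGroup = New-HRGroup $objOU "Atl-Users" "Atl-Users"
# Read back the stored groupType to confirm AD kept it as a security group
$objGroup.GetInfo()
"groupType stored: " + $objGroup.Get("groupType")
```

Running it twice is safe: the second run finds both objects and returns them without calling Create again.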
Important observations about the scripts in this section are:
We will look into other tasks in future blog postings.
Arul Kumaravel
Development Manager
Windows PowerShell
Microsoft Corporation
PSMDTAG:FAQ: How to create directory Services objects
PSMDTAG:FAQ: How to create ADSI objects?