Managing Active Directory with Windows PowerShell

MOW is now posting the details of his Managing Active Directory with Windows PowerShell demo that he performed at my TechEd talk.  This is worthwhile for everyone to review.  For the people at the talk, we covered a huge amount of data in a very short time so it would be worthwhile to walk through the details.  For everyone else, the point we were making was that while the optimal world is one where every team on the planet has written Cmdlets giving you the best scripting experience, this world will not be delivered in V1.0.  That doesn't mean that you are stuck.  I showed how this was not a problem because Windows PowerShell embraces and extends the existing scripting worlds.  It can do TEXT based scripting, it can do COM based scripting (these alone give you the vast bulk of the capabilities of today's scripting worlds but it's better because you can leverage our utility and formatting cmdlets).  I then made the point that in addition to these, Windows PowerShell also gives you the ability to script against .NET itself, giving you access to a very nice, very large, and rapidly growing set of functions.

In V1.0, we don't have Cmdlets for managing Active Directory (AD).  MOW showed how you can leverage Windows PowerShell's ability to script .NET directly to manage AD while still taking advantage of our rich utilities and formatting.  Check out Part 1 of the details at:

Jeffrey Snover
Windows PowerShell Architect

PSMDTAG:FAQ: How do I manage Active Directory?
PSMDTAG:FAQ: How do I manage AD?
PSMDTAG:PHILOSOPHY: Take advantage of what is available (in this case DOTNET).

  • There are already some PowerShell scripts submitted to the TechNet Community-Submitted Script Centre.

  • Part 3 is missing the section on how to set a password for a user.  Does anyone have any idea how this is done?  I tried using SetPassword to no avail.  Please advise.  Example shown below:

    $AD = new-object System.DirectoryServices.DirectoryEntry
    $u = $AD.get_Children().Find("CN=Users")
    $AD = $u.get_Children().add("CN=dietcoke",'User')
    $NewUser = $u.get_Children().Find("CN=dietcoke")
  • $NewUser.Invoke("changepassword", "", "testpasswort")

    If u just created this new account then the default password is empty, 2nd param!

    3rd param is new password!
  • if u do not know the old password then use
    $NewUser.Invoke("setpassword", "newpassword")
  • Thanks for your input!
  • I want to sync some stuff from a Unix LDAP to AD, but I can't get the authentication to work with System.DirectoryServices.DirectoryEntry. My UNIX LDAP accepts Anonymous, but apparently in .Net 2 the default is Secure. Any idea how to change the default to anonymous or to use LDAP user credentials?

    Thanks for your help.


  • If my users are in local users and groups, not active directory, how can this be done?  How does one create a user account and set the password in powershell onto local host?

    My workstation is on a small LAN without an AD server.

  • Trying the MOW code, but my AD provider doesn't offer any methods for the DirectoryEntry object.  When I do a "get-members", I only see properties, and any call to Get_children fails.

    I am running Vista and the freshly downloaded powershell for Vista.  

    Any ideas?

  • @ James, there were some changes in AD support since then see :

    Greetings /\/\o\/\/

  • I'm wondering if it's possible to generate a list of users in AD who haven't used their account in the last six months excluding anyone who's received a new account in that time.  Currently, we have to manually filter those people out and often miss some.

  • You should use OLDCMP for finding stale user/computer accounts. I'm managing 40000+ accounts, and during reviews, we haven't missed any.  You can get cute with VBScript and LDAP filter to find stale accounts that have never been used over x number of days, but it can be done.
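
The LDAP-filter approach mentioned above, done in PowerShell through .NET's DirectorySearcher, as an added example that is not part of the original comments or of MOW's demo. The function names are hypothetical, and `Find-StaleUser` assumes a domain-joined machine in a domain where `lastLogonTimestamp` is populated.

```powershell
# Added example; function names are hypothetical, not from the original page.
function New-StaleUserFilter {
    param([datetime]$Now = (Get-Date), [int]$Months = 6)
    $cutoff = $Now.ToUniversalTime().AddMonths(-$Months)
    $inv = [Globalization.CultureInfo]::InvariantCulture
    # lastLogonTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    $fileTime = $cutoff.ToFileTimeUtc()
    # whenCreated is compared as an LDAP GeneralizedTime string.
    $created = $cutoff.ToString('yyyyMMddHHmmss', $inv) + '.0Z'
    # User accounts created before the cutoff whose last replicated logon is
    # older than the cutoff, or that have never logged on at all.
    # LDAP has no strict "<", so both comparisons use "<=".
    '(&(objectCategory=person)(objectClass=user)' +
        "(whenCreated<=$created)" +
        "(|(lastLogonTimestamp<=$fileTime)(!(lastLogonTimestamp=*))))"
}

function Find-StaleUser {
    param([int]$Months = 6)
    # With no SearchRoot, DirectorySearcher binds to the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = New-StaleUserFilter -Months $Months
    $searcher.PageSize = 1000   # paged search, so results are not capped
    $props = 'sAMAccountName', 'whenCreated', 'lastLogonTimestamp'
    $searcher.PropertiesToLoad.AddRange([string[]]$props)
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties   # property names are lower-cased here
            $last = $null
            if ($p['lastlogontimestamp'].Count -gt 0) {
                $last = [datetime]::FromFileTimeUtc($p['lastlogontimestamp'][0])
            }
            [pscustomobject]@{
                SamAccountName = [string]$p['samaccountname'][0]
                WhenCreated    = $p['whencreated'][0]
                LastLogonUtc   = $last
            }
        }
    } finally { $results.Dispose() }
}

# Constructed date, to show the generated filter without contacting a domain.
New-StaleUserFilter -Now ([datetime]'2024-07-01T00:00:00Z')
```

`lastLogonTimestamp` is replicated between domain controllers but by default is only refreshed when the stored value is roughly two weeks old, which is harmless against a six-month window. Accounts created inside the window are excluded by the `whenCreated` clause, so new users who have not logged on yet are not reported.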

  • I have a list of computer objects that need their description modified to another list of items.  How would I write a script to find the computer object and then write its description?



  • How can I find the user's domain name using PowerShell? I have 6 domains in my company.

    Thanks Sabri
