Unit 4 Lab Instructions: Administering Active Directory With Powershell
OVERVIEW
The Active Directory database is the primary source of data about network objects within a
Windows domain. It is used to provision computers and users and configure access to resources
in a Windows network. In this lab, you will learn to query Active Directory and perform
common administrative tasks using PowerShell.
OBJECTIVES
PREREQUISITES
SCENARIO
Your organization is investigating the use of the command line and scripting for network
administration. Active Directory is a key component of your network and you need to be able to
use PowerShell for administration. You have decided to investigate the PowerShell features
available for managing Active Directory in your lab environment.
TASKS
PowerShell comes with a module of commands for managing Active Directory. The module is
named ActiveDirectory. On a Windows server, the Active Directory module is installed
as part of the Active Directory installation. On a client machine, you need to download and
install the Remote Server Administration Tools from Microsoft’s website or import the module
into a PowerShell session. Once the module is installed, you need to import it into the
current session. This step is not required on systems that have dynamic module loading turned
on (Windows 8.1 and Windows Server 2012 R2 or newer). On these systems, a module is
loaded automatically when a user runs one of its commands.
To import the Active Directory Module, perform the following:
1. Log on to the DC1 virtual machine as corp\administrator
2. Open a PowerShell session with admin rights.
3. Type the following in PowerShell:
Import-Module ActiveDirectory
4. You should see some information flashing at the top of the screen and then the
command prompt is displayed again.
5. Type the following to view the commands in the Active Directory module:
New-ADOrganizationalUnit -Name SC
5. The command provides no feedback except the lack of an error. Type the following to
verify the OU was created:
Get-ADOrganizationalUnit -Filter *
7. Note the DistinguishedName property; it indicates the location of the object within
AD. When no location is specified with the Path parameter, the object is placed at the
root of the domain.
8. To create an organizational unit using the Path parameter, type the following:
10. To create the Users and Workstations OUs in the Greenville OU, type the following:
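The OU procedure above, as an added example rather than the lab's own commands: it builds the lab's OU tree with the Path parameter, skips OUs that already exist, and then lists the DistinguishedName of each OU. It assumes the lab domain corp.net (root DN DC=corp,DC=net) and the city OUs Greenville, Columbia and Charlotte under SC, each with Users and Workstations children.

```powershell
Import-Module ActiveDirectory
$domainDn = "DC=corp,DC=net"   # assumed root DN for the corp.net lab domain

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    # OneLevel limits the lookup to OUs directly under the parent, so a same-named OU
    # deeper in the tree does not cause a false "already exists"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # Path decides the parent; without it the OU would land at the domain root
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn
    }
    return $dn
}

# State OU at the domain root (equivalent to New-ADOrganizationalUnit -Name SC with no Path)
$scDn = New-OuIfMissing -Name "SC" -ParentDn $domainDn

# One OU per city under SC, each with Users and Workstations children
foreach ($city in "Greenville", "Columbia", "Charlotte") {
    $cityDn = New-OuIfMissing -Name $city -ParentDn $scDn
    New-OuIfMissing -Name "Users"        -ParentDn $cityDn | Out-Null
    New-OuIfMissing -Name "Workstations" -ParentDn $cityDn | Out-Null
}

# DistinguishedName shows where every OU sits in the tree
Get-ADOrganizationalUnit -Filter * -SearchBase $scDn |
    Format-Table Name, DistinguishedName -AutoSize
```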
CREATING USERS
Your supervisor (Mr. Azevedo) has asked you to create an account in your domain for him
that has administrative rights.
Use the following procedure to create a user account using PowerShell:
1. On the DC1 virtual machine, log on as corp\administrator
2. Open PowerShell with administrative rights.
3. Type the following to import the Active Directory commands (this is not necessary on
Windows Server 2012 R2 and later).
Import-Module ActiveDirectory
4. Create a new user with the following settings:
a. First name: Kevin
b. Initials: D
c. Last name: Azevedo
d. Full name: Kevin Azevedo
e. User logon name: kazevedo@corp.net
f. User logon name (pre-Windows 2000): kazevedo
g. Display Name: Kevin Azev
h. Name: Kevin Azevedo
i. Location: Users OU in the Greenville OU
5. Before we can create the user, we must create the password as a secure string and
assign it to a variable. To do this, type the following:
11. Create the following users in the Users OU in Columbia using the procedure above; do
not give them Domain Admin rights.
First Name   Last Name   Full Name      Logon Name          Logon Name (Pre-W2K)   Password
Grant        Stoome      Grant Stoome   gstoome@corp.net    gstoome                Password1
Hiram        Cheap       Hiram Cheap    hcheap@corp.net     hcheap                 Password1
Hugh         Jasse       Hugh Jasse     hjasse@corp.net     hjasse                 Password1
Ivana        Tinkle      Ivana Tinkle   itinkle@corp.net    itinkle                Password1
Jerry        Atric       Jerry Atric    jatric@corp.net     jatric                 Password1
Table 1 - Corp.net Columbia Users
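The user-creation procedure above and the Table 1 accounts, as an added example rather than the lab's own commands: the password is read once as a SecureString from the console instead of being written into the script, each user is created with New-ADUser in the right OU, and only Mr. Azevedo's account is placed in Domain Admins, which is how this example grants the administrative rights the lab asks for. It assumes the corp.net domain (root DN DC=corp,DC=net) and the OUs created in the earlier steps.

```powershell
Import-Module ActiveDirectory
$domainDn = "DC=corp,DC=net"   # assumed root DN for the corp.net lab domain

# Read the initial password once as a SecureString: nothing in plain text lands in the
# script file or the console history, and New-ADUser accepts it directly.
$initialPassword = Read-Host -Prompt "Initial password for the new accounts" -AsSecureString

function New-LabUser {
    param([string]$First, [string]$Last, [string]$Sam, [string]$OuDn,
          [string]$Initials, [string]$DisplayName)
    if (-not $DisplayName) { $DisplayName = "$First $Last" }
    # Skip an existing sAMAccountName instead of failing on the duplicate
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        Write-Warning "$Sam already exists; skipping"
        return
    }
    $params = @{
        Name                  = "$First $Last"      # object name (CN) in AD
        GivenName             = $First
        Surname               = $Last
        DisplayName           = $DisplayName
        SamAccountName        = $Sam                # pre-Windows 2000 logon name
        UserPrincipalName     = "$Sam@corp.net"     # user logon name
        Path                  = $OuDn               # the OU that receives the object
        AccountPassword       = $initialPassword
        Enabled               = $true               # new accounts stay disabled unless enabled here
        ChangePasswordAtLogon = $true               # the user picks a personal password at first logon
    }
    if ($Initials) { $params.Initials = $Initials }
    New-ADUser @params
}

# Mr. Azevedo goes in the Greenville Users OU with the display name the lab specifies
New-LabUser -First Kevin -Initials D -Last Azevedo -Sam kazevedo -DisplayName "Kevin Azev" `
            -OuDn "OU=Users,OU=Greenville,OU=SC,$domainDn"
# Only this account gets administrative rights; the Table 1 users remain ordinary users
Add-ADGroupMember -Identity "Domain Admins" -Members kazevedo

# The Table 1 users, all in the Columbia Users OU
$columbiaOu = "OU=Users,OU=Columbia,OU=SC,$domainDn"
$table1 = @(
    @{ First = "Grant"; Last = "Stoome"; Sam = "gstoome" },
    @{ First = "Hiram"; Last = "Cheap";  Sam = "hcheap"  },
    @{ First = "Hugh";  Last = "Jasse";  Sam = "hjasse"  },
    @{ First = "Ivana"; Last = "Tinkle"; Sam = "itinkle" },
    @{ First = "Jerry"; Last = "Atric";  Sam = "jatric"  }
)
foreach ($u in $table1) { New-LabUser @u -OuDn $columbiaOu }
```

If the password entered does not satisfy the domain password policy, New-ADUser reports an error and leaves the account disabled, so check the output before moving on.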
CREATING GROUPS
In order to control access to network resources efficiently and effectively, groups are necessary.
When assigning access to resources, security groups are required. To avoid creating more
groups than necessary, you need to know when to create groups with a specific scope.
Groups are generally created for each department, location, and the entire organization. In this
step, we will create a group for SC, each city in the SC OU and the entire organization.
To create a Global Security group to represent the Greenville location within the Greenville OU,
perform the following:
1. Log on to the DC1 virtual machine with an administrative account.
2. Open a PowerShell session with admin rights.
3. Type the following in PowerShell:
Get-ADGroup Greenville
Once you have created groups you will want to add members to these groups.
To add the user kazevedo to the Greenville group, perform the following:
1. In a PowerShell session, type the following:
4. Add the following members to the associated groups shown in Table 3 below. Note that you
can add multiple members to a group with a single command.
Group      Members
SC         Greenville, Charlotte, Columbia
Columbia   All the users in the Users OU in Columbia
Table 3 - Group Membership
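The group procedure and Table 3 above, as an added example rather than the lab's own commands: it creates a Global Security group for SC and for each city inside the matching OU, nests the city groups in SC, adds kazevedo to Greenville, and fills Columbia from a query of its Users OU in one Add-ADGroupMember call. It assumes the corp.net domain (root DN DC=corp,DC=net) and the OU tree from the earlier steps.

```powershell
Import-Module ActiveDirectory
$scDn = "OU=SC,DC=corp,DC=net"   # assumed DN of the SC OU in the corp.net lab domain

function New-LabGroup {
    param([string]$Name, [string]$OuDn)
    # Global scope: members come from this domain; Security category: usable in ACLs
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $OuDn
    }
}

New-LabGroup -Name "SC" -OuDn $scDn
foreach ($city in "Greenville", "Columbia", "Charlotte") {
    New-LabGroup -Name $city -OuDn "OU=$city,$scDn"
}

# Table 3, row 1: the city groups are members of SC; one command adds all three
Add-ADGroupMember -Identity "SC" -Members "Greenville", "Columbia", "Charlotte"

# kazevedo joins the Greenville group
Add-ADGroupMember -Identity "Greenville" -Members "kazevedo"

# Table 3, row 2: every user account in the Columbia Users OU; the query result
# feeds -Members directly, so no per-user loop is needed
$columbiaUsers = Get-ADUser -Filter * -SearchBase "OU=Users,OU=Columbia,$scDn"
Add-ADGroupMember -Identity "Columbia" -Members $columbiaUsers

# Verify: SC lists groups as members, Columbia lists users
Get-ADGroupMember -Identity "SC"       | Select-Object Name, objectClass
Get-ADGroupMember -Identity "Columbia" | Select-Object Name, objectClass
```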
Once users, groups, and computers have been provisioned, they still need to be maintained. It
is often helpful to manage multiple users simultaneously. For example, you may need to reset
the password of users at a specific location because you think they may have been
compromised or you may need to install software on all of the Windows 7 computers in your
domain. At these times, it is helpful to be able to query Active Directory for the specific users or
computers and then pipe the output to a command to perform the required task. PowerShell
has several commands that can be used to query for objects in Active Directory.
To perform the tasks in this section you need a PowerShell session with access to the Active
Directory module.
Get-ADUser -Filter *
3. You can tell your search to start in a particular location using the SearchBase parameter.
4. To list all of the users in the SC OU and below, type the following:
6. You can limit the search to the OU itself so that it does not descend into child OUs.
7. To list the users in the SC OU only, type the following (you can use 1 or the keyword
OneLevel):
8. The default value for SearchScope is 2, or Subtree, which searches the OU and all OUs
below it. SearchScope 0, or Base, can be used to test whether an object exists.
9. You can also use the Filter parameter to filter the output based on the value of a user
property.
10. To find all users whose logon name (samaccountname property) starts with the letter
“h”, type the following:
12. To list the users whose first name (givenname property) is Ivana, type the following:
14. You can use the same techniques with the following commands to find other objects:
a. Get-ADGroup: searches for groups
b. Get-ADOrganizationalUnit: searches for organizational units
c. Get-ADComputer: searches for computer accounts
d. Get-ADObject: searches for other AD objects
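The query steps above, as an added example rather than the lab's own commands: it shows the three SearchScope values (including Base as an existence test), server-side Filter expressions on samaccountname and givenname, a computer query by operating system, and the maintenance task the section describes, piping the users of one location into a password reset with a forced change at next logon. It assumes the corp.net domain (root DN DC=corp,DC=net) and the OU tree from the earlier steps.

```powershell
Import-Module ActiveDirectory
$scDn = "OU=SC,DC=corp,DC=net"   # assumed DN of the SC OU in the corp.net lab domain

# Subtree (2, the default): SC and every OU below it
Get-ADUser -Filter * -SearchBase $scDn | Select-Object SamAccountName, DistinguishedName

# OneLevel (1): only objects directly in SC; child OUs are not searched
Get-ADUser -Filter * -SearchBase $scDn -SearchScope OneLevel

# Base (0): the search base itself, which makes it an existence test.
# A missing SearchBase raises a terminating error under -ErrorAction Stop.
function Test-OuExists {
    param([string]$Dn)
    try {
        $null = Get-ADOrganizationalUnit -Filter * -SearchBase $Dn -SearchScope Base -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}
Test-OuExists "OU=Workstations,OU=Greenville,$scDn"

# Filter expressions are evaluated on the domain controller, not on the client
Get-ADUser -Filter 'SamAccountName -like "h*"' -SearchBase $scDn   # logon names starting with h
Get-ADUser -Filter 'GivenName -eq "Ivana"'     -SearchBase $scDn   # first name Ivana

# Computers by operating system; OperatingSystem must be requested with -Properties
Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' -Properties OperatingSystem |
    Select-Object Name, OperatingSystem

# Suspected compromise at one location: reset every Greenville user's password and
# require a new one at next logon. Run with -WhatIf first to see which accounts are affected.
$greenvilleUsers = "OU=Users,OU=Greenville,$scDn"
Get-ADUser -Filter * -SearchBase $greenvilleUsers | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

$tempPassword = Read-Host -Prompt "Temporary password for Greenville users" -AsSecureString
Get-ADUser -Filter * -SearchBase $greenvilleUsers | ForEach-Object {
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword $tempPassword
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
}
```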