Unit 4 Lab Instructions: Administering Active Directory With Powershell


UNIT 4 LAB INSTRUCTIONS: ADMINISTERING ACTIVE DIRECTORY WITH POWERSHELL

OVERVIEW

The Active Directory database is the primary source of data about network objects within a
Windows domain. It is used to provision computers and users and configure access to resources
in a Windows network. In this lab, you will learn to query Active Directory and perform
common administrative tasks using PowerShell.

OBJECTIVES

8.3. Query the Active Directory database to locate information


8.4. Provision users, groups, and computers in Active Directory

PREREQUISITES

 A virtual machine running the Windows 7 operating system


 A virtual machine running the Windows 8.1 or later operating system
 A virtual machine running the Windows Server 2012 R2 or later operating system

SCENARIO

Your organization is investigating the use of the command line and scripting for network
administration. Active Directory is a key component of your network and you need to be able to
use PowerShell for administration. You have decided to investigate the PowerShell features
available for managing Active Directory in your lab environment.

TASKS

EXPLORING ACTIVE DIRECTORY COMMANDS

PowerShell provides a module of commands for managing Active Directory. The module is
named ActiveDirectory. On a Windows server, the module is installed together with the
Active Directory Domain Services role (or the AD DS management tools). On a client machine,
you need to download and install the Remote Server Administration Tools (RSAT) from
Microsoft's website; the module cannot be imported until it is present on the machine. Once
the module is installed, you import it into the current session. This step is not required on
systems with module auto-loading (Windows 8.1 and Windows Server 2012 R2 or newer): on
these systems a module is loaded automatically the first time one of its commands is used.
To import the Active Directory Module, perform the following:
1. Logon to the DC1 Virtual machine as corp\administrator
2. Open a PowerShell session with admin rights.
3. Type the following in PowerShell:

Import-Module ActiveDirectory

4. You should see some information flashing at the top of the screen and then the
command prompt is displayed again.
5. Type the following to view the commands in the Active Directory module:

Get-Command -Module ActiveDirectory

6. You should see the screen shown in Figure 1 below.

Figure 1 - Partial listing of commands in AD Module

7. We will explore some of these commands in the following tasks.



CREATING ORGANIZATIONAL UNITS

Your organization has the Active Directory OU structure shown in Figure 2. Organizational
Units are used to organize objects in Active Directory for ease of location, for delegation
of administrative control, and for the application of Group Policy. You wish to replicate the
OUs in your lab environment using PowerShell.

To create an organizational unit (OU), perform the following:


Figure 2 - Corp.net OU Structure

1. Logon to the DC1 virtual machine as corp\administrator
2. Open a PowerShell session with admin rights.
3. Import the Active Directory module if not already imported.
4. Type the following command to create the SC OU:

New-ADOrganizationalUnit -Name SC

5. The command provides no feedback other than the absence of an error (add -PassThru if
you want the new object returned). Type the following to verify the OU was created:

Get-ADOrganizationalUnit -Filter *

6. You should see the output in Figure 3 below.

Figure 3 - Output from the Get-ADOrganizationalUnit command

7. Note the DistinguishedName property; it indicates the location of the object within AD.
When no location is specified with the -Path parameter, the object is placed at the root
of the domain.
8. To create an organizational unit using the -Path parameter, type the following:

New-ADOrganizationalUnit -Name Greenville -Path "OU=SC,DC=Corp,DC=net"

9. This creates an OU named Greenville in the SC OU.



10. To create the Users and Workstations OUs in the Greenville OU type the following:

"Users", "Workstations" | % { New-ADOrganizationalUnit -Name $_ -Path "OU=Greenville,OU=SC,DC=Corp,DC=net" }

11. The % symbol is an alias for the ForEach-Object cmdlet.


12. Verify that all the OUs have been created using the following command:

Get-ADOrganizationalUnit -Filter * | Format-Table Name,DistinguishedName

13. You should see the output shown in Figure 4 below.

Figure 4 - Verifying OU creation

14. Create the remaining OUs shown in Figure 2.
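The procedure above creates each OU by hand and relies on a missing error as the only confirmation. The script below is an added example, not part of the lab text, that builds the whole tree in one pass, skips OUs that already exist so it can be re-run safely, and returns each created object with -PassThru. It assumes the tree in Figure 2 is SC at the domain root with one OU per city (Greenville, Columbia, Charlotte) and Users and Workstations beneath each city; adjust the two lists if your Figure 2 differs. The domain DN is read from Get-ADDomain rather than hard-coded.

```powershell
# Added example: build the corp.net OU tree idempotently (assumed layout, see lead-in).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # DC=corp,DC=net on the lab DC

function New-OUIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path
    )
    $dn = "OU=$Name,$Path"
    # A -Filter lookup returns nothing when the OU is absent; an -Identity lookup
    # would throw, which is why the check is written this way.
    $existing = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'" -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Already exists: $dn"
        return $existing
    }
    # -PassThru returns the new object so the caller can see it was created.
    New-ADOrganizationalUnit -Name $Name -Path $Path -PassThru
}

$cities   = 'Greenville', 'Columbia', 'Charlotte'   # assumption: cities under SC
$children = 'Users', 'Workstations'                 # assumption: same children per city

$sc = New-OUIfMissing -Name 'SC' -Path $domainDN
foreach ($city in $cities) {
    $cityOU = New-OUIfMissing -Name $city -Path $sc.DistinguishedName
    foreach ($child in $children) {
        New-OUIfMissing -Name $child -Path $cityOU.DistinguishedName | Out-Null
    }
}

# Verify: Subtree is the default search scope, so this lists everything under SC.
Get-ADOrganizationalUnit -Filter * -SearchBase $sc.DistinguishedName |
    Sort-Object DistinguishedName |
    Format-Table Name, DistinguishedName -AutoSize

# New-ADOrganizationalUnit sets ProtectedFromAccidentalDeletion to $true by default,
# so tearing a lab OU down requires clearing that flag first, for example:
#   Set-ADOrganizationalUnit -Identity "OU=Charlotte,$($sc.DistinguishedName)" -ProtectedFromAccidentalDeletion $false
```

Run it with -Verbose on the function calls (or set $VerbosePreference) to see which OUs were skipped on a second run.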

CREATING USERS

Your supervisor (Mr. Azevedo) has requested you to create an account in your domain for him
that has administrative rights.
Use the following procedure to create a user account using PowerShell:
1. On the DC1 virtual machine logon as corp\administrator
2. Open PowerShell with administrative rights.
3. Type the following to import the Active Directory commands (this is not necessary on
Windows Server 2012 R2 and later).
Import-Module ActiveDirectory
4. Create a new user with the following settings:
a. First name: Kevin
b. Initials: D
c. Last name: Azevedo
d. Full name: Kevin Azevedo
e. User logon name: kazevedo@corp.net
f. User logon name (pre-Windows 2000): kazevedo
g. Display Name: Kevin Azevedo
h. Name: Kevin Azevedo
i. Location: Users OU in the Greenville OU

5. Before we can create the user, we must convert the password to a secure string and
assign it to a variable. Type the following:

$passwd = ConvertTo-SecureString -AsPlainText "Password1" -Force

Note that typing the password in plain text on the command line records it in the
PowerShell history (and in any transcript). That is acceptable in this lab; on a
production system prompt for it instead with Read-Host -AsSecureString.

6. Our password is now a secure string in the $passwd variable.

7. Type the following command to create this user (the backtick continues the command
onto the next line):

New-ADUser -Name "Kevin Azevedo" -GivenName Kevin -Initials D -Surname Azevedo `
    -UserPrincipalName kazevedo@corp.net -SamAccountName kazevedo -DisplayName "Kevin Azevedo" `
    -Path "OU=Users,OU=Greenville,OU=SC,DC=corp,DC=net" -AccountPassword $passwd -Enabled $True
8. Verify the user was created by typing the following command in PowerShell:
Get-ADUser kazevedo
Use the following procedure to give the user administrative rights to your domain:
9. Type the following command in PowerShell:
Add-ADGroupMember -Identity "Domain Admins" -Members kazevedo
10. Verify the user was added to the Domain Admins group by typing the following
command:
Get-ADGroupMember -Identity "Domain Admins"

11. Create the following users in the Users OU in Columbia using the procedure above; do
not give them Domain Admin rights.

First Name   Last Name   Full Name      Logon Name          Logon Name (Pre-W2K)   Password
Grant        Stoome      Grant Stoome   gstoome@corp.net    gstoome                Password1
Hiram        Cheap       Hiram Cheap    hcheap@corp.net     hcheap                 Password1
Hugh         Jasse       Hugh Jasse     hjasse@corp.net     hjasse                 Password1
Ivana        Tinkle      Ivana Tinkle   itinkle@corp.net    itinkle                Password1
Jerry        Atric       Jerry Atric    jatric@corp.net     jatric                 Password1
Table 1 - Corp.net Columbia Users
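Creating the five Table 1 accounts one New-ADUser at a time repeats the same dozen parameters five times. The script below is an added example, not part of the lab, that creates them from a list embedded as CSV text (constructed here to match Table 1; with a real file you would use Import-Csv instead). It prompts for the initial password rather than putting it on the command line, skips accounts that already exist, and sets ChangePasswordAtLogon so the shared initial password is rotated at first use. The target OU path assumes the Columbia Users OU from Figure 2 exists at OU=Users,OU=Columbia,OU=SC under the domain.

```powershell
# Added example: bulk-create the Table 1 users from embedded CSV data.
Import-Module ActiveDirectory

# Constructed sample input matching Table 1 (replace with Import-Csv .\users.csv).
$csv = @'
GivenName,Surname,SamAccountName
Grant,Stoome,gstoome
Hiram,Cheap,hcheap
Hugh,Jasse,hjasse
Ivana,Tinkle,itinkle
Jerry,Atric,jatric
'@
$users = $csv | ConvertFrom-Csv

$domain    = Get-ADDomain
$upnSuffix = $domain.DNSRoot                                   # corp.net
$targetOU  = "OU=Users,OU=Columbia,OU=SC,$($domain.DistinguishedName)"   # assumed path

# Prompting keeps the password out of the history file and any transcript.
$initialPassword = Read-Host -Prompt 'Initial password for new accounts' -AsSecureString

foreach ($u in $users) {
    # Skip existing accounts instead of failing part-way through the list.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists; skipping"
        continue
    }
    $fullName = "$($u.GivenName) $($u.Surname)"
    $params = @{
        Name                  = $fullName
        GivenName             = $u.GivenName
        Surname               = $u.Surname
        DisplayName           = $fullName
        SamAccountName        = $u.SamAccountName
        UserPrincipalName     = "$($u.SamAccountName)@$upnSuffix"
        Path                  = $targetOU
        AccountPassword       = $initialPassword
        Enabled               = $true
        ChangePasswordAtLogon = $true     # force rotation of the shared initial password
    }
    New-ADUser @params
}

# Verify: only direct children of the OU, so -SearchScope OneLevel.
Get-ADUser -Filter * -SearchBase $targetOU -SearchScope OneLevel |
    Select-Object SamAccountName, UserPrincipalName, Enabled |
    Format-Table -AutoSize
```

The hashtable-plus-splatting form (@params) is the usual way to keep a long New-ADUser call readable; every key is a parameter name the cmdlet already accepts.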

CREATING GROUPS

In order to control access to network resources efficiently and effectively, groups are necessary.
When assigning access to resources security groups are required. To ensure that excessive
group creation is not required, you need to know when to create groups with a specific scope.

Groups are generally created for each department, location, and the entire organization. In this
step, we will create a group for SC, each city in the SC OU and the entire organization.
To create a Global Security group to represent the Greenville location within the Greenville OU,
perform the following:
1. Logon to the DC1 virtual machine with an administrative account.
2. Open a PowerShell session with admin rights.
3. Type the following in PowerShell:

New-ADGroup -Name Greenville -Path "OU=Greenville,OU=SC,DC=Corp,DC=Net" -GroupCategory Security -GroupScope Global

4. To verify the group was created type the following in PowerShell:

Get-ADGroup Greenville

5. You should see the output in Figure 5 below.

Figure 5 - Verifying Group creation

6. Use the information above to create the groups in Table 2 below.


Group Name   Type       Scope    Location
Charlotte    Security   Global   Charlotte OU
Columbia     Security   Global   Columbia OU
SC           Security   Global   SC OU
Table 2 - Corp.net groups

ADDING MEMBERS TO GROUPS

Once you have created groups you will want to add members to these groups.
To add the user kazevedo to the Greenville group, perform the following:
1. In a PowerShell session, type the following:

Add-ADGroupMember -Identity Greenville -Members kazevedo



2. Type the following to verify the user was added:

Get-ADGroupMember -Identity Greenville

3. You should see the output in Figure 6 below.

Figure 6 - Verifying the addition of a user to a group

4. Add the following members to the associated groups shown in Table 3 below. Note that
you can add multiple members to a group with a single command.

Group      Members
SC         Greenville, Charlotte, Columbia
Columbia   All the users in the Users OU in Columbia
Table 3 - Group Membership
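Table 3 asks for two things the single-user example above does not show: nesting groups inside a group, and adding every user from an OU without typing each name. The script below is an added example, not part of the lab, that does both with one Add-ADGroupMember call each (-Members accepts an array, and the output of Get-ADUser can be passed to it directly), then verifies the result. It assumes the Columbia Users OU is at OU=Users,OU=Columbia,OU=SC under the domain and that the SC, Greenville, Charlotte and Columbia groups from Table 2 exist.

```powershell
# Added example: populate the Table 3 memberships and verify them.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Nest the three city groups in SC in a single call.
Add-ADGroupMember -Identity 'SC' -Members 'Greenville', 'Charlotte', 'Columbia'

# Query the Columbia Users OU (assumed path) and hand the result straight to -Members.
$columbiaUsers = Get-ADUser -Filter * -SearchBase "OU=Users,OU=Columbia,OU=SC,$domainDN" -SearchScope OneLevel
Add-ADGroupMember -Identity 'Columbia' -Members $columbiaUsers

# Verify. Without -Recursive you see the nested groups as members; with -Recursive
# they are expanded to the users inside, which is what a resource ACL granted to SC
# actually gives access to.
Get-ADGroupMember -Identity 'SC' | Select-Object Name, objectClass
Get-ADGroupMember -Identity 'SC' -Recursive | Select-Object SamAccountName, DistinguishedName

# The reverse lookup: every group a given user belongs to directly.
Get-ADPrincipalGroupMembership -Identity 'itinkle' | Select-Object Name, GroupScope

# The same -Recursive check is worth running on Domain Admins after the earlier step,
# so an account that arrived through a nested group is not overlooked.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
```

Add-ADGroupMember does not complain if a member is already present, so the script can be re-run after creating more users in the Columbia OU.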

QUERYING ACTIVE DIRECTORY

Once users, groups, and computers have been provisioned, they still need to be maintained,
and it is often necessary to manage many objects at once. For example, you may need to reset
the passwords of all users at a specific location because you suspect they have been
compromised, or install software on every Windows 7 computer in the domain. In such cases it
is useful to query Active Directory for the specific users or computers and pipe the results
to a command that performs the task. PowerShell has several commands that query for objects
in Active Directory.

QUERYING FOR AD OBJECTS

To perform the tasks in this section you need a PowerShell session with access to the Active
Directory module.

1. To list all the users in the domain type the following:

Get-ADUser -Filter *

2. You should see the output shown in Figure 7 below.

Figure 7 - Partial output of search

3. You can tell your search to start in a particular location using the -SearchBase parameter.
4. To list all of the users in the SC OU and below, type the following:

Get-ADUser -Filter * -SearchBase "OU=SC,DC=Corp,DC=net"



5. You should see the output shown in Figure 8 below.

Figure 8 - Partial output of user search

6. You can limit the search to the OU itself, without descending into child OUs.
7. To list the users in the SC OU only, type the following (you can use 1 or the keyword
OneLevel):

Get-ADUser -Filter * -SearchBase "OU=SC,DC=Corp,DC=net" -SearchScope 1

8. The default value for -SearchScope is 2 (Subtree), which searches the OU and all OUs
below it. -SearchScope 0 (Base) returns only the object named by -SearchBase itself and
can be used to test whether an object exists.
9. You can also use the Filter parameter to filter the output based on the value of a user
property.
10. To find all users that have logon names (samaccountname property) that start with the
letter “h”, type the following:

Get-ADUser -Filter "samaccountname -Like 'h*'"



11. You should see the output in Figure 9 below.

Figure 9 - Users whose logon name starts with 'h'

12. To list the users whose first name (givenname property) is Ivana, type the following:

Get-ADUser -Filter "givenname -EQ 'Ivana'"

13. You should see the output in Figure 10 below.

14. You can use the same techniques with the following commands to find other objects:
a. Get-ADGroup - search for groups
b. Get-ADOrganizationalUnit - search for organizational units
c. Get-ADComputer - search for computer accounts
d. Get-ADObject - search for other AD objects
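The introduction to this section gave two motivating cases, resetting the passwords of every user at one location and finding every Windows 7 computer, but the steps only show the queries. The script below is an added example, not part of the lab, that carries each query through to the action with -WhatIf so the effect can be previewed before anything changes, and closes with the -SearchScope Base existence test from step 8. It assumes the Greenville OU at OU=Greenville,OU=SC under the domain; the computer query needs no lab-specific names.

```powershell
# Added example: query, then act, for the two maintenance cases in the introduction.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Reset every enabled user under Greenville (Subtree is the default scope, so the
#    Users child OU is included) and force a password change at next logon.
$tempPassword   = Read-Host -Prompt 'Temporary password' -AsSecureString
$greenvilleBase = "OU=Greenville,OU=SC,$domainDN"                  # assumed path
$greenvilleUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $greenvilleBase

$greenvilleUsers | ForEach-Object {
    # Drop -WhatIf once the preview shows exactly the accounts you intend to touch.
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword $tempPassword -WhatIf
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf
}

# 2. Find every computer account still reporting Windows 7. OperatingSystem and
#    LastLogonDate are not in the default property set, so request them explicitly.
$win7 = Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' -Properties OperatingSystem, LastLogonDate
$win7 | Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName | Format-Table -AutoSize

# 3. Filters built from variables must quote the value; a stray quote in the value
#    changes the filter's meaning, the same problem as any other injected query.
$first = 'Ivana'
Get-ADUser -Filter "GivenName -eq '$first'" | Select-Object SamAccountName, GivenName

# 4. -SearchScope Base as an existence test: returns the OU or nothing, no exception.
if (Get-ADOrganizationalUnit -Filter * -SearchBase $greenvilleBase -SearchScope Base -ErrorAction SilentlyContinue) {
    "Found $greenvilleBase"
} else {
    "Missing $greenvilleBase"
}
```

Both Set-ADAccountPassword and Set-ADUser accept the ADUser objects that Get-ADUser emits, which is why the pipeline needs no intermediate lookups; the -WhatIf lines print one "What if:" message per account instead of changing it.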
