User account management is, for many administrators, technicians, and help desk people, an everyday activity. Today some of my students suggested names for user accounts and an organizational unit as I was demonstrating some Active Directory administration in PowerShell version 2.0 on Windows Server 2008 R2. Evidently, several of my students are either John Hughes fans or perhaps Ben Stein fans. Regardless, here are a few tips on Active Directory management in PowerShell version 2.0. Yes, one of the user accounts is named “Ferris Bueller” after the protagonist of the movie that is ingrained in the brains of these students.
One of the great features of PowerShell version 2.0 is that once you have imported the Active Directory module (Import-Module ActiveDirectory), several cmdlets are available for working with AD DS or AD LDS directly, and an AD: provider allows easy navigation through the directory. Note that the module talks to a domain controller through Active Directory Web Services, which ships with Windows Server 2008 R2; older domain controllers need the Active Directory Management Gateway Service installed before these cmdlets can manage them.
For example, to navigate into the directory at the domain 777.wernerconsulting.com, you could use:
Within that context, a new object such as an organizational unit can be created relative to that location, because the cmdlets default their -Path parameter to the current AD: location. Note that I had misspelled the last name of the titular character from the aforementioned film. We’ll fix that later.
The New-ADOrganizationalUnit cmdlet can accept just the name part of the relative distinguished name of the OU, without the OU= tag. The Set-Location cmdlet (aliased as cd), however, does need the actual RDN “ou=beuler.” Now, within this OU, other cmdlets can refer to that OU implicitly. For example, we could create a user account as follows.
New-ADUser "Ferris Bueller"
Note that this basic user account has no password assigned, is not enabled, and leaves most of the interesting attributes untouched. Because no -SamAccountName was given, the logon name defaults to the value of -Name, space included, so in production you would set it explicitly. Although this cmdlet accepts a few dozen parameters to specify attribute values at the time of creation, including the -OtherAttributes parameter which takes an associative array (hashtable) value, we have used the simple form here.
Before using subsequent cmdlets to make that user account usable and productive, let’s go up a level and fix the name of the OU.
Rename-ADObject "ou=Beuler,dc=777,dc=wernerconsulting,dc=com" -NewName Bueller
The “cd ..” navigates up a level in the directory just as it would in the registry, a certificate store, the file system, or any other hierarchical provider. The Rename-ADObject cmdlet is the one which does the real work of renaming the OU; note that its -Identity must be a distinguished name or GUID, not a bare name. Once that’s done we used cd again to get back into the cozy OU where the user account hangs out. Note that there is no need for quotation marks around the ou=bueller because there are no spaces or other crazy punctuation in that name.
Next, let’s make this user account useful by resetting its password and enabling the account.
Set-ADAccountPassword "Ferris Bueller" -Reset
Set-ADAccountControl "Ferris Bueller" -Enabled $true
In the form used above, Set-ADAccountPassword was given only the name of the user account and the -Reset parameter, so the cmdlet prompted for the new password. The -NewPassword parameter could be used with a SecureString value instead; prefer Read-Host -AsSecureString over ConvertTo-SecureString -AsPlainText, which leaves the password in the command history. If you are changing rather than resetting the password, the -OldPassword parameter must also be included. A reset requires the Reset Password permission on the object rather than knowledge of the current password, and the domain controller logs it as event ID 4724, whereas a change is logged as event ID 4723, a distinction worth knowing when auditing help desk activity.
The Set-ADAccountControl cmdlet allows management of a number of account control aspects of accounts; however, we simply used the -Enabled parameter to make the account usable (Enable-ADAccount does the same thing). The order matters: an account with no password normally cannot be enabled unless PasswordNotRequired is set, so set the password first.
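Here is the whole Bueller walkthrough gathered into one script, as an added example rather than a command listing from the original post. It assumes the domain 777.wernerconsulting.com and the OU and user names from the post, a reachable domain controller running Active Directory Web Services, and the ActiveDirectory module installed; the explicit sAMAccountName fbueller, the UPN, and the employeeType value are assumptions added here.

```powershell
# Added example, not from the original post. Assumes the domain 777.wernerconsulting.com,
# the ActiveDirectory module (RSAT or a 2008 R2 DC), and a DC reachable via AD Web Services.
Import-Module ActiveDirectory

# Step 1: navigate into the domain with the AD: provider. The path is a DN, so the
# Set-Location (cd) form needs the full "dc=" components.
Set-Location 'AD:\dc=777,dc=wernerconsulting,dc=com'

# Step 2: create the OU. New-ADOrganizationalUnit takes the bare name (no "ou=" tag) and
# defaults -Path to the current AD: location. The typo from the post is reproduced on purpose
# so that the rename step below has something to fix.
New-ADOrganizationalUnit -Name 'Beuler'

# Step 3: cd needs the real RDN, so the "ou=" tag is required here.
Set-Location 'ou=Beuler'

# Step 4: create the user. Giving only -Name lets sAMAccountName default to the Name, which
# would yield a logon name containing a space ("Ferris Bueller"); set it explicitly instead.
# (fbueller, the UPN and employeeType are assumed values for this example.)
# The account is created disabled and without a password, which is the safe default.
New-ADUser -Name 'Ferris Bueller' `
           -GivenName 'Ferris' -Surname 'Bueller' `
           -SamAccountName 'fbueller' `
           -UserPrincipalName 'fbueller@777.wernerconsulting.com' `
           -OtherAttributes @{ employeeType = 'Student' }   # hashtable for attributes without a dedicated parameter

# Step 5: go up one level and fix the OU name. Rename-ADObject needs the object's DN (or GUID),
# not a bare name.
Set-Location ..
Rename-ADObject -Identity 'ou=Beuler,dc=777,dc=wernerconsulting,dc=com' -NewName 'Bueller'
Set-Location ou=Bueller   # no quotes needed: no spaces in the RDN

# Step 6: set a password, then enable. Read-Host -AsSecureString keeps the password out of
# the console history. -Reset does not require the old password and is logged on the DC as
# event ID 4724 (a user-initiated change would be 4723).
$pw = Read-Host -Prompt 'New password for fbueller' -AsSecureString
Set-ADAccountPassword -Identity 'fbueller' -Reset -NewPassword $pw
Set-ADUser -Identity 'fbueller' -ChangePasswordAtLogon $true   # force a change at first logon
Set-ADAccountControl -Identity 'fbueller' -Enabled $true

# Step 7: verify the result. Enabled must be True, and the DN must show the corrected OU.
Get-ADUser -Identity 'fbueller' -Properties Enabled, PasswordLastSet, DistinguishedName, employeeType |
    Format-List Name, SamAccountName, Enabled, PasswordLastSet, DistinguishedName, employeeType

Set-Location C:\   # leave the AD: drive
```

The verification step at the end is the part most worth keeping in a help desk script: it confirms that the password was actually set (PasswordLastSet is populated), that the account is enabled, and that the object lives under the renamed OU, instead of assuming each cmdlet succeeded silently.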
There is so much more that is possible with PowerShell version 2.0 and its various modules. If you can’t take a day off like our fictitious friend Ferris, at least spend some time getting to know this new flavor of the shell which comes with Windows Server 2008 R2 and Windows 7 and is downloadable for several older versions of Windows.