Learning PowerShell in Degrees – Creating Template OUs



Effective systems management admits myriad methodologies, yet if we reduce management techniques to the trichotomy of imperative graphical management, interactive command-line management, and highly scripted automation, where do you spend most of your time? What is your preferred way to manage systems? It may largely depend on what you are trying to do. Certainly, if there are tasks you perform often, some degree of scripting, verging on full automation, can become essential.

But even within the realm of scripting, it rapidly becomes apparent that we’re working on a spectrum. When I’m working in the realm of software development, I tend to take a certain approach to tool building within the context of the current development. With IT management, I take another, at least slightly different, tack. Take, for example, the management of Active Directory. Falling into the graphical, imperative “do this once, now” motif is common. But if you’re going to do something more than once, the gravity of Windows PowerShell takes over (unless I’m managing Active Directory from UNIX or a phone).

During a class on Windows Server 2008/2008 R2, we were discussing creation of organizational units, user accounts, and groups, changing group membership, using template user accounts, and delegating administrative control. All of these operations can be performed in various graphical user interface (GUI) tools. Alternatively, they could be performed interactively at a command prompt (cmd.exe), in a batch file (.BAT), in a classic Windows scripting environment like VBScript (.VBS), or of course with Windows PowerShell. To tie these different tasks together, you probably guessed that I demonstrated the use of PowerShell. Note the following function, New-DelegatedOU:

    function New-DelegatedOU( $ou ){
        # Distinguished name of the current domain, e.g. DC=corp,DC=example,DC=com
        $dom = ([ADSI]"").distinguishedName

        # The new OU, directly under the domain root
        $ouDN = "ou=$ou,$dom"
        dsadd ou $ouDN

        # Template account that new users in this OU will be copied from
        dsadd user "cn=$($ou) Template,$($ouDN)" -dept "$ou"

        # Users group, seeded with the template account
        dsadd group "cn=$($ou) Users,$($ouDN)" -members "cn=$($ou) Template,$($ouDN)"

        # Admins group that is delegated control of the OU
        $groupDN = "cn=$($ou) Admins,$($ouDN)"
        dsadd group "$groupDN"

        # dsacls /g <trustee>:<rights>[;<object type>[;<inherited object type>]]
        # On the OU itself: SD delete, RC read security, WD write DACL, WO write owner,
        # WP/RP write/read property, CA control access, LO list object
        dsacls $ouDN /g "$($groupDN):SDRCWDWOWPRPCALO" | out-null
        # CC/DC: create and delete child objects of class user and of class group
        dsacls $ouDN /g "$($groupDN):CCDC;user;" | out-null
        dsacls $ouDN /g "$($groupDN):CCDC;group;" | out-null
        # Delete and security rights, inherited by user objects in the OU
        dsacls $ouDN /g "$($groupDN):SDRCWDWO;;user" | out-null
    }


Because the course was not about PowerShell, I didn’t make much use of the [ADSI] type accelerator, although using its objects’ .Create, .Put, .GetInfo, and .SetInfo methods is something we do in the PowerShell course. Also, because not all of the students will be using Windows Server 2008 R2 or a download of PowerShell version 2.0, I didn’t want to use the Active Directory module for PowerShell 2.0 with its AD provider and cmdlets. Instead, as you can see from the function above, I opted for the more familiar dsadd and dsacls commands. I suppose that using ADSI class instances, using the newer cmdlets, or using the ds* commands is another trichotomy of AD management in PowerShell.
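For the second leg of that trichotomy, here is the same template OU built with the [ADSI] type accelerator’s .Create, .Put, .SetInfo and .GetInfo methods instead of dsadd. This is an added example, not code from the original post: the OU name “Sales”, the sAMAccountName values and the assumption that the caller can create objects under the domain root are mine, and the domain is discovered from RootDSE rather than hard-coded. Two checks a practitioner would want are included: the template account is read back to confirm Active Directory created it disabled before it is added to a group, and the OU’s DACL is read back with dsacls so the delegation can be verified rather than trusted.

```powershell
# Added example (not from the original post): template OU, groups and template
# account built with [ADSI] objects. sAMAccountName values are illustrative.
function New-TemplateOUAdsi {
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )

    # RootDSE exposes the domain naming context, so nothing is hard-coded
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDN"

    # .Create stages the object in the property cache; .SetInfo commits it
    $ou = $domain.Create('organizationalUnit', "OU=$Name")
    $ou.SetInfo()
    $ouDN = "OU=$Name,$domainDN"

    # Template user. No password is set, so AD creates the account disabled
    # (ACCOUNTDISABLE, 0x2, in userAccountControl). .GetInfo refreshes the
    # cache so the flag is read back from the directory, not assumed.
    $user = $ou.Create('user', "CN=$Name Template")
    $user.Put('sAMAccountName', ($Name -replace '\s', '') + 'Tmpl')
    $user.Put('department', $Name)
    $user.SetInfo()
    $user.GetInfo()
    $uac = [int]$user.userAccountControl.Value
    if (-not ($uac -band 0x2)) {
        throw "Template account $($user.Path) is enabled; refusing to continue"
    }

    # 0x80000002 = global, security-enabled group (stored as a signed int32)
    $globalSecurity = -2147483646

    $users = $ou.Create('group', "CN=$Name Users")
    $users.Put('sAMAccountName', "$Name Users")
    $users.Put('groupType', $globalSecurity)
    $users.SetInfo()
    $users.Add($user.Path)          # IADsGroup.Add takes the member's ADsPath

    $admins = $ou.Create('group', "CN=$Name Admins")
    $admins.Put('sAMAccountName', "$Name Admins")
    $admins.Put('groupType', $globalSecurity)
    $admins.SetInfo()
    $adminsDN = "CN=$Name Admins,$ouDN"

    # Delegation is still done with dsacls, with the same ACEs as New-DelegatedOU.
    # ${adminsDN}: is needed because "$adminsDN:..." would parse as a scope qualifier.
    dsacls $ouDN /g "${adminsDN}:SDRCWDWOWPRPCALO" | Out-Null
    dsacls $ouDN /g "${adminsDN}:CCDC;user;"       | Out-Null
    dsacls $ouDN /g "${adminsDN}:CCDC;group;"      | Out-Null
    dsacls $ouDN /g "${adminsDN}:SDRCWDWO;;user"   | Out-Null

    [pscustomobject]@{
        OU       = $ouDN
        Template = "CN=$Name Template,$ouDN"
        Users    = "CN=$Name Users,$ouDN"
        Admins   = $adminsDN
    }
}

# Read the OU's DACL back and keep only the Allow ACEs granted to one group,
# so the result of the delegation can be inspected after the fact.
function Get-OUDelegation {
    param(
        [Parameter(Mandatory)][string]$OUDN,
        [Parameter(Mandatory)][string]$GroupName
    )
    dsacls $OUDN | Where-Object {
        $_ -match '^\s*Allow' -and $_ -match [regex]::Escape($GroupName)
    }
}

$result = New-TemplateOUAdsi -Name 'Sales'
$result
Get-OUDelegation -OUDN $result.OU -GroupName 'Sales Admins'
```

Run it on a domain-joined machine as an account that can create objects under the domain root; the last line should list the four grants to the Admins group, and if the template account had somehow come back enabled the function stops before it is ever placed in a group.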

Rather than delve into an explanation of what the script does, I just wanted to note one thing along the lines of these trichotomies (or spectra). If you’re trying to learn any scripting language, there are as many styles of using that language as there are people using it. Certainly, there are patterns we can use. If you’re new to PowerShell, keep it simple. If you don’t like pipelines, don’t use them. If you don’t like variables, don’t use them. If parentheses scare you, don’t use them. Then again, it’s always good to learn new aspects of the shell once you have gotten comfortable with a simple example that suits your style. Venture deeper into the water as you learn to swim better.
