Automate Active Directory jobs with PowerShell scripts
Much of what admins do in Active Directory is not exactly cutting-edge, and they don't want to waste time on mundane tasks. A dash of PowerShell can speed things along.
Most IT professionals have some experience with Active Directory, whether they use it to create new users, reset passwords or generate child domains. Tools like Active Directory Users and Computers and Active Directory Administrative Center get the job done, but they're based on a GUI and require a lot of manual manipulation.
Active Directory is suitable for automation -- it's an area where admins make constant, and often repetitive, modifications, such as creating users, computers and organizational units. With the right tools in place, you can use PowerShell to automate Active Directory tasks and eliminate a lot of these recurring steps.
After the installation, enable the AD module. Go to Programs and Features in the Control Panel and follow this path: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.
Once the AD module is enabled, open the PowerShell console and use the Get-Command cmdlet to check that every command is available to you.
Next, run the Update-Help command to download the latest documentation for each PowerShell command. Microsoft regularly updates the comprehensive PowerShell help system. Running the Update-Help command is a worthwhile step for administrators who are new to PowerShell, especially when exploring a new module.
To adjust settings for a user, you need to find the user. There are several ways to do this in Active Directory, but the most common is with the Get-AdUser cmdlet. This cmdlet enables you to search based either on the name of the user or via a filter that locates several users at once. The following example uses a filter to find users with the first name Joe:
PS> Get-AdUser -Filter 'givenName -eq "Joe"'
If you know the user's name, you could use the Identity parameter:
PS> Get-AdUser -Identity 'jjones'
Create new users
The New-AdUser cmdlet creates new users and lets you specify the majority of the attributes. For example, if you want to create a new user called David Jones with a password of p@$$w0rd10, use PowerShell's splatting feature to package several parameters and pass them to the New-AdUser cmdlet.
Another common administrative task is to add new users to groups. This is easily done with the Add-AdGroupMember cmdlet. The example below adds the user David Jones to an Active Directory group called Accounting:
We can combine these commands when the human resources department provides a CSV file that lists new users to create in Active Directory. The CSV file might look like this:
To create these users, write a script that invokes the New-AdUser command for each user in the CSV file. Use the built-in Import-Csv command and a foreach loop in PowerShell to go through the file and give users the same password.
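The steps described above (splatting parameters into New-AdUser, adding the account to a group with Add-AdGroupMember, and looping over the CSV file with Import-Csv) combined into one script. This is an added example, not the article's own code; the CSV path and the column names FirstName, LastName and Group are assumptions, and it prompts for the shared initial password instead of embedding it in the script.

```powershell
# Added example, not the article's code. CSV path and column names are assumed.
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\NewUsers.csv'   # hypothetical; header: FirstName,LastName,Group

# Prompt once for the shared initial password so it is never stored in the
# script. If it were typed as a literal it would need single quotes, because
# double-quoted strings are subject to $-variable expansion.
$initialPassword = Read-Host -Prompt 'Initial password' -AsSecureString

foreach ($row in Import-Csv -Path $csvPath) {
    if (-not $row.FirstName -or -not $row.LastName) {
        Write-Warning 'Skipping row with a missing first or last name'
        continue
    }

    # First initial + last name (David Jones -> djones), letters and digits only
    $sam = ($row.FirstName.Substring(0, 1) + $row.LastName).ToLower() -replace '[^a-z0-9]', ''

    # Do not overwrite or collide with an existing account
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping ${sam}: account already exists"
        continue
    }

    # Splatting: the hashtable keys are New-ADUser parameter names
    $newUser = @{
        Name                  = "$($row.FirstName) $($row.LastName)"
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $sam
        AccountPassword       = $initialPassword
        ChangePasswordAtLogon = $true    # shared password is valid for first logon only
        Enabled               = $true
        ErrorAction           = 'Stop'
    }

    try {
        New-ADUser @newUser
        if ($row.Group) {
            Add-ADGroupMember -Identity $row.Group -Members $sam -ErrorAction Stop
        }
        Write-Output "Created $sam"
    }
    catch {
        Write-Warning "Failed on ${sam}: $($_.Exception.Message)"
    }
}
```

Because every account starts with the same password, ChangePasswordAtLogon is set so each user must replace it at first sign-in.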
These are a few basic examples of how an admin can automate Active Directory tasks with PowerShell. The Active Directory PowerShell module has many commands that enable admins to execute more complex jobs, such as permission delegation for groups.