Active Directory Management Using PowerShell
-Vijay Saini
Course Overview
• Introduction
• Creating a VM in Desktop
• Creating a VM in Public Cloud
• AD Installation
• Understanding Active Directory
Creating a VM in Local Computer
What you need:
• Oracle Virtual box
https://www.virtualbox.org/wiki/Downloads
• ISO Image:
Windows Server 2016 :
https://www.microsoft.com/en-in/evalcenter/evaluate-windows-server-2016
Target Audience
✓ Server Administrators
✓ PowerShell Scripters
✓ Students
Course Goals
After completing this course you will:
Understand what is Active Directory and Why to use it
Understand what is PowerShell and how it can help
Be able to manage Active Directory using PowerShell
Be able to handle bulk request for AD
Strategy
Lab Setup -> AD Basics -> PowerShell Basics -> AD Mgmt. Using PowerShell
Lab
✓ Learn to create a Virtual Machine in your System
✓ Learn to create a Virtual Machine in Public Cloud(AWS)
✓ Install Active Directory
✓ Configure AD to promote the server to Domain Controller
Creating a VM in Public Cloud
Advantages of AWS EC2 (Virtual Server Hosting):
Complete Control with Ease of Access
We will use free tier, so it is going to be free of cost
What you need:
Create an account on https://aws.amazon.com
You are required to have a credit/debit card for adding to your AWS account
Follow the steps along with me if you are doing it for the first time
Lab: Installing Active Directory
Agenda:
• To install Active Directory on a Server
• To promote the server to "Domain Controller" by configuring AD on it
Purpose:
To Setup a simple environment where we can write our PowerShell scripts
and learn automation of AD related common tasks
Thank You. Section Completed ☺
Section 2: Understanding Active Directory
• What is Active Directory
• AD Structure
• AD Components-I
• AD Components-II
• Designing OUs
What is Active Directory
Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks.
It is a service that lets you work with interconnected, complex and diverse network resources in a unified manner.
It is an X.500-based database that provides centralized control over all resources available in a domain.
Understanding Active Directory (diagrams)
Without AD: each computer keeps its own local database; the username/password is stored in that local database and checked by the computer itself.
With AD: the user's logon credentials are checked by the Domain Controller (centralized control over all resources); the other servers/computers in the environment rely on the same Domain Controller, which also applies Group Policy from a centralized location.
Understanding Active Directory
AD is a distributed database that stores the users and passwords of all users across the organization and controls their level of access.
AD stores all the different computers in an organization and provides centralized control over them.
It logs password changes, which user accounts are currently logged on to which machines, enabled users, users being added to security groups, etc.
Understanding Active Directory
• Supports the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability
• Stores computers, printers, shared folders, Group Policies and users as objects, so it is an object-oriented store
Active Directory
• History
• Workgroup vs AD
• Centralized Management
• Group Policy
Active Directory
• NTDS: NT Domain Service
• DIT: Directory Information Tree
• NTDS.DIT: the centralized database, based on X.500 standards and ideal for storing hierarchical data
• LDAP: a simple way to access X.500 databases
Workgroup
Workgroup is Microsoft's term for peer-to-peer local area network.
Computers running Microsoft operating systems in the same workgroup may
share files, printers, or Internet connection.
• All computers are peers; no computer has control over another computer.
• Each computer has a set of user accounts. To log on to any computer in the
workgroup, you must have an account on that computer.
• There are typically no more than twenty computers.
• A workgroup is not protected by a password.
• All computers must be on the same local network or subnet.
Workgroup vs Active Directory Domain Controller (diagram)
Workgroup: each computer holds its own users, groups, shared folders and printers.
Active Directory Domain Controller: NTDS.DIT holds the Computer, User, Group, Computer Policy & Security settings, Shared folder and Printer objects for the whole domain.
AD
• One or more computers are servers. Network administrators use servers to control the
security and permissions for all computers on the domain. This makes it easy to make
changes because the changes are automatically made to all computers.
• If you have a user account on the domain, you can log on to any computer on the
domain without needing an account on that computer.
• You probably can make only limited changes to a computer's settings because network
administrators often want to ensure consistency among computers.
• There can be thousands of computers in a domain.
• The computers can be on different local networks.
Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a directory service
protocol that runs on a layer above the TCP/IP stack. It provides a mechanism
used to connect to, search, and modify Internet directories
The LDAP directory service is based on a client-server model. The function of
LDAP is to enable access to an existing directory
The data model (data and namespace) of LDAP is similar to that of the X.500
OSI directory service, but with lower resource requirements. The associated
LDAP API simplifies writing Internet directory service applications.
AD Limits
Maximum Number of Objects
Each domain controller in an AD can create ~2.15 billion objects.
Maximum Number of Security Identifiers
~ 1 billion security identifiers (SIDs) over the life of a domain.
Group Memberships for Security Principals
Security principals can be members of a maximum of ~1,015 groups.
Maximum Number of Group Policy Objects Applied: 999 for an Object
Understanding AD Structure
Organizational Unit
• An organizational unit (OU) is a subdivision within an Active Directory into
which you can place users, groups, computers, and other organizational
units.
• You can create organizational units to mirror your organization's functional
or business structure.
• Each domain can implement its own organizational unit hierarchy.
• If your organization contains several domains, you can create
organizational unit structures in each domain that are independent of the
structures in the other domains.
• The term "organizational unit" is often shortened to "OU" or "Container"
Organizational Unit
Example 1: By type of resource
• Computers: Prod, Non Prod
• Users: Admins, Readonly
• Printers: Public, Mgmt
• Shared Folders: Official, Clients
Example 2: Department-wise
• HR_Dept: Users, Shared_drive, Printers, Servers
• Support_Dept: Users, Shared_drive, Printers, Servers
• PD_Dept: Users, Shared_drive, Printers, Servers
• Infra_Dept: Users, Shared_drive, Printers, Servers
AD Structure
Domain: a logical group or collection of computers defined by an administrator that share a common directory database. Example: Domain Controller MyCorp.com containing OU 1, OU 2 and OU 3.
Domain Tree: a collection of domains that share a contiguous namespace. Example: MyCorp.com with the child domains Security.MyCorp.com and Contractors.MyCorp.com, each with its own OU 1, OU 2 and OU 3, joined by trust relationships.
Domain Forest: two or more domain trees which do not share a contiguous namespace can be joined in a forest; the forest shares one schema. Example: the MyCorp.com tree (with Security.MyCorp.com and Contractors.MyCorp.com) and the AnotherDomain.com tree, joined by a trust relationship.
Active Directory Account
- Includes users, computers, printers, etc.
- Each account has a SID (the unique identity of any account)
SID
• Allows Windows to uniquely identify an account even if other attributes like first name, last name, email, etc. are changed.
• The SID does not change when an attribute changes.
GUID
• Active Directory assigns each new object a globally unique identifier (GUID), a 128-bit value that is unique not only in the enterprise but also across the world.
• GUIDs are assigned to every object created by Active Directory, not just user and group objects (security principals).
GUID & SID (diagram): security principals (users, groups, computers) carry both a GUID and a SID; other objects carry only a GUID.
AD User Nomenclature
Old Standard
Domain \ UserName
example: myCorp\Andy.Smith
New Standard
Username@UPNSuffix
example: [email protected]
SamAccountName
• Specifies the Security Accounts Manager (SAM) account name of the user, group, computer, or
service account.
• The samAccountName attribute is the user logon name used to support clients and servers from a
previous version of Windows.
• The samAccountName must be unique among all security principal objects within the domain.
• Example: Andy.Smith (domain name not included)
UserPrincipalName (UPN)
• The UPN is an Internet-style login name for the user based on the Internet standard RFC 822.
• The user logon name format is: [email protected].
• The UPN must be unique among all security principal objects within the directory forest.
• The advantage of using a UPN is that it can be the same as the user's email address, so the
user needs to remember only a single name.
SamAccountName vs UPN
Service Accounts
Service accounts are created to run a particular application or service.
Service accounts follow the principle of least privilege (granting only the
essential permissions).
A service account's minimum privilege ensures minimum damage in case
it is compromised.
Example: an application for importing/exporting files does not need
privileges to uninstall other applications or to edit the registry.
Local User
In Windows, a local user is one whose username and encrypted
password are stored on the computer itself.
When you log in as a local user, the computer checks its own list of
users and its own password file to see if you are allowed to log into the
computer.
The computer itself then applies all the permissions.
Domain User
A domain user is one whose username and password are stored on a
domain controller rather than the computer the user is logging into.
When you log in as a domain user, the computer asks the domain
controller what privileges are assigned to you.
When the computer receives an appropriate response from the domain
controller, it logs you in with the proper permissions and restrictions.
AD Access Management (diagram)
Without groups, permissions on Common_Share are granted per user: User1 Read, User2 Read & Write, User3 Read, User4 Modify, User5 Read.
Groups (diagram)
AD groups and their members, with the group (not the user) granted access on Common_Share:
• Read_Share: User1, User2, User3
• Modify_Share: User1, User3
• Write_Share: User2
Active Directory Groups
• Groups are containers that contain user and computer objects within them as
members.
• When security permissions are set for a group in the Access Control List on a
resource, all members of that group receive those permissions.
• Domain Groups enable centralized administration in a domain. All domain groups
are created on a domain controller.
• Types: Security Groups & Distribution Groups
Security Groups vs Distribution Groups
Security Groups:
• Use security groups to grant permission to gain access to resources.
• Sending an e-mail message to a group sends the message to all group members. Therefore, security groups share the capabilities of distribution groups.
Distribution Groups:
• Distribution groups can be used only with email applications (such as Exchange Server) to send email to collections of users.
• Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists.
A user's membership in many security groups could result in slow logon performance. Therefore
distribution groups should be used wherever possible.
Group scope
Groups are characterized by a scope that identifies the extent to which
the group is applied in the domain tree or forest. The scope of the
group defines where the group can be granted permissions. The
following three group scopes are defined by Active Directory:
• Universal
• Global
• Domain Local
Group scope
Universal:
Possible Members: Accounts from any domain in the same forest
Can Grant Permissions: On any domain in the same forest or trusting forests
Global:
Possible Members: Accounts from the same domain or trusting domain
Can Grant Permissions: On any domain in the same forest
Domain Local:
Possible Members: Accounts from any domain or any trusted domain
Can Grant Permissions: Within the same domain
Designing OU
Assumption:
The organization has its resources and users in a single region.
Small-sized organization.
Departments:
HR sub-departments: Accounts, Hiring, Management
PD sub-departments: Development, Testing, Management
Infrastructure sub-departments: Server Management, Network, Monitoring
Designing OU (diagram): department-based design
Domain Controller: mycorp.com
• HR_Dept: Users, Computers, Printers
• Supports_Dept: Users, Computers, Printers
• Infra_Dept: Users, Computers, Printers
Designing OU (diagram): region-based design
Domain Controller: mycorp.com
• Computers: Asia Pacific, EMEA, Americas
• Printers: Asia Pacific, EMEA, Americas
• Shared Folders: Asia Pacific, EMEA, Americas
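The department-based design above, built with the Active Directory module. This is an added example, not code from the course; it assumes the lab domain is mycorp.com, that the module is installed on the machine you run it from, and that the OU names are taken verbatim from the design (Users/Computers/Printers under each sub-department). It is idempotent, so it can be re-run safely, and it sets the accidental-deletion guard on every OU it creates.

```powershell
# Added example: create the department OU hierarchy from the design slide.
# Assumptions: domain mycorp.com, ActiveDirectory module available, run as a
# delegated OU admin. Existing OUs are left untouched.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=mycorp,DC=com

# Department -> sub-department layout from the slide (ordered so output is stable)
$design = [ordered]@{
    'HR_Dept'    = @('Accounts', 'Hiring', 'Management')
    'PD_Dept'    = @('Development', 'Testing', 'Management')
    'Infra_Dept' = @('Server Management', 'Network', 'Monitoring')
}
$resourceOUs = @('Users', 'Computers', 'Printers')

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    try {
        # -Identity accepts a DN; -ErrorAction Stop makes "not found" catchable
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null
        Write-Verbose "Exists:  $dn"
    } catch {
        # Protect every OU from accidental deletion (Remove-ADOrganizationalUnit then
        # refuses until the flag is cleared, a useful guard for containers full of users)
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
        Write-Verbose "Created: $dn"
    }
    return $dn
}

foreach ($dept in $design.Keys) {
    $deptDN = New-OUIfMissing -Name $dept -ParentDN $domainDN
    foreach ($sub in $design[$dept]) {
        $subDN = New-OUIfMissing -Name $sub -ParentDN $deptDN
        foreach ($res in $resourceOUs) {
            New-OUIfMissing -Name $res -ParentDN $subDN | Out-Null
        }
    }
}

# Verify: list the tree as distinguished names
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
    Sort-Object DistinguishedName |
    Select-Object Name, DistinguishedName
```

Run it once with -Verbose (`.\New-DeptOUs.ps1 -Verbose` if saved as a script) to see which OUs were created and which already existed; the region-based design can be produced by swapping the hashtable for regions under resource types.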
Section 3: Understanding The Power of PowerShell
• Recap
• Object
• Pipeline
• Convert Objects
• Format Objects
• Export Objects
• AD Cmdlets
Important Parameters
-WhatIf
-Confirm
-Force
-Credential
-Server
Section 4: Working with AD User
• AD Module
• Parameters
• AD Users
• Contact User
• Filters
• User Modification
• Cleanup
• Bulk Operations
AD Basics
AD User Accounts
Security Principals
SID, GUID & SAMAccountname
Service Accounts
Security Groups
Organizational Units
PowerShell Basics
What is an Object
What is Pipeline
Convert Objects
Format Objects
Export Output to file format
PowerShell – Where To Start
Enables you to quickly start with scripting (for newbies):
1.) Learning Task Automation using Windows PowerShell, Coupon Code: STUDENT
https://www.udemy.com/automation-using-windows-powershell/?couponCode=STUDENT
Advanced & detailed course (recommended):
2.) Advanced Scripting & Tool Making using Windows PowerShell, Coupon Code: STUDENT
https://www.udemy.com/advanced-scripting-tool-making-using-windows-powershell/?couponCode=STUDENT
PowerShell AD Module
The Active Directory module for Windows PowerShell is for IT Professionals who are
administering and interfacing with Active Directory.
The Active Directory module provides an efficient way to complete many administrative,
configuration, and diagnostic tasks across Active Directory Domain Services (AD DS) and Active
Directory Lightweight Directory Services (AD LDS) instances in their environments.
The Active Directory module includes a set of Windows PowerShell cmdlets and a provider. The
provider exposes the Active Directory database through a hierarchical navigation system, which
is very similar to the file system.
PowerShell AD Module Coverage
• Create, Read, Update, and Delete actions are supported for Active Directory objects by cmdlets such as New-ADUser, Get-ADOrganizationalUnit, Set-ADComputer, and Remove-ADUser
• Account and Password Policy Management are supported by cmdlets such as Enable-ADAccount, Unlock-ADAccount, New-ADServiceAccount, Set-ADAccountControl, and Remove-ADFineGrainedPasswordPolicy
• Domain and Forest Management is supported by cmdlets such as Get-ADForest, Set-ADForest, Set-ADForestMode, Enable-ADOptionalFeature, Get-ADDomainController, and Get-ADDomain
PowerShell Parameters
WhatIf
Enables the user to test a script/statement without putting the system at risk.
The WhatIf switch only displays what the outcome of running the script would be if it were actually run.
Understanding AD Object - Credential Parameter
Specifies the user account credentials to use to perform this task. The default credentials are the credentials of
the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell
provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a
PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set
the Credential parameter to the PSCredential object.
If the acting credentials do not have directory-level permission to perform the task, Active Directory module for
Windows PowerShell returns a terminating error.
Understanding AD Object - Server
Specifies the Active Directory Domain Services (AD DS) instance to connect to, by providing one
of the following values for a corresponding domain name or directory server.
The service may be any of the following: Active Directory Lightweight Domain Services (AD LDS),
AD DS, or Active Directory snapshot instance.
New-ADUser -Name "TestUser" -Server my.server.com:50000
Help:
Get-Help Get-ADUser -Parameter server
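The WhatIf, Confirm, Credential and Server parameters described above, exercised together on the lab domain. This is an added example, not code from the course; the user testuser, the DC name dc01.mycorp.com and the service account mycorp\svc_adreader are placeholders, and the password is read at the prompt rather than written into the script.

```powershell
# Added example: safety and targeting parameters on AD cmdlets.
# Assumptions (placeholders): user "testuser", DC "dc01.mycorp.com",
# delegated account "mycorp\svc_adreader".
Import-Module ActiveDirectory

# 1. -WhatIf: report what the cmdlet WOULD do; nothing is changed.
#    Output has the form: What if: Performing the operation "Remove" on target "CN=testuser,...".
Remove-ADUser -Identity testuser -WhatIf

# 2. -Confirm: prompt before each change (the default ConfirmImpact of Remove-ADUser
#    already prompts; -Confirm forces the prompt on cmdlets that normally do not).
Set-ADUser -Identity testuser -Description 'Lab account' -Confirm

# 3. -Credential: run the task as a different (delegated) account instead of the
#    logged-on user. Get-Credential prompts and keeps the password as a SecureString.
$cred = Get-Credential -Message 'Delegated admin account (DOMAIN\user)'
Get-ADUser -Identity testuser -Credential $cred

#    Building a PSCredential object without Get-Credential, still prompting for the secret
$secure     = Read-Host -AsSecureString -Prompt 'Password for mycorp\svc_adreader'
$scriptCred = New-Object System.Management.Automation.PSCredential('mycorp\svc_adreader', $secure)

# 4. -Server: pin the operation to one DC (or an AD LDS instance as host:port).
#    Pinning matters when you create an object and read it back immediately:
#    another DC may not have received the change yet.
$created = New-ADUser -Name 'TestUser2' -Server 'dc01.mycorp.com' -Credential $scriptCred -PassThru
Get-ADUser -Identity $created.DistinguishedName -Server 'dc01.mycorp.com' -Credential $scriptCred

# Without sufficient directory permissions the module raises a terminating error,
# so wrap delegated operations when the script must continue past a failure
try {
    Set-ADUser -Identity testuser -Title 'Analyst' -Credential $scriptCred -ErrorAction Stop
} catch {
    Write-Warning "Set-ADUser failed: $($_.Exception.Message)"
}
```

Using -WhatIf first and then the real call is the habit to build for any Remove-* or Set-* cmdlet; the two lines differ only by the switch, so the dry run is cheap.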
Understanding AD Object - Identity
-Identity
Used to tell PowerShell exactly which AD object to retrieve or act on
Example:
Get-ADUser -Identity testuser
Get-ADGroup -Identity Administrators
The acceptable values for this parameter are:
Distinguished name
GUID (objectGUID)
SID or Security identifier (objectSid)
SAM account name (SAMAccountName)
Get-ADDomain
The Get-ADDomain cmdlet gets the Active Directory domain specified by the parameters
(Get-ADDomain).Forest
(Get-ADDomain).UsersContainer
(Get-ADDomain).ComputersContainer
Methods of Creating AD Object
Different ways of creating AD objects (users, groups, OUs, etc.):
1.) Create a new user by specifying the required parameters
2.) Use an existing object as a template: clone it, modify it and save it
3.) Import details from a CSV file and create new objects
A Programming Object
An object is simply the programmatic representation of anything.
It is good practice to look at the Get-Member cmdlet's output to understand what exactly a particular object is
and what it can do.
None of the cmdlets we have seen so far, which seem to display plain text on the console, produce plain
text; they all return programmable objects.
A Programming Object
Real-world objects share two characteristics:
◦ They all have ”state” and ”behavior”.
◦ -> Dogs have state (name, color, breed, hungry) and behavior (barking, wagging tail).
◦ -> Bicycles also have state (current gear, current speed) and behavior (changing gear, applying brakes).
Programming objects are conceptually similar to real-world objects:
they too consist of state and related behavior. An object stores its state in
properties/variables/fields and exposes its behavior through
methods(called as functions in some programming languages)
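The state/behavior idea above applied to what Get-ADUser returns, then the same object pushed through the pipeline to a CSV and JSON export. This is an added example, not course code; it assumes a user Andy.Smith exists in the lab domain and that the script is allowed to write into the current directory.

```powershell
# Added example: cmdlet output is an object, not text. Assumes user Andy.Smith exists.
Import-Module ActiveDirectory

# Get-ADUser returns a small default property set; request the extra attributes explicitly
$user = Get-ADUser -Identity 'Andy.Smith' -Properties Department, LastLogonDate, MemberOf

# State (properties) and behavior (methods) of the ADUser object
$user | Get-Member -MemberType Property | Select-Object Name, Definition
$user | Get-Member -MemberType Method   | Select-Object Name

# Use the state directly instead of parsing console text
$user.DistinguishedName
$user.MemberOf.Count                     # number of direct group memberships
$user.LastLogonDate -lt (Get-Date).AddDays(-90)   # $true if stale for 90+ days

# Pipeline: search -> shape -> sort -> export, every stage working on objects.
# Search-ADAccount is the module's own cmdlet for account-state queries.
Search-ADAccount -AccountDisabled -UsersOnly |
    Get-ADUser -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path .\disabled-users.csv -NoTypeInformation

# The same object converted to JSON for a ticketing or SIEM tool
$user | Select-Object SamAccountName, Department, LastLogonDate | ConvertTo-Json
```

Format-Table and Format-List should only ever be the last stage of a pipeline: they turn the objects into formatting records, and nothing downstream (Export-Csv, ConvertTo-Json) can use those.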
Distinguished Name
File path:
C:\AD\Practice\test\file.txt
Distinguished name:
CN=AccountLeads, OU=Accounts,OU=HR, DC=mycorp, DC=com
-Filter <String>
Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell
Expression Language syntax.
The PowerShell Expression Language syntax provides rich type-conversion support for value
types received by the Filter parameter.
The syntax uses an in-order representation, which means that the operator is placed between
the operand and the value.
For more information about the Filter parameter, see about_ActiveDirectory_Filter.
-LDAPFilter <String>
Specifies an LDAP query string that is used to filter Active Directory objects. You can use this
parameter to run your existing LDAP queries.
The Filter parameter syntax supports the same functionality as the LDAP syntax.
-SearchBase <String>
Specifies an Active Directory path to search under.
Filter vs LDAPFilter
The statements below are equivalent:
Get-ADUser -LDAPFilter '(&(objectClass=user)(|(cn=firstname*)(cn=lastname)))'
{OR}
Get-ADUser -Filter 'CN -like "firstname*" -or CN -eq "lastname"'
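The same search written in both filter dialects and scoped with -SearchBase, plus the one trap that bites most new scripters: variables inside a filter string. This is an added example, not course code; the OU distinguished name and department value are placeholders from the lab design, and the userAccountControl query is a direct LDAP equivalent of the module's own disabled-account search.

```powershell
# Added example: Filter (PowerShell expression language) vs LDAPFilter vs SearchBase.
# Assumptions (placeholders): OU=Users,OU=HR_Dept,DC=mycorp,DC=com exists.
Import-Module ActiveDirectory
$base = 'OU=Users,OU=HR_Dept,DC=mycorp,DC=com'

# 1. -Filter: in-order syntax, operator between attribute and value.
#    Single quotes on the outside, double quotes around values.
$byFilter = Get-ADUser -Filter 'Surname -like "S*" -and Department -eq "HR"' `
                       -SearchBase $base -Properties Department

# 2. -LDAPFilter: prefix notation, & = AND, | = OR, ! = NOT, attribute names are LDAP names
#    (sn, not Surname). Reuses existing LDAP queries unchanged.
$byLdap = Get-ADUser -LDAPFilter '(&(sn=S*)(department=HR))' `
                     -SearchBase $base -Properties Department

# 3. Variables: build the filter string with double quotes so $dept is expanded
#    BEFORE the module parses it. Property expressions ($obj.Name) are not
#    resolved inside the filter, so put them in a plain variable first.
$dept     = 'HR'
$byVar    = Get-ADUser -Filter "Department -eq '$dept'" -SearchBase $base
$template = Get-ADUser -Identity 'Andy.Smith'
$sam      = $template.SamAccountName
$same     = Get-ADUser -Filter "SamAccountName -eq '$sam'"

# 4. "Enabled" is a module property, not an LDAP attribute. In LDAP the disabled
#    flag is bit 2 of userAccountControl, tested with the bitwise-AND matching rule.
$disabledLdap = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' -SearchBase $base
$disabledPs   = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $base

# 5. Limit the scope further: -SearchScope OneLevel searches only the base OU itself
Get-ADUser -Filter * -SearchBase $base -SearchScope OneLevel | Select-Object SamAccountName

# Cross-check that the two dialects agree (no output means identical result sets)
Compare-Object ($byFilter.SamAccountName | Sort-Object) ($byLdap.SamAccountName | Sort-Object)
```

Scoping with -SearchBase is also a performance and hygiene measure: a script that only needs HR accounts should never query the whole domain.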
Creating AD Users
The New-ADUser cmdlet creates an Active Directory user. You can set commonly used user
property values by using the cmdlet parameters.
You can set property values that are not associated with cmdlet parameters by using
the OtherAttributes parameter. When using this parameter, be sure to place single quotes
around the attribute name.
https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduser?view=win10-ps
Section 5: Working with AD Groups
• Create Group
• Add/Remove members
• Group Reports
• OU Management
• Delete Group
Create AD Group
The New-ADGroup cmdlet creates a new Active Directory group object. Many
object properties are defined by setting cmdlet parameters. Properties that
cannot be set by cmdlet parameters can be set using the OtherAttributes
parameter.
The Name and GroupScope parameters specify the name and scope of the group
and are required to create a new group. You can define the new group as a
security or distribution group by setting the GroupType parameter. The Path
parameter specifies the container or organizational unit (OU) for the group.
Get-ADGroup
The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.
The Identity parameter specifies the Active Directory group to get. You can identify a group by its distinguished
name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name, or canonical name.
You can also specify group object variable, such as $<localGroupObject>.
Getting Members from a Group
The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups,
and computers.
Get-ADGroupMember -Identity Administrators
Adding Members to a Group
Add-ADGroupMember
Description
The Add-ADGroupMember cmdlet adds one or more users, groups, service accounts, or
computers as new members of an Active Directory group.
Remove Members from a Group
Description
The Remove-ADGroupMember cmdlet removes one or more users, groups, service accounts, or computers from
an Active Directory group.
Remove AD Group
Description
The Remove-ADGroup cmdlet removes an Active Directory group object. You can use this cmdlet to
remove security and distribution groups.
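The full group lifecycle covered in this section (New-ADGroup, Add-ADGroupMember, Get-ADGroupMember, Remove-ADGroupMember, Remove-ADGroup), which also puts the three group scopes from Section 2 to use: accounts in a Global group, the Global group nested in a Domain Local group, and the Domain Local group holding the permission on the share. This is an added example, not course code; the OU and user names are placeholders from the lab design. On the actual cmdlet the security-vs-distribution choice is the GroupCategory parameter.

```powershell
# Added example: group lifecycle with all three scopes. Assumptions (placeholders):
# OU=Groups,DC=mycorp,DC=com exists; users Andy.Smith and Beth.Jones exist.
Import-Module ActiveDirectory
$groupOU = 'OU=Groups,DC=mycorp,DC=com'

# Create. Name and GroupScope are required; GroupCategory picks Security or Distribution.
New-ADGroup -Name 'HR_Staff'    -GroupScope Global      -GroupCategory Security     -Path $groupOU -Description 'All HR users'
New-ADGroup -Name 'Read_Share'  -GroupScope DomainLocal -GroupCategory Security     -Path $groupOU -Description 'Read on Common_Share'
New-ADGroup -Name 'HR_Announce' -GroupScope Universal   -GroupCategory Distribution -Path $groupOU -Description 'Mail list only'

# Add members: accounts into the Global group, the Global group into the Domain Local group
Add-ADGroupMember -Identity 'HR_Staff'   -Members 'Andy.Smith', 'Beth.Jones'
Add-ADGroupMember -Identity 'Read_Share' -Members 'HR_Staff'
Add-ADGroupMember -Identity 'HR_Announce' -Members 'HR_Staff'

# Reports: direct members vs effective members through nesting
Get-ADGroupMember -Identity 'Read_Share'            | Select-Object name, objectClass   # HR_Staff (group)
Get-ADGroupMember -Identity 'Read_Share' -Recursive | Select-Object name, objectClass   # the users

# Report: every group in the OU with its scope, category and direct member count
Get-ADGroup -Filter * -SearchBase $groupOU -Properties Members |
    Select-Object Name, GroupScope, GroupCategory, @{n='Members'; e={ $_.Members.Count }}

# Report: direct memberships of one account (relevant to the ~1,015 group limit)
(Get-ADUser -Identity 'Andy.Smith' -Properties MemberOf).MemberOf.Count

# Remove a member: dry run first, then unattended
Remove-ADGroupMember -Identity 'HR_Staff' -Members 'Beth.Jones' -WhatIf
Remove-ADGroupMember -Identity 'HR_Staff' -Members 'Beth.Jones' -Confirm:$false

# Delete the distribution group (membership of the group itself is not required to be empty)
Remove-ADGroup -Identity 'HR_Announce' -WhatIf
Remove-ADGroup -Identity 'HR_Announce' -Confirm:$false
```

Granting the share permission to Read_Share rather than to users directly means onboarding and offboarding become a single Add-ADGroupMember or Remove-ADGroupMember call, and the -Recursive report is how you answer "who can actually read this share" when groups are nested.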