
Moving from the DS DOS commands to PowerShell V2

In the original implementation of PowerShell, I was very discouraged with the lack of Active Directory support. Sure, you can create user accounts and organizational units, but it was not easy.  With PowerShell V2, that all changed with the addition of the Active Directory module. For the Microsoft Exam 70-640, I’m seeing a couple of changes. In the Maintaining the Active Directory Environment, I’m seeing PowerShell listed with no mention of the DS commands that are taught in the instructor-led course 6425B.  Here are some tips on how to do the PowerShell equivalent of the DS commands.

 

DSQuery returns objects, and information on those objects, out of Active Directory.

DSGet returns specified attributes of an object.

DSMod modifies specified attributes of an object.

DSAdd creates an object in the directory.

DSMove moves an object to a new container or OU.

DSRM removes an object, or multiple objects, from the directory.

 

With PowerShell and the Active Directory module installed, you can do all these things.  So why make the change?  Well, Microsoft is making the change, given the force that Microsoft is placing behind PowerShell and how frequently it is listed on exam topics.

The first requirement is to install PowerShell V2.  V2 is installed by default on Windows 7 and Server 2008 R2.  PowerShell V2 can be downloaded from Microsoft (http://support.microsoft.com/kb/968929). Once you have installed PowerShell V2, you also need to install the Remote Server Administration Tools onto your client:

RSAT for Vista: http://www.microsoft.com/downloads/details.aspx?familyid=9ff6e897-23ce-4a36-b7fc-d52065de9960&displaylang=en

RSAT for Windows 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

 

OK, now that all that work is done, start PowerShell.  Type Import-Module ActiveDirectory.  This will add 76 new cmdlets specifically for Active Directory into your PowerShell session.  These cmdlets have a verb-noun syntax. For the verbs, you have:

Add – Adds an object to another object.

Enable – Enables an object.

Get – returns an Active Directory object

Move – Moves an object

New – Creates an object.

Remove – Removes an object from Active Directory.

Set – Modifies the properties of an object.

For the Noun portion you have a lot more choices.  Here are a few of them:

Computer

Group

OrganizationalUnit

User

The DS commands were designed for command line / batch file management of Active Directory.  For daily use, the GUI is still the best method, unless you have a very specific need.  For example, let’s say you needed to move all the users from 5 different OUs to a single OU.  There are 500 user objects in each OU, but only about 15 of them are in the SalesTeam group.  How would you accomplish that with a GUI?  That is why we still use a shell environment.  For the sake of demonstration, the OU we want the user objects to end up in is called Indianapolis.  It does not matter what OU they reside in.  The group we want to filter on is called SalesTeam_GG.  Here is the PowerShell command that will make this happen:

Get-ADGroupMember -Identity SalesTeam_GG | Move-ADObject -TargetPath "OU=Indianapolis,DC=MCTNET,DC=com"

 

That’s it! PowerShell will first enumerate all the users in Active Directory that are members of the SalesTeam_GG group.  Then those objects are piped to the Move-ADObject cmdlet, which moves them to the Indianapolis OU.  Try that in a GUI!
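A more cautious form of the same move, added here as an example and not the author's own command. Moving an account changes which Group Policy objects and delegated permissions apply to it, so this version keeps only user objects, saves each account's original distinguished name so the change can be reversed, and previews the result with -WhatIf. The log file name is an assumption; the group and OU are the ones used above.

```powershell
Import-Module ActiveDirectory

$group  = 'SalesTeam_GG'                       # group from the post
$target = 'OU=Indianapolis,DC=MCTNET,DC=com'   # target OU from the post
$log    = '.\SalesTeam_GG-original-DNs.csv'    # assumed file name for the rollback record

# Get-ADGroupMember returns users, computers and nested groups alike.
# Keep only user objects that are not already in or below the target OU.
# @( ) guarantees an array, so an empty result pipes nothing downstream.
$toMove = @(Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' -and
                   $_.distinguishedName -notlike "*,$target" })

# Record where each account lives now. objectGUID does not change when
# the object moves, so it identifies the account for a later move back.
$toMove |
    Select-Object SamAccountName, objectGUID, distinguishedName |
    Export-Csv -Path $log -NoTypeInformation

# Preview only: -WhatIf lists each move without changing the directory.
$toMove | Move-ADObject -TargetPath $target -WhatIf

# After reviewing the preview and the CSV, run the real move:
# $toMove | Move-ADObject -TargetPath $target
```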

How do you know what each of these PowerShell cmdlets can do?  Well, first let’s find them.  Type Get-Command *-AD* and press Enter.  Most of the cmdlets listed here are Active Directory commands.  PowerShell also has a very good built-in help structure.  Type in Get-Help Get-ADGroupMember -Full.  This will give you a description of the cmdlet, its syntax, parameters, and examples on how to use it.

Here is a simple comparison of some of the PowerShell commands vs an equivalent DS command:

| DS Command | PowerShell (not all of them) |
|---|---|
| DSQuery | Get-ADComputer, Get-ADUser, Get-ADGroup, Get-ADGroupMember |
| DSGet | Same as above |
| DSAdd | New-ADComputer, New-ADUser, New-ADGroup, New-ADOrganizationalUnit |
| DSMod | Set-ADComputer, Set-ADUser, Set-ADGroup |
| DSRM | Remove-ADComputer, Remove-ADUser, Remove-ADGroup, Remove-ADOrganizationalUnit |

 

It would be a good idea to review these commands prior to taking the exam just to be safe.

Comments

Unknown said…
It's just a darn shame that these commands don't seem to exist for PowerShell on Windows XP -_-

Lars,

Take a look at Implicit remoting. This will allow your Windows XP client to utilize the Active Directory module on a Windows Server 2008 R2 domain controller.

Jason
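The implicit remoting approach mentioned in the reply above, sketched as an added example that is not part of the original post or comments. DC01 is a placeholder for a Windows Server 2008 R2 domain controller, and the example assumes PowerShell remoting is enabled there and PowerShell V2 is installed on the client.

```powershell
# DC01 is a placeholder name. Get-Credential prompts for an account,
# so no password is stored in the script.
$session = New-PSSession -ComputerName DC01 -Credential (Get-Credential)

# Load the module inside the remote session, where it is installed.
Invoke-Command -Session $session -ScriptBlock { Import-Module ActiveDirectory }

# Create local proxy functions for the remote cmdlets. The prefix makes
# remote commands easy to tell apart: Get-ADUser becomes Get-RemADUser.
Import-PSSession -Session $session -Module ActiveDirectory -Prefix Rem | Out-Null

# This call executes on DC01; only the results travel back to the client.
Get-RemADGroupMember -Identity SalesTeam_GG | Select-Object name, objectClass

# Close the session when finished so no authenticated connection lingers.
Remove-PSSession -Session $session
```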
