
Moving from the DS DOS commands to PowerShell V2

In the original implementation of PowerShell, I was very discouraged by the lack of Active Directory support. Sure, you could create user accounts and organizational units, but it was not easy. With PowerShell V2, that all changed with the addition of the Active Directory module. For the Microsoft Exam 70-640, I'm seeing a couple of changes. In the "Maintaining the Active Directory Environment" section, I'm seeing PowerShell listed with no mention of the DS commands that are taught in the instructor-led course 6425B. Here are some tips on how to do the PowerShell equivalent of the DS commands.

DSQuery searches Active Directory and returns the objects that match your query.

DSGet returns specified attributes of an object.

DSMod modifies specified attributes of an object.

DSAdd creates an object in the directory.

DSMove moves an object to a new container or OU.

DSRM removes an object, or multiple objects, from the directory.

With the Active Directory module installed, PowerShell can do all of these things. So why make the change? Well, Microsoft is making the change: look at the force Microsoft is placing behind PowerShell, and how frequently it is listed on exam topics.

The first requirement is to install PowerShell V2.  V2 is installed by default on Windows 7 and Server 2008 R2.  This can be downloaded from Microsoft (http://support.microsoft.com/kb/968929). Once you have installed PowerShell V2, you also need to install the Remote Server Administrator Tools onto your client:

RSAT for VISTA :http://www.microsoft.com/downloads/details.aspx?familyid=9ff6e897-23ce-4a36-b7fc-d52065de9960&displaylang=en

RSAT for WINDOWS 7:http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

OK, now that all that work is done, start PowerShell. Type Import-Module ActiveDirectory. This will add 76 new cmdlets specifically for Active Directory into your PowerShell session. These cmdlets have a verb-noun syntax. For the verbs, you have:

Add – add an object to another object.

Enable – Enables an object

Get – returns an Active Directory object

Move – Moves an object

New – Creates an object.

Remove – Removes an object from Active Directory.

Set – Modifies the properties of an object.

For the Noun portion you have a lot more choices.  Here are a few of them:

Computer

Group

OrganizationalUnit

User

The DS commands were designed for command line / batch file management of Active Directory.  For daily use, the GUI is still the best method, unless you have a very specific need.  For example, let’s say you needed to move all the users from 5 different OUs to a single OU.  There are 500 user objects in each OU, but only about 15 of them are in the SalesTeam group.  How would you accomplish that with a GUI?  That is why we still use a shell environment.  For the sake of demonstration, the OU we want the user objects to end up in is called Indianapolis.  It does not matter what OU they reside in.  The group we want to filter on is called SalesTeam_GG.  Here is the PowerShell command that will make this happen:

Get-ADGroupMember -Identity SalesTeam_GG | Move-ADObject -TargetPath "OU=Indianapolis,DC=MCTNET,DC=com"

That's it! PowerShell will first enumerate all the members of the SalesTeam_GG group in Active Directory. Those objects are then piped to the Move-ADObject cmdlet, which moves them into the Indianapolis OU. Try that in a GUI!
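
Here is the same move written out as a short script. This is an added example and not part of the original post; it keeps the group and OU names used above and assumes the Active Directory module is available in the session (the domain name, MCTNET, is the one in the post). It adds two things the one-liner does not do: it keeps only user objects, because Get-ADGroupMember returns every member principal (nested groups and computers included), and it previews the moves with -WhatIf before applying them.

```powershell
# Added example (not from the original post): move the SalesTeam_GG members into the
# Indianapolis OU with a preview step first. Group, OU and domain names come from the post;
# the domain is assumed to be reachable from this session.
Import-Module ActiveDirectory

$group    = 'SalesTeam_GG'
$targetOU = 'OU=Indianapolis,DC=MCTNET,DC=com'

# Get-ADGroupMember returns every member principal (users, computers, nested groups).
# Keep only user objects, and skip any that already live in the target OU.
$users = Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    Where-Object { $_.DistinguishedName -notlike "*,$targetOU" }

# @() guards against a single result, whose .Count is empty in PowerShell V2.
"{0} user(s) will be moved to {1}" -f @($users).Count, $targetOU

# Preview: -WhatIf prints each move without changing the directory.
$users | Move-ADObject -TargetPath $targetOU -WhatIf

# Apply the moves, then read the OU back to verify.
$users | Move-ADObject -TargetPath $targetOU
Get-ADUser -Filter * -SearchBase $targetOU -SearchScope OneLevel |
    Select-Object SamAccountName, DistinguishedName
```

Run the script once with only the -WhatIf line uncommented to check the count and the list of names before letting it change anything; a group that contains nested groups or computer accounts will show the difference immediately.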

How do you know what each of these PowerShell cmdlets can do? Well, first let's find them. Type Get-Command *-AD* and press Enter. Most of the cmdlets listed here are Active Directory commands. PowerShell also has a very good built-in help structure. Type in Get-Help Get-ADGroupMember -Full. This will give you a description of the cmdlet, its syntax, parameters, and examples of how to use it.

Here is a simple comparison of some of the PowerShell commands vs an equivalent DS command:

DS Command    PowerShell (not all of them)
DSQuery       Get-ADComputer, Get-ADUser, Get-ADGroup, Get-ADGroupMember
DSGet         Same as above
DSAdd         New-ADComputer, New-ADUser, New-ADGroup, New-ADOrganizationalUnit
DSMod         Set-ADComputer, Set-ADUser, Set-ADGroup
DSRM          Remove-ADComputer, Remove-ADUser, Remove-ADGroup, Remove-ADOrganizationalUnit
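
To make the rows of that table concrete, here is an added walk-through (not from the original post) that creates, queries, modifies and removes a small set of objects, with the DS command each step replaces shown in a comment above it. The Lab OU, the jdoe user and the Lab_GG group are made-up names for the demo; the Indianapolis OU and the MCTNET domain are the ones used in the post, and the Active Directory module is assumed to be loaded.

```powershell
# Added example (not from the original post): each DS command row from the table,
# followed by its PowerShell equivalent. Lab, jdoe and Lab_GG are made-up demo names.
Import-Module ActiveDirectory

$ou = 'OU=Indianapolis,DC=MCTNET,DC=com'   # OU from the post

# ---- DSAdd  ->  New-AD* ---------------------------------------------------
# dsadd ou "OU=Lab,OU=Indianapolis,DC=MCTNET,DC=com"
New-ADOrganizationalUnit -Name 'Lab' -Path $ou
$labOU = "OU=Lab,$ou"

# dsadd user "CN=Jane Doe,OU=Lab,..." -samid jdoe -upn jdoe@mctnet.com -disabled no
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@mctnet.com' `
    -Path $labOU -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

# dsadd group "CN=Lab_GG,OU=Lab,..." -secgrp yes -scope g -members "CN=Jane Doe,..."
New-ADGroup -Name 'Lab_GG' -GroupScope Global -GroupCategory Security -Path $labOU
Add-ADGroupMember -Identity 'Lab_GG' -Members 'jdoe'

# ---- DSQuery / DSGet  ->  Get-AD* -----------------------------------------
# dsquery user -name "Jane*" | dsget user -samid -upn
Get-ADUser -Filter { Name -like 'Jane*' } -SearchBase $labOU |
    Select-Object SamAccountName, UserPrincipalName

# dsget group "CN=Lab_GG,..." -members
Get-ADGroupMember -Identity 'Lab_GG' | Select-Object Name, objectClass

# ---- DSMod  ->  Set-AD* ---------------------------------------------------
# dsmod user "CN=Jane Doe,..." -desc "Lab account" -dept "Training"
Set-ADUser -Identity 'jdoe' -Description 'Lab account' -Department 'Training'

# ---- DSRM  ->  Remove-AD* -------------------------------------------------
# dsrm "CN=Jane Doe,..." -noprompt   (the PowerShell cmdlets prompt unless -Confirm:$false)
Remove-ADGroupMember -Identity 'Lab_GG' -Members 'jdoe' -Confirm:$false
Remove-ADUser  -Identity 'jdoe'   -Confirm:$false
Remove-ADGroup -Identity 'Lab_GG' -Confirm:$false

# dsrm "OU=Lab,..." -subtree -noprompt
# New-ADOrganizationalUnit protects the OU from accidental deletion by default,
# so that flag has to be cleared before the OU can be removed.
Set-ADOrganizationalUnit -Identity $labOU -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $labOU -Confirm:$false
```

Two differences from the DS tools stand out while working through it: the PowerShell cmdlets take a SamAccountName, a GUID, a SID or a distinguished name for -Identity, where the DS commands always want the DN, and the Remove-AD* cmdlets ask for confirmation by default, which is the opposite of dsrm's behaviour without -noprompt.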

It would be a good idea to review these commands prior to taking the exam just to be safe.

Comments

Unknown said…
It's just a darn shame that these commands don't seem to exist for PowerShell on Windows XP -_-
Lars,

Take a look at Implicit remoting. This will allow your Windows XP client to utilize the Active Directory module on a Windows Server 2008 R2 domain controller.

Jason
