AD Infrastructure management with PowerShell
Adam Bell is doing a very cool series about AD and PowerShell on his blog, Lead, Follow, or Move, with some very interesting topics about Active Directory infrastructure management; a recommended read!
It shows very well how to work with the ADSI wrapper (among others, the Create method in the OU example).
But for the infrastructure tasks, as I also showed with some examples on my old blog here: /\/\o\/\/ PowerShelled: AD Infastructure exploring with MSH,
the .NET Framework 2.0 has an extra namespace, System.DirectoryServices.ActiveDirectory, that helps with this kind of work.
Below I first give the title of the blog entry Adam Bell did using DirectoryEntry, and then the version using the System.DirectoryServices.ActiveDirectory namespace:
Retrieving Active Directory FSMO roles with PowerShell
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()
$dom | Format-List *
PoSH>$dom = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()
PoSH>$dom | Format-List *
Forest : mow.local
DomainControllers : {mowdc001.mow.local}
Children : {}
DomainMode : Windows2000MixedDomain
Parent :
PdcRoleOwner : mowdc001.mow.local
RidRoleOwner : mowdc001.mow.local
InfrastructureRoleOwner : mowdc001.mow.local
Name : mow.local
Transferring Active Directory FSMO roles with PowerShell
$dc = $dom.FindDomainController()
$dc.TransferRoleOwnership('PdcRole')
$dc.TransferRoleOwnership('InfrastructureRole')
PoSH>$dom
PoSH>$dc = $dom.FindDomainController()
PoSH>$dc
Forest : mow.local
CurrentTime : 2/9/2007 10:34:43 PM
HighestCommittedUsn : 90155
OSVersion : Windows Server 2003
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : mow.local
IPAddress : 192.168.0.1
SiteName : Default-First-Site
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : mowdc001.mow.local
Partitions : {DC=mow,DC=local, CN=Configuration,DC=mow,DC=local, CN=Schema,CN=Configuration,DC=mow,DC=local, DC=DomainDnsZones,DC=mow,DC=local...}
PoSH>$dc.Roles
SchemaRole
NamingRole
PdcRole
RidRole
InfrastructureRole
PoSH>$dc.TransferRoleOwnership
MemberType : Method
OverloadDefinitions : {System.Void TransferRoleOwnership(ActiveDirectoryRole role)}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.Void TransferRoleOwnership(ActiveDirectoryRole role)
Name : TransferRoleOwnership
IsInstance : True
PoSH>$dc.TransferRoleOwnership('PdcRole')
Exception calling "TransferRoleOwnership" with "1" argument(s): "The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
At line:1 char:26
+ $dc.TransferRoleOwnership( <<<< 'PdcRole')
PoSH>
You can get at individual DomainControllers from the Domain object in several ways: through the DomainControllers collection, or by selecting a role owner such as PdcRoleOwner (to connect to a DC directly, see the post on my old blog: /\/\o\/\/ PowerShelled: AD Infastructure exploring with MSH).
PoSH>$dom.DomainControllers.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False DomainControllerCollection System.Collections.ReadOnlyCollectionBase
PoSH>$dom.PdcRoleOwner.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False DomainController System.DirectoryServices.ActiveDirectory.DirectoryServer
PoSH>$pdc = $dom.PdcRoleOwner
Raising Active Directory Domain and Forest functionality to Windows 2003 with PowerShell
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()
$dom.RaiseDomainFunctionality('Windows2000NativeDomain')
$dom.RaiseDomainFunctionality('Windows2003Domain')
PoSH>$dom = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()
PoSH>$dom | Format-List *
Forest : mow.local
DomainControllers : {mowdc001.mow.local}
Children : {}
DomainMode : Windows2000MixedDomain
Parent :
PdcRoleOwner : mowdc001.mow.local
RidRoleOwner : mowdc001.mow.local
InfrastructureRoleOwner : mowdc001.mow.local
Name : mow.local
PoSH>$dom | Get-Member -MemberType Method
TypeName: System.DirectoryServices.ActiveDirectory.Domain
Name MemberType Definition
---- ---------- ----------
CreateLocalSideOfTrustRelationship Method System.Void CreateLocalSideOfTrustRelationship(String targetDomainNa...
CreateTrustRelationship Method System.Void CreateTrustRelationship(Domain targetDomain, TrustDirect...
DeleteLocalSideOfTrustRelationship Method System.Void DeleteLocalSideOfTrustRelationship(String targetDomainName)
DeleteTrustRelationship Method System.Void DeleteTrustRelationship(Domain targetDomain)
Dispose Method System.Void Dispose()
Equals Method System.Boolean Equals(Object obj)
FindAllDiscoverableDomainControllers Method System.DirectoryServices.ActiveDirectory.DomainControllerCollection ...
FindAllDomainControllers Method System.DirectoryServices.ActiveDirectory.DomainControllerCollection ...
FindDomainController Method System.DirectoryServices.ActiveDirectory.DomainController FindDomain...
GetAllTrustRelationships Method System.DirectoryServices.ActiveDirectory.TrustRelationshipInformatio...
GetDirectoryEntry Method System.DirectoryServices.DirectoryEntry GetDirectoryEntry()
GetHashCode Method System.Int32 GetHashCode()
GetSelectiveAuthenticationStatus Method System.Boolean GetSelectiveAuthenticationStatus(String targetDomainN...
GetSidFilteringStatus Method System.Boolean GetSidFilteringStatus(String targetDomainName)
GetTrustRelationship Method System.DirectoryServices.ActiveDirectory.TrustRelationshipInformatio...
GetType Method System.Type GetType()
get_Children Method System.DirectoryServices.ActiveDirectory.DomainCollection get_Childr...
get_DomainControllers Method System.DirectoryServices.ActiveDirectory.DomainControllerCollection ...
get_DomainMode Method System.DirectoryServices.ActiveDirectory.DomainMode get_DomainMode()
get_Forest Method System.DirectoryServices.ActiveDirectory.Forest get_Forest()
get_InfrastructureRoleOwner Method System.DirectoryServices.ActiveDirectory.DomainController get_Infras...
get_Name Method System.String get_Name()
get_Parent Method System.DirectoryServices.ActiveDirectory.Domain get_Parent()
get_PdcRoleOwner Method System.DirectoryServices.ActiveDirectory.DomainController get_PdcRol...
get_RidRoleOwner Method System.DirectoryServices.ActiveDirectory.DomainController get_RidRol...
RaiseDomainFunctionality Method System.Void RaiseDomainFunctionality(DomainMode domainMode)
RepairTrustRelationship Method System.Void RepairTrustRelationship(Domain targetDomain)
SetSelectiveAuthenticationStatus Method System.Void SetSelectiveAuthenticationStatus(String targetDomainName...
SetSidFilteringStatus Method System.Void SetSidFilteringStatus(String targetDomainName, Boolean e...
ToString Method System.String ToString()
UpdateLocalSideOfTrustRelationship Method System.Void UpdateLocalSideOfTrustRelationship(String targetDomainNa...
UpdateTrustRelationship Method System.Void UpdateTrustRelationship(Domain targetDomain, TrustDirect...
VerifyOutboundTrustRelationship Method System.Void VerifyOutboundTrustRelationship(String targetDomainName)
VerifyTrustRelationship Method System.Void VerifyTrustRelationship(Domain targetDomain, TrustDirect...
PoSH>$dom.RaiseDomainFunctionality
MemberType : Method
OverloadDefinitions : {System.Void RaiseDomainFunctionality(DomainMode domainMode)}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.Void RaiseDomainFunctionality(DomainMode domainMode)
Name : RaiseDomainFunctionality
IsInstance : True
PoSH>[enum]::GetNames([System.DirectoryServices.ActiveDirectory.DomainMode])
Windows2000MixedDomain
Windows2000NativeDomain
Windows2003InterimDomain
Windows2003Domain
PoSH>$dom.RaiseDomainFunctionality('Windows2003Domain')
Exception calling "RaiseDomainFunctionality" with "1" argument(s): "The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
At line:1 char:30
+ $dom.RaiseDomainFunctionality( <<<< 'Windows2003Domain')
PoSH>$dom.RaiseDomainFunctionality('Windows2000NativeDomain')
PoSH>$dom.RaiseDomainFunctionality('Windows2003Domain')
PoSH>$dom
Forest : mow.local
DomainControllers : {mowdc001.mow.local}
Children : {}
DomainMode : Windows2003Domain
Parent :
PdcRoleOwner : mowdc001.mow.local
RidRoleOwner : mowdc001.mow.local
InfrastructureRoleOwner : mowdc001.mow.local
Name : mow.local
PoSH>
Enabling and disabling a Global Catalog server with PowerShell
$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gc = $for.FindGlobalCatalog()
$gc.DisableGlobalCatalog()
$gc.EnableGlobalCatalog()
PoSH>$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
PoSH>$for
Name : mow.local
Sites : {Default-First-Site}
Domains : {mow.local}
GlobalCatalogs : {mowdc001.mow.local}
ApplicationPartitions : {DC=DomainDnsZones,DC=mow,DC=local, DC=ForestDnsZones,DC=mow,DC=local, DC=TAPI3Directory,DC=mow,DC=local}
ForestMode : Windows2000Forest
RootDomain : mow.local
Schema : CN=Schema,CN=Configuration,DC=mow,DC=local
SchemaRoleOwner : mowdc001.mow.local
NamingRoleOwner : mowdc001.mow.local
PoSH>$gc = $for.FindGlobalCatalog()
PoSH>$gc
Forest : mow.local
CurrentTime : 2/9/2007 11:20:16 PM
HighestCommittedUsn : 90156
OSVersion : Windows Server 2003
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : mow.local
IPAddress : 192.168.0.1
SiteName : Default-First-Site
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : mowdc001.mow.local
Partitions : {DC=mow,DC=local, CN=Configuration,DC=mow,DC=local, CN=Schema,CN=Configuration,DC=mow,DC=local, DC=DomainDnsZones,DC=mow,DC=local...}
PoSH>$gc.DisableGlobalCatalog
MemberType : Method
OverloadDefinitions : {System.DirectoryServices.ActiveDirectory.DomainController DisableGlobalCatalog()}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.DirectoryServices.ActiveDirectory.DomainController DisableGlobalCatalog()
Name : DisableGlobalCatalog
IsInstance : True
PoSH>$gc.EnableGlobalCatalog
MemberType : Method
OverloadDefinitions : {System.DirectoryServices.ActiveDirectory.GlobalCatalog EnableGlobalCatalog()}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.DirectoryServices.ActiveDirectory.GlobalCatalog EnableGlobalCatalog()
Name : EnableGlobalCatalog
IsInstance : True
PoSH>
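The FSMO, domain controller and Global Catalog objects shown in the transcripts above are just as useful read-only: the following added example (my own, not from Adam's posts or the original transcripts) inventories the role owners and GCs through System.DirectoryServices.ActiveDirectory and warns when they differ from an expected baseline, so that an unplanned role transfer or GC change is noticed. It assumes PowerShell 3.0 or later on a domain-joined host; the baseline values are constructed for the mow.local lab.

```powershell
# Added example, not code from the original post: read-only FSMO and Global
# Catalog inventory compared against an expected baseline. Nothing is changed.
# Assumes PowerShell 3.0+ on a domain-joined host; baseline values are constructed.
$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Observed role owners: forest roles live on the Forest object, domain roles on Domain.
$observed = [ordered]@{
    SchemaRole         = $for.SchemaRoleOwner.Name
    NamingRole         = $for.NamingRoleOwner.Name
    PdcRole            = $dom.PdcRoleOwner.Name
    RidRole            = $dom.RidRoleOwner.Name
    InfrastructureRole = $dom.InfrastructureRoleOwner.Name
}

# Constructed baseline: the owners recorded after the last planned change.
$baseline = @{
    SchemaRole         = 'mowdc001.mow.local'
    NamingRole         = 'mowdc001.mow.local'
    PdcRole            = 'mowdc001.mow.local'
    RidRole            = 'mowdc001.mow.local'
    InfrastructureRole = 'mowdc001.mow.local'
}
$expectedGCs = @('mowdc001.mow.local')

"Forest $($for.Name) ($($for.ForestMode)), domain $($dom.Name) ($($dom.DomainMode))"
foreach ($role in $observed.Keys) {
    if ($observed[$role] -ne $baseline[$role]) {
        Write-Warning "$role moved: expected $($baseline[$role]), found $($observed[$role])"
    }
}

# GC membership is read from the Forest object, as with $for.FindGlobalCatalog() above.
$gcNames = @($for.GlobalCatalogs | ForEach-Object { $_.Name })
foreach ($gc in $gcNames) {
    if ($expectedGCs -notcontains $gc) { Write-Warning "Unexpected Global Catalog: $gc" }
}

# Per-DC view: which roles each DC holds and whether it is a GC.
$dom.DomainControllers | ForEach-Object {
    [PSCustomObject]@{
        Name      = $_.Name
        Site      = $_.SiteName
        IPAddress = $_.IPAddress
        Roles     = ($_.Roles | ForEach-Object { $_.ToString() }) -join ','
        IsGC      = $gcNames -contains $_.Name
    }
} | Format-Table -AutoSize
```

Run it as a plain domain user on a schedule and keep the baseline under change control; the warnings then serve as a simple check for role or GC changes that were not part of a planned transfer.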
Creating an Organizational Unit in Active Directory with PowerShell
n/a (this namespace has no equivalent for creating objects; use the ADSI/DirectoryEntry approach from Adam's post for that)
As I have only one DC in my VM, I cannot test everything, but you can see that this namespace helps a lot in managing AD infrastructure.
Enjoy,
Greetings /\/\o\/\/