When wrapping up our PowerShell lunch and learn today, I made you guys two promises. First, I would get the notes uploaded. Second, I would copy up the 4 sample scripts that we worked with. Here is that content:
The PowerShell + AD management notes can be found here. The notes are sparse but are designed to be followed with a PowerShell console. We started our session by querying machines and ended by stringing together multiple cmdlets for some cool automation! If you have any questions (or thoughts) about the notes, drop me a comment.
At the end of our session, we dove into 4 scripts. All four scripts use the Quest AD Cmdlets. You can use the native AD module if desired.
Cleaning Up Old Computers
Our first script disables (and eventually deletes) stale computers from your domain. You will need to create an OU named Computers_Stale. If you have the AD recycle bin enabled, you can modify the script to just delete the computer instead of disabling it.
```powershell
# Import the Quest AD snap-in
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Administration: disable old computers and move them to Computers_Stale.
# Computers already parked in Computers_Stale are skipped so their disable date is not reset on every run.
$Computers = Get-QADComputer -SearchRoot "DC=Test,DC=local" -SearchScope Subtree -InactiveFor 366 |
    Where-Object { $_.DN -notlike "*OU=Computers_Stale,DC=Test,DC=local" }
$Computers | Set-QADComputer -Location (Get-Date)   # Location records when the account was disabled
$Computers | Disable-QADComputer
$Computers | Move-QADObject -NewParentContainer 'OU=Computers_Stale,DC=Test,DC=local'

# Delete super stale computers: those parked more than 7 months ago.
# Location comes back as a string, so cast it to a date before comparing; objects without a stamp are left alone.
$Computers = Get-QADComputer -SearchRoot "OU=Computers_Stale,DC=Test,DC=local" |
    Where-Object { $_.Location -and ([datetime]$_.Location -lt (Get-Date).AddMonths(-7)) }
$Computers | Remove-QADObject
```
A lengthier version of this script (along with some additional instructions) can be found here.
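The same two-stage cleanup written against the native ActiveDirectory module, as an added example that is not from the original post. It assumes the Test.local domain and the Computers_Stale OU from the post, and stamps the disable date into the Location attribute in a form that can be parsed back reliably.

```powershell
# Added example (not the post's script): stale computer cleanup with the native AD module.
# Assumes domain Test.local and an existing OU Computers_Stale, as in the post.
Import-Module ActiveDirectory

$Domain  = 'DC=Test,DC=local'
$StaleOU = "OU=Computers_Stale,$Domain"
$Tag     = 'Disabled by cleanup: '        # marker written into the Location attribute

# Stage 1: no logon for 366 days -> stamp, disable, move.
# Objects already in Computers_Stale are excluded so their stamp is not reset.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 366) -ComputersOnly |
         Where-Object { $_.DistinguishedName -notlike "*,$StaleOU" }

foreach ($c in $stale) {
    Set-ADComputer    -Identity $c.DistinguishedName -Location ($Tag + (Get-Date -Format 'o'))
    Disable-ADAccount -Identity $c.DistinguishedName
    Move-ADObject     -Identity $c.DistinguishedName -TargetPath $StaleOU
}

# Stage 2: delete only objects stamped more than 7 months ago.
# Anything in the OU without a valid stamp (e.g. moved there by hand) is reported, not deleted.
$cutoff = (Get-Date).AddMonths(-7)
Get-ADComputer -SearchBase $StaleOU -Filter * -Properties Location | ForEach-Object {
    if ($_.Location -and $_.Location.StartsWith($Tag)) {
        $stamp = [datetime]::Parse($_.Location.Substring($Tag.Length))
        if ($stamp -lt $cutoff) {
            Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false
        }
    } else {
        Write-Warning "No cleanup stamp on $($_.Name); leaving it in place"
    }
}
```

Run it once with `-WhatIf` appended to the Remove-ADComputer line to see what the second stage would delete before scheduling it.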
Creating Everything a New User Needs
Our second script automates user creation based on a CSV. Your CSV will need four columns: FN, LN, DOB and PIN. FN is the first name, LN is the last name, and PIN is used as the username. We use the date of birth field for the default password.
```powershell
Add-PSSnapin Quest.ActiveRoles.ADManagement

$Domain    = '@Test.local'
$Userslist = Import-Csv ".\enrollment.csv"
$LogFile   = "C:\Users\Public\Scripts\CreateStudentAccounts\Students.txt"

ForEach ($User in $Userslist) {
    # Echo the row being processed to the console
    $User.FN
    $User.LN
    $User.Pin

    $FullName      = $User.FN + " " + $User.LN
    $UPN           = $User.Pin + $Domain
    $UNC           = '\\Server\share\'
    $HomeDirectory = $UNC + $User.Pin

    # Only create the account if the PIN is not already in use
    if ((Get-QADUser $User.Pin) -eq $null) {
        New-QADUser -Name $FullName -FirstName $User.FN -LastName $User.LN -SamAccountName $User.Pin `
            -DisplayName $FullName -UserPrincipalName $UPN -UserPassword $User.DOB `
            -ParentContainer 'OU=Domain Users,DC=Test,DC=local' -HomeDirectory $HomeDirectory -HomeDrive 'U:'
        Set-QADUser -Identity $User.Pin -PasswordNeverExpires $True
        Enable-QADUser -Identity $User.Pin
        Add-QADGroupMember -Identity 'Test\Security Group' -Member $User.Pin
    }

    # Log the account (new or pre-existing) and a timestamp
    if ((Get-QADUser $User.Pin) -ne $null) {
        Get-QADUser $User.Pin | Select-Object Name, UserPrincipalName | Out-File -FilePath $LogFile -Append
    }
    Get-Date | Out-File -FilePath $LogFile -Append
}
```
To get this script to work, you will need to make a few modifications. You need to configure $Domain and $UNC for your environment. You will also need to edit the Add-QADGroupMember line as well as the OU location for the new users.
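A variant of the same enrollment loop, added here and not part of the original post, using the native ActiveDirectory module and a random one-time password instead of the date of birth. It assumes the same CSV columns (FN, LN, DOB, PIN), the post's domain, share, OU and group names, and a hypothetical handout file for the generated passwords.

```powershell
# Added example (not the post's script): native AD module, random initial password that must be
# changed at first logon. Assumes the post's CSV layout, OU, share and group names.
Import-Module ActiveDirectory

$Domain  = '@Test.local'
$UNC     = '\\Server\share\'
$UsersOU = 'OU=Domain Users,DC=Test,DC=local'
$Group   = 'Security Group'
$Log     = 'C:\Users\Public\Scripts\CreateStudentAccounts\Students.txt'
$Handout = '.\initial-passwords.csv'   # hypothetical; restrict its ACL and delete after distribution

function New-InitialPassword {
    # 16 characters from a CSPRNG, regenerated until it satisfies the default complexity rule.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 16
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[!@#$%&*]')
    $pw
}

foreach ($User in Import-Csv '.\enrollment.csv') {
    $sam = $User.PIN
    # Script-block filter keeps the PIN out of the LDAP filter string
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        "$(Get-Date -Format s) skipped $sam (already exists)" | Out-File $Log -Append
        continue
    }
    $full = "$($User.FN) $($User.LN)"
    $pw   = New-InitialPassword
    New-ADUser -Name $full -GivenName $User.FN -Surname $User.LN -SamAccountName $sam `
        -DisplayName $full -UserPrincipalName ($sam + $Domain) -Path $UsersOU `
        -HomeDirectory ($UNC + $sam) -HomeDrive 'U:' `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $Group -Members $sam

    # The one-time password goes to the operator's handout file, never to the shared log
    "$sam,$pw" | Out-File $Handout -Append
    "$(Get-Date -Format s) created $sam ($full)" | Out-File $Log -Append
}
```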
Renaming Computers Without Worry
Our third script makes renaming computers super easy! It requires a CSV with two columns: NewName and Name. When you need to rename a group of computers, add their old names under the name column and their new names under the NewName column.
```powershell
Add-PSSnapin Quest.ActiveRoles.ADManagement

# securestring.txt holds the password protected with DPAPI for the account that created it, so
# generate it once, on this machine, as the account that runs the task:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File .\securestring.txt
$username = "Test\admin"
$password = Get-Content .\securestring.txt | ConvertTo-SecureString
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

$csv = ".\RenameComputers.csv"
$Computers = Import-Csv $csv

foreach ($Computer in $Computers) {
    # Match the whole CSV field so removing PC1 does not also remove PC10
    $row = "(^|,)$([regex]::Escape($Computer.Name))(,|$)"

    # Drop rows for computers that no longer exist in AD, and do not try to rename them
    if ((Get-QADComputer $Computer.Name) -eq $null) {
        (Get-Content $csv) | Where-Object { $_ -notmatch $row } | Set-Content $csv
        continue
    }

    Rename-Computer -NewName $Computer.NewName -ComputerName $Computer.Name -DomainCredential $cred

    # $? is $true only when the rename succeeded; finished rows are removed so the task does not retry them
    if ($?) {
        (Get-Content $csv) | Where-Object { $_ -notmatch $row } | Set-Content $csv
    }
}
```
When run as a scheduled task, you can just type the name changes into the CSV and let PowerShell handle the work. If you use a separate account to run this script, you will need to edit the first few lines. It requires the password to be stored locally (which is then imported). Additional instructions can be found here.
Updating Distribution Groups Automatically
Our final script is a long one, but hang in there! We start by filtering for certain users. In this example, we use the department attribute. You can modify it to filter based on OU or another attribute.
```powershell
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Elementary schools: faculty whose Department attribute matches the school
$Users = Get-QADUser -SearchRoot "OU=Faculty,DC=Test,DC=local" -Department "Joseph Moody Academy"
Add-QADGroupMember -Identity "Moody School" -Member $Users
```
We end our script by adding the filtered users to our group (Moody School). If you have any questions about any of these scripts, let me know. If you have any cool scripts, feel free to share!
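Going one step beyond the script above, this added example (not from the original post) uses the native ActiveDirectory module to keep the group in sync both ways: users who match the department filter are added, and direct members who no longer match are removed. It assumes the post's OU, department value and group name.

```powershell
# Added example (not the post's script): two-way sync of a department group with the native AD module.
# Assumes the Faculty OU, department value and group name used in the post.
Import-Module ActiveDirectory

function Sync-DepartmentGroup {
    param([string]$SearchBase, [string]$Department, [string]$Group)

    # Desired membership: enabled users in the OU whose Department matches exactly
    $wanted = @(Get-ADUser -SearchBase $SearchBase -Filter { Department -eq $Department -and Enabled -eq $true } |
                Select-Object -ExpandProperty DistinguishedName)

    # Current membership: direct user members only (nested groups are left untouched)
    $current = @(Get-ADGroupMember -Identity $Group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty DistinguishedName)

    $diff     = Compare-Object -ReferenceObject $current -DifferenceObject $wanted
    $toAdd    = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $toRemove = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

    if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }

    # Return the change counts so a scheduled run can log them
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

Sync-DepartmentGroup -SearchBase 'OU=Faculty,DC=Test,DC=local' `
                     -Department 'Joseph Moody Academy' `
                     -Group      'Moody School'
```

Because the removal side is new compared with the add-only script, run it first against a test group and check the Removed count before pointing it at a production distribution group.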
Is there any reason to use the Quest AD cmdlets over the native ones? Do they offer any advantage (other than backwards compatibility with Server 2003 and 2008)?
I find the quest get- cmdlets easier to use. Other than that, not much of a reason. If you have access to the default AD module, stick with it.